I hate to write two passive-aggressive or negative articles on PlayStation back-to-back because I love video games and would love to talk about PlayStation doing a solid job with new features or releases, but I feel we need to talk about this. A new issue that has emerged appears to reveal a dangerous problem with the company’s account recovery systems.
Colin Moriarty reported on X yesterday that his PSN account had been hacked. This wasn’t the usual compromise where a user clicks a suspicious link or logs in to a fake PSN website; nothing like that happened. His account had two-factor authentication and every other available security feature enabled, yet none of it mattered.
What Potentially Happened?
Believe it or not, this isn’t a new issue either: the same exploit has been reported numerous times in the past, such as with content creator Ali-A in 2023. Despite this, Sony appears to have made no changes to the system. This isn’t a software exploit or a data breach; it’s a social engineering attack that abuses PlayStation’s own customer support process.
So, what happens? From our understanding, attackers identify a target’s PSN ID, which can be found in numerous ways; if you use the same name across every platform, it is all the easier to find you. Once the name has been found, they try to obtain one piece of old transaction information, usually from videos or screenshots you posted online when you were excited about buying a new game, or from old data leaks. With that in hand, they contact support and present the data as proof of ownership, and Sony’s internal support process sometimes accepts it, even though it is all easily found on the web. Support then changes the account’s email address, which automatically disables two-factor authentication and gives the hacker full control of your account.
It may sound like a somewhat sophisticated attack, but it really isn’t. Hackers have been doing this for years, not just against Sony but against other companies such as AT&T. This means the only things standing between you and a hacker are your username, a record of a single purchase you have ever made on the platform, and someone who dislikes you enough to put effort into taking your account.
According to Colin, his connections at PlayStation escalated his issue and removed any credit card information from the account in the interim, but told him it could take up to three weeks before they have any answers to give him. Three weeks. For a profile attached to your entire career, suddenly out of your hands and in the hands of someone who singled you out as a target. Colin’s reaction was understandably blunt: he said he’d be more patient if he’d done something wrong, if he’d been phished or clicked a bad link. He hadn’t. And yet here he was, being told to wait.
It Gets Worse
The hackers sent a message to Colin’s co-host, Dustin Furman, from the compromised account that simply said: “You’re next.” This makes us feel that the PlayStation hacks going on right now are targeted at people who talk positively about PlayStation. While motives obviously aren’t confirmed, it’s an instant red flag: whoever did this intentionally targeted Colin and wasn’t just trying to recover an account with a similar username. This looks like an organized pattern, and the fact that Colin had been covering it on his podcast for months before becoming a target himself adds an unsettling layer to the whole thing.
How To Protect Yourself
The brutal truth is that, as of right now, there’s a limit to what you can do to protect yourself from this specific exploit. As mentioned above, it bypasses your security settings entirely, so all we can offer are some practical steps you can take today:
- Never share PSN transaction screenshots, order numbers, or purchase invoices publicly
- Don’t publicly display your PSN ID anywhere that links to your real identity if you can avoid it (we know, this is almost impossible to do).
- Remove any saved credit card information from your account, and use a card only for one-time purchases if you don’t mind re-entering the details each time.
- Keep records of your transaction history somewhere, so if you do lose an account, you have documentation to prove you’re the actual owner.
- If you suspect your account is targeted, contact support immediately and try to escalate as quickly as possible. Support might not be the best, but you might as well try anyway.
Your PSN 2FA and password alone cannot protect you from this exploit. The vulnerability is in Sony’s customer support verification process, not your account settings. Sony has not issued a public statement or confirmed a fix as of publication. The best security you can have right now is security based on obscurity.
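To make that last point concrete, here is an added example, written for this article and not Sony’s code, that models the difference between a support-side recovery policy with the weakness described above and one that closes it. Everything in it is an assumption for illustration: the evidence categories, the action names, the account and request records, and the sample values are all constructed. The idea it demonstrates is the general one: details that can be read off a screenshot or a leak (an order number, a purchase date) are knowledge evidence and prove nothing about ownership, so a change that hands over the account (new email, password reset) should require a possession factor, and when none is available the change should be held and the existing address notified rather than granted on the spot with 2FA silently switched off.

```python
from dataclasses import dataclass, field

# Evidence that can be found on the open web (an order number from a posted
# screenshot, a purchase date, a leaked dataset). Matching it shows the caller
# has read something about the account, not that they own it. (Assumed categories.)
KNOWLEDGE_EVIDENCE = {"order_number", "purchase_date", "last_purchase_title"}

# Evidence that requires holding something only the owner should hold.
POSSESSION_EVIDENCE = {"totp_code", "backup_code"}

# Changes that hand over the account if granted to the wrong person.
CREDENTIAL_BEARING = {"change_email", "reset_password", "disable_2fa"}


@dataclass
class Account:
    psn_id: str
    email: str
    two_factor_enabled: bool
    order_numbers: set
    backup_codes: set
    current_totp: str  # real systems verify against the TOTP secret; fixed here


@dataclass
class RecoveryRequest:
    psn_id: str
    change: str
    supplied: dict  # field name -> value the caller gave support


@dataclass
class Decision:
    allowed: bool
    reason: str
    actions: list = field(default_factory=list)


def _knowledge_matches(req: RecoveryRequest, acct: Account) -> bool:
    return req.supplied.get("order_number") in acct.order_numbers


def _possession_matches(req: RecoveryRequest, acct: Account) -> bool:
    if not acct.two_factor_enabled:
        return False
    if req.supplied.get("totp_code") == acct.current_totp:
        return True
    return req.supplied.get("backup_code") in acct.backup_codes


def weak_policy(req: RecoveryRequest, acct: Account) -> Decision:
    """The failure mode the article describes: one matching purchase detail is
    accepted as proof of ownership, and the email change silently drops 2FA."""
    if _knowledge_matches(req, acct):
        return Decision(True, "order number matched purchase history",
                        ["set_email", "disable_2fa"])
    return Decision(False, "no matching purchase record")


def hardened_policy(req: RecoveryRequest, acct: Account) -> Decision:
    """Knowledge evidence alone never authorises a credential-bearing change."""
    if not _knowledge_matches(req, acct):
        return Decision(False, "no matching purchase record")
    if req.change not in CREDENTIAL_BEARING:
        # Low-risk support actions (a refund query, say) can proceed on knowledge.
        return Decision(True, "knowledge evidence sufficient for non-credential change")
    if _possession_matches(req, acct):
        # The owner proved possession of a second factor; 2FA stays enabled and
        # both the old and the new address are told about the change.
        return Decision(True, "possession factor verified",
                        ["set_email", "notify_old_email", "notify_new_email"])
    # No possession factor. The owner may genuinely have lost their device, so do
    # not refuse outright, but do not grant immediately either: hold the change,
    # notify the existing address, and give the real owner a window to cancel.
    return Decision(False, "credential-bearing change without possession factor; held",
                    ["notify_old_email", "schedule_change_after_hold", "open_review_case"])


def demo():
    """Constructed scenario: an attacker with only a leaked order number versus the
    owner with their authenticator code, both asking support to change the email."""
    acct = Account("example_player", "owner@example.invalid", True,
                   order_numbers={"ORD-CONSTRUCTED-001"},
                   backup_codes={"bk-constructed-1"}, current_totp="123456")
    attacker = RecoveryRequest("example_player", "change_email",
                               {"order_number": "ORD-CONSTRUCTED-001",
                                "new_email": "attacker@example.invalid"})
    owner = RecoveryRequest("example_player", "change_email",
                            {"order_number": "ORD-CONSTRUCTED-001",
                             "totp_code": "123456",
                             "new_email": "owner-new@example.invalid"})
    return weak_policy(attacker, acct), hardened_policy(attacker, acct), hardened_policy(owner, acct)


if __name__ == "__main__":
    for label, d in zip(("weak/attacker", "hardened/attacker", "hardened/owner"), demo()):
        print(f"{label}: allowed={d.allowed} reason={d.reason!r} actions={d.actions}")
```

The point of the hold path is that it does not make a lost-device owner wait three weeks with no recourse either: the request is recorded, the existing email is told, and the change proceeds only after the cooling-off window if nobody objects. The weak path grants the same request instantly to anyone holding a screenshot.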
