PlayStation Network hacked again

18 May 2011

Just days after Sony announced the PlayStation Network was back online, reports are coming in that the network has been hit once again by hackers. This time an exploit has been discovered that lets hackers change your password using only your account email and date of birth.

An exploit that allows people to change users’ passwords via the PSN password reset page using only an account email and date of birth has been discovered. The exploit was first uncovered by video games blog Nyleveia and was corroborated by Eurogamer, which says it has seen video evidence of the vulnerability.

It appears Sony has already begun responding to the problem, and the PSN login page is now unavailable across various Sony sites.

The PlayStation Network was taken offline in recent weeks following a devastating cyber attack on Sony’s servers in which hackers accessed information on over 77m users. Sony Online Entertainment (SOE) was also hit in an attack and a further 25m users’ details were accessed, including 24,000 credit and debit card details.

On Saturday Sony confirmed that its PlayStation Network was gradually coming back online, starting in the US. It said users needed to update the firmware and change their passwords.

The latest exploit of Sony’s PlayStation Network

Nyleveia wrote: “A new hack is currently doing the rounds in dark corners of the internet that allows the attacker the ability to change your password using only your account’s email and date of birth. It has been proven to me through direct demonstration on a test account, so I am without any shadow of a doubt that this is real.

“I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account’s email is one that cannot be affiliated with or otherwise traced to you.

“While we originally assumed this was a poor hoax designed only to stir the community into another frenzy, the individual who we are in contact with requested just two pieces of information from us: this being an account email and the date of birth used for that account. We promptly created a new account via us.playstation.com and provided the individual with the email address and date of birth used.”

A few moments later Nyleveia received an email from Sony confirming the password had been changed successfully.

Without detailing how the exploit works, Nyleveia said the vulnerability lies in the password reset form as currently implemented, which does not properly verify its reset tokens: the form changes the password on the strength of an email address and date of birth alone, both of which an attacker can often discover.
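The article does not say how Sony’s reset form was built, so what follows is an added illustration and not Sony’s code. It shows, in Python, the shape of the weakness described (a reset handler that trusts email and date of birth and never checks a token) beside a reset flow that issues an unguessable token, stores only its hash, and checks expiry, account binding and single use before changing anything. The account record, the in-memory token store and all function names are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory "database" for the example: one test account holding
# the two pieces of information the article says the attacker needed.
ACCOUNTS = {
    "test.user@example.com": {"dob": "1990-01-01", "password": "old-password"},
}

# Reset tokens issued by the hardened flow, keyed by SHA-256 of the raw token so
# that a leaked copy of this store cannot be replayed as a token.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60


def vulnerable_reset(email, dob, new_password):
    """Illustration of the weakness: the request is honoured on email and date
    of birth alone. Nothing proves the caller controls the mailbox, so anyone
    who knows both values can take over the account."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    acct["password"] = new_password
    return True


def request_reset(email, now=None):
    """Hardened flow, step 1: mint a random token bound to the account, keep only
    its hash plus an expiry, and (in a real system) email the raw token to the
    address on file. The HTTP response should look identical whether or not the
    address is registered, so the endpoint does not enumerate accounts."""
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None  # caller still gets the generic "check your email" response
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token  # delivered out of band only; never shown to the requester


def hardened_reset(email, token, new_password, now=None):
    """Hardened flow, step 2: the presented token must hash to a stored entry,
    belong to this account and be unexpired. It is consumed on first use whether
    or not the attempt succeeds, so it cannot be retried or reused."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # single use
    if entry is None:
        return False
    if entry["email"] != email or now >= entry["expires"]:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True


if __name__ == "__main__":
    # Attacker knows only email and DOB: succeeds against the weak handler.
    print("vulnerable:", vulnerable_reset("test.user@example.com", "1990-01-01", "attacker-pw"))
    # Same knowledge yields nothing against the hardened handler without a token.
    print("hardened, no token:", hardened_reset("test.user@example.com", "guess", "attacker-pw"))
    # Legitimate owner receives the token by email and completes the reset once.
    tok = request_reset("test.user@example.com")
    print("hardened, real token:", hardened_reset("test.user@example.com", tok, "owner-pw"))
    print("hardened, replayed token:", hardened_reset("test.user@example.com", tok, "owner-pw"))
```

The point of the second flow is that the secret proving ownership is the token delivered to the mailbox, not facts about the user; the date of birth plays no part at all. Hashing the stored token, bounding its lifetime and discarding it after one presentation are the checks the article says were missing.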

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com