
PSN Account with 2FA Hacked - Make sure you switch from SMS to Authenticator App



28 minutes ago, gooner4life said:

Ok, finally had a chat with the Executive Escalations team, my account's now back in my hands, the idiot using it left his address on it, so they've breached his Data protection and his security as I want to go for a drive, I got my PS+ Extended by 2 months, and £5 credit for the lost access to PS Now for a week.

 

I'd send him a shit in the post. 

 

35 minutes ago, gooner4life said:

Ok, finally had a chat with the Executive Escalations team, my account's now back in my hands, the idiot using it left his address on it, so they've breached his Data protection and his security as I want to go for a drive, I got my PS+ Extended by 2 months, and £5 credit for the lost access to PS Now for a week.

 

The hack was done via their chatbot, they had got access to my old email address (ntl ISP one) and used a transaction ID from 3 years ago in the email to get 2 step turned off and the email changed back to that, they then changed the email a further 6 times and all details and none of that triggered a warning inside PlayStation HQ's monitoring, and I can't secure that old email, it doesn't exist according to Virgin Media so I'm at risk of them just doing it all over again.

 

Glad it's sorted and yes, enjoy that drive. Look forward to your report back on that one.


It seems pretty cavalier of Sony to not only tell you how it was done, but to leave the guy's address on your account. That sounds like a pretty big GDPR issue.

18 minutes ago, Uncle Mike said:

It is shoddy and cavalier. I wonder if GDPR covers you when the reason your details are there are because you hacked into the account.

 

I'm not sure, but I think it might. There are obvious reasons not to (deliberately or accidentally) disclose the details of someone who is alleged to have committed a crime to the victim (assuming they even are his details, and not a friend or relative or someone else who got scammed), and it would be a pretty weird and very un-EU thing to include some kind of carve-out saying that it's open season for the personal data of alleged hackers. I would also think that a controller of data would have responsibility for that data even if they didn't intend to collect it.

43 minutes ago, Thor said:

Hang on, didn't @Uzi have some little shitbag (from Middlesbrough, I think?) constantly nicking his PSN account to use for himself? What happened with that?

Haha yeah. It seemed like a dumb kid so I am guessing my account was sold to him. 

 

The second time it happened I had 2FA on and it still got hacked which led me to believe it was an exploit to do with the registered email on the account. Since I changed the email I've had zero issues. 

 

Sony support were pretty good both times and sorted me out without an issue. People have been trying to hack and buy my account since the PS3 days because I have a three letter PSN name lol


I'd have thought it would be obvious to contact the holder of the account that is attempting to be "recovered" by a hacker by their current email and maybe a message via PSN?

 

34 minutes ago, Giddas said:

I'd have thought it would be obvious to contact the holder of the account that is attempting to be "recovered" by a hacker by their current email and maybe a message via PSN?

 

 

Yeah they argued that it happens all the time that idiots switch emails attached to accounts, I also asked them why they don't ask for a more recent transaction ID than one on an email that hasn't been used on the account for 3+ years.


Just in case it wasn't clear, the chatbot allows you to turn off 2FA if you can satisfy it that you're the account holder, in my case it's because they had the original email address it was registered with and a transaction ID.

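The recovery path described in the posts above (an old address plus a three-year-old transaction ID being enough to get 2-step switched off, then repeated email changes raising no warning), turned into two defensive checks. This is an added Python example, not part of the thread and not Sony's code; the function names, field names, thresholds and sample data are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

MAX_PROOF_AGE = timedelta(days=365)  # assumed policy value
CHANGE_WINDOW = timedelta(days=7)    # assumed monitoring window
MAX_EMAIL_CHANGES = 2                # assumed alert threshold

def review_recovery(account, claim, now):
    """Decide whether a support request to switch off 2FA may continue."""
    reasons = []
    if claim["email"] != account["current_email"]:
        reasons.append("request comes from a superseded address")
    txn = account["transactions"].get(claim["transaction_id"])
    if txn is None:
        reasons.append("unknown transaction ID")
    else:
        if txn["receipt_email"] != account["current_email"]:
            reasons.append("receipt was sent to a superseded address")
        if now - txn["date"] > MAX_PROOF_AGE:
            reasons.append("transaction too old to count as proof")
    # Any doubt: leave 2FA on, tell the current address, hand off to a human.
    decision = "hold_and_notify_current_email" if reasons else "continue_verification"
    return decision, reasons

def flag_takeover(events):
    """Alert on 2FA removal followed by repeated email changes."""
    alerts = []
    for off in (e["time"] for e in events if e["type"] == "2fa_disabled"):
        n = sum(1 for e in events if e["type"] == "email_changed"
                and off <= e["time"] <= off + CHANGE_WINDOW)
        if n > MAX_EMAIL_CHANGES:
            alerts.append({"2fa_disabled_at": off, "email_changes": n})
    return alerts

# Constructed sample data modelled on the thread; every value is made up.
NOW = datetime(2021, 3, 1)
ACCOUNT = {
    "current_email": "owner@new.example",
    "transactions": {
        "TXN-OLD": {"receipt_email": "owner@old-isp.example", "date": NOW - timedelta(days=3 * 365)},
        "TXN-NEW": {"receipt_email": "owner@new.example", "date": NOW - timedelta(days=20)},
    },
}
ATTACK_CLAIM = {"email": "owner@old-isp.example", "transaction_id": "TXN-OLD"}
# 2FA switched off, then the email changed back once and a further six times.
EVENTS = [{"type": "2fa_disabled", "time": NOW}] + [
    {"type": "email_changed", "time": NOW + timedelta(hours=h)} for h in range(1, 8)]

if __name__ == "__main__":
    print(review_recovery(ACCOUNT, ATTACK_CLAIM, NOW))
    print(flag_takeover(EVENTS))
```
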

It’s just ridiculous that 2FA can be switched off by a bot. I don’t quite get what then happened, because at that point they’d still need to reset the password wouldn’t they? If they changed the email to NTL they wouldn’t have received the pwd reset email would they as it doesn’t exist?

 

Guess we also need to delete any old PSN emails now!

56 minutes ago, Chooch said:

How’d they get a transaction ID?

 

They have hacked into an old ntl email account and managed to change the password for it, it was the original email I used to setup the account so they managed to get an old transaction ID.

33 minutes ago, scoobysi said:

 If they changed the email to NTL they wouldn’t have received the pwd reset email would they as it doesn’t exist?

 

Guess we also need to delete any old PSN emails now!

 

The email still works, they just took control of it somehow, I haven't used it for several years.

1 hour ago, Harrisown said:

So as someone who just has a regular account and only ever used one email for it. Am I safe?

Safer yes, safe, you are never safe, least of all on PSN.

52 minutes ago, Quexex said:

Safer yes, safe, you are never safe, least of all on PSN.

I don’t have my card details on psn. I always use top ups.

Same for Apple, I use Apple credit top ups. Which is weird ...

10 hours ago, gooner4life said:

It's now 5 days that I've had no access to my account or games for.

 

What is reasonable compensation to expect from Sony? 


An Xbox Series X?

5 hours ago, K said:

It seems pretty cavalier of Sony to not only tell you how it was done, but to leave the guy's address on your account. That sounds like a pretty big GDPR issue.


It’s @gooner4life’s personal account. They (the hackers) put those details in his account. Not a GDPR issue.

1 hour ago, deKay said:


It’s @gooner4life’s personal account. They (the hackers) put those details in his account. Not a GDPR issue.

 

They didn't give a flying fuck about my personal details, in fact they were telling me how that information isn't readily available when I said 'Oh wait I can see the person's address who took my account' and I could tell the Sony employee just shrugged his shoulders.

3 hours ago, Quexex said:

Receipt email for a purchase on PSN at a guess.

 

Exactly that, I did point out that at the very least it should be a transaction from the current email that's on the account, and not one from an email address that's not been used for several years.

4 hours ago, gooner4life said:

 

Exactly that, I did point out that at the very least it should be a transaction from the current email that's on the account, and not one from an email address that's not been used for several years.

Any response to that? Or again a shoulder shrug?

 

Glad you got your account back, but it doesn't sound like they're actually motivated to plug this big security loophole they admitted to. 

46 minutes ago, Dirty Harry Potter said:

Surely that’s a news story for some news outlets? 


As it’s really, really poor security from one of the world’s largest entertainment companies. 

That's a good point, the more noise there is surrounding this the higher the chance they will fix it. 
