Password Recovery Bug Puts PSN Users at Risk
Sony has suffered another blow as reports indicate that even users that have changed their passwords since PSN has come back online are still at risk.
This past weekend, Sony finally reached its goal of bringing PSN back online. Along with a service restart, Sony also rolled out a mandatory update to all users, which required that they change their password before logging in. However, it seems things still aren’t secure, despite this forced password change, as users’ accounts may still be at risk.
A posting over on game blog Nyleveia claims that all accounts remain unsafe because of a hack that allows a third party to change your password using only your email address and date of birth. Nyleveia claims that its source demonstrated the exploit and they received a ‘password successfully changed email’ from Sony and could no longer use their own password to sign in.
Nyleveia contacted Sony, providing a detailed account of the exploit and, shortly after, Sony shut down web-based PSN login and password recovery. Right now, users attempting to sign in via PlayStation.com are seeing the following notice:
Considering email addresses and DOBs were among the data stolen during last month's attack, it's plausible that the people responsible for that breach could potentially take over your account. Sony has yet to comment on the validity of the exploit, but Nyleveia suggests making a brand new email address just for your PSN account. We'll update if Sony comments on the situation.
Read more about the exploit here.