New PSN Password Exploit Discovered *UPDATE: Sony Says Problem is Now Fixed*
*UPDATE*: 1-UP has talked to Sony’s Senior Director of Corporate Communications & Social Media, Patrick Seybold and apparently the problem has been fixed.
You know this whole PSN outage and hack incident is approaching the level of “Leave PSN Alone!!!” internet meme territory. Eurogamer has reported on a hack which was demonstrated to them live and first reported by gaming website, Nyleveia. The hack takes advantage of an exploit in Sony’s password recovery architecture. Basically, all a hacker would need is your email address and your date of birth in order to hijack your account. The good news is that Nyleveia has already contacted SCEE about the exploit and the account servers have been taken offline presumably to fix it. I must admit that this is actually a bit confusing so I’m going to link to both the Eurogamer and Nyleveia articles. Additionally, Nyleveia has posted several updates to the story with the most recent being a list of commonly asked questions.
UPDATE 5: Okay, due to the email response I felt i should answer some general common questions regarding the topic.
Q. If I already reset my password am I safe?
A. The exploit was possible on any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to.
Q. What if they don’t know my Date of Birth or Email account?
A. Then the average user would not be able to take your account, however due to the database being illegally accessed in April, it’s safe to assume that someone, somewhere, has access to a large number of users details, which include date of birth and email addresses, this alone should be reason enough to change your email.
Q. Are you sure this is real?
A. Yes, it was demonstrated to one of our empty accounts, then we were able to repeat the process ourselves after figuring out the method, this was additionally confirmed when a twitter user provided us with his data and requested that we change his password as proof.
We have since emailed him his new password, and no other data on his account was changed.
Q. Can Sony fix it?
A. Shortly after containing SCEE, the online forms connected to login and password recovery for the PlayStation and other linked networks was shut down and placed in a maintenance mode, I can only assume this is a direct response to our detailed reports to SCEE, with that said, I assume that when services resume the exploit will be patched and everyone’s data once again safe.
Q. If Sony fixes the hole should I worry?
A. I would suggest that everyone, regardless of if they have been affected or not, create a new password and change their account email to one they do not use anywhere else, and will not be sharing with anyone else just for additional security.
Q. Will you give us more details on the exploit?
A. Until we have confirmed that the security hole has been patched we will not release further details on how and why the exploit was possible.
According to Eurogamer’s follow-up with Sony, this exploit affects logins to PSN accounts via websites. Therefore, logging into your account on your PS3 or PSP should still work fine, but anyone trying to change their passwords via the web will be unable to do so as the servers are offline.
“Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being,” Sony said. “This is due to essential maintenance and at present it is unclear how long this will take.”
The representative from Sony further added, “In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information.”
More on this as it happens.