Sony PlayStation Network Password Reset Page Exploited, Customer Accounts Potentially Compromised

According to reports on Nyleveia.com, Eurogamer, and NeoGAF, Sony's PlayStation Network password reset system (the one just put in place after the PSN hack) has been compromised, allowing hackers to change a PSN password if they know your email address and date of birth, exactly the sort of information that was released in the original hack.

Sony has taken the password reset system offline. Kotaku has reached out to Sony for comment.


Comments

    No worries, I'll just change my DOB.
    The only issue I have with this is that it will spark another explosion of nerd rage.

    omg

    I'm just picturing Mr Burns and Smithers going through all that security screening to get to their secret room only to find that someone left the backdoor open.

    Not. Worried.

      Simply an easy exploit in a webpage to fix. Someone needs your email address and DOB to ask for a password reset, then they have to be able to exploit the page and force confirmation rather than confirmation coming from you clicking a link in your email.

      Fairly easy to fix.

    Factually incorrect.

    This is how the web based pw resetting has always worked.

    This should of course have been disabled until changed using a playstation device.

      No website I have ever used has used date of birth as something for resetting passwords. It's always been email address and then you have to log in to your email to either get the new password they sent you or follow a unique URL link to reset it yourself.

        That'd be the normal way of doing it, but in this case that isn't particularly secure either. Because whoever stole the data has all the email addresses, they could use those to send fake emails to PSN users, sending them to some other website that might look like something official but is, in fact, malicious.

        The best way would have been to have it require the reset to come from a PS3 that had previously logged in using that account. That'd still leave a problem for the very small group of people that this might not work for (e.g. those whose PS3s failed in the past 3 weeks, or who might have sold them or whatever), who would probably have to be dealt with on a case-by-case basis, e.g. they call Sony, Sony confirms their identity over the phone, then sends an email like you described to their registered address. At least then they know that if they didn't call up and request a reset email, any one they do get is a fake.
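The reset flow the replies above argue for, written out as an added example (it is not code from the article, the commenters, or Sony's system, and the account, dates and 15-minute lifetime are constructed values): `weak_reset` models the design the article describes, where knowing the email address and date of birth is enough to set a new password, and `request_reset`/`complete_reset` model the email-link design, where completion succeeds only with a random, single-use, time-limited token that the server issued and never returned to the browser.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)


def hash_password(password, salt=None):
    """Salted PBKDF2 so a stolen database does not hand over plaintext passwords."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


# Constructed example data: one profile with a hashed password and a date of birth.
USERS = {"alice@example.com": {"dob": "1980-01-01", "pw": hash_password("old-pass")}}
# Pending resets: email -> (sha256 of the issued token, expiry timestamp).
# Only the hash is stored, so a copy of this table cannot complete a reset.
PENDING = {}


def verify_password(email, password):
    salt, digest = USERS[email]["pw"]
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def weak_reset(email, dob, new_password):
    """The design the article describes: email address + date of birth, both of
    which were in the leaked data, are all it takes to set a new password."""
    user = USERS.get(email)
    if user is None or user["dob"] != dob:
        return False
    user["pw"] = hash_password(new_password)
    return True


def request_reset(email, now=None):
    """Step 1 of the email-link design. Issues a random token for the account.
    In a real deployment the token goes only into the email; the HTTP response
    looks the same whether or not the address exists (no enumeration)."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    PENDING[email] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
    return token  # returned here only so the example can simulate the email


def complete_reset(email, token, new_password, now=None):
    """Step 2: the browser must present the exact issued token, once, before expiry.
    Nothing the client sends can 'force confirmation' without it."""
    now = time.time() if now is None else now
    entry = PENDING.get(email)
    if entry is None:
        return False
    token_hash, expires = entry
    if now > expires:
        del PENDING[email]  # stale request is discarded, not honoured later
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(token_hash, presented):
        return False
    del PENDING[email]  # single use: the same link cannot be replayed
    USERS[email]["pw"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    # With leaked profile data the weak design hands the account over.
    print("weak reset with leaked email+DOB:", weak_reset("alice@example.com", "1980-01-01", "attacker-pass"))
    # The token design: a guessed token fails, the emailed one works exactly once.
    link_token = request_reset("alice@example.com")
    print("guessed token:", complete_reset("alice@example.com", "guess", "new-pass"))
    print("emailed token:", complete_reset("alice@example.com", link_token, "new-pass"))
    print("replayed token:", complete_reset("alice@example.com", link_token, "again"))
```

The point the thread makes is visible in the two completion paths: `weak_reset` authenticates with facts the attacker already holds, while `complete_reset` authenticates with a secret that only exists in the mailbox and in hashed form on the server, and it refuses wrong, expired and reused tokens.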

    Smooth move, Sony!

    I just love that they have paid for the 'best security people' to get this done.

    Looks like the Japanese gov was right in not letting Sony start the PSN until they proved the security was satisfactory.

    Could this have come about because they are allowing people to reset passwords who may have provided a fake email address (Sony's words not mine) in the first place?

    That would explain why it went down last night right as my wife was trying to change the email associated with her User ID. I had just gotten done updating my accounts too.

    These selfish ****s, can't they just go and get a life? Find something better to do with your time instead. God's sake.

    I really just want some free sh♥t

    Got to admit, by asking for DOB it's relatively secure compared to a lot of other systems out there (I think eBay asks for a security question or something like that, which would have been stolen anyway).

    What can Sony do now? It would probably be better if you could only change your password on a PlayStation device (from the sounds of it you can do it on the PC) which has the profile you're trying to change loaded, perhaps also check some date details against the profile on the device and the profile's entry in the database or even what games have been played, if that information is available.
