PSN password-reset system compromised
Multiple sources report Web-based method for creating new login info can be hacked with a user’s e-mail and date of birth.
What we heard: Just five days after the PlayStation Network started coming back online, reports are surfacing of a new security flaw with the online systems. Based on an initial article on gaming blog Nyleveia.com that was reportedly confirmed by NeoGAF users and Eurogamer, hackers have discovered a new, simple exploit to change PSN users’ passwords.
The PSN’s Web-based password reset service appears to have been compromised.
The exploit is reportedly done via the Web pages Sony set up to facilitate the mandatory password changes required in the wake of the three-week PSN outage. All that is reportedly needed to perform the exploit is a PSN user’s email account and date of birth, which is among the data that was reportedly stolen from all 77 million PSN and Qriocity users last month. The exploit reportedly does not affect those trying to change their passwords on the PlayStation 3 or PSP, both of which can still access the PSN.
The official story: Though Sony Computer Entertainment America reps had not commented as of press time, a moderator on the European PlayStation.com forums offered the following information:
Please note that PSN sign in is currently unavailable for the following services:
Music Unlimited via the web client
All PlayStation game title websites
Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take.
In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information.”
Bogus or not bogus?: Not bogus that the PSN password reset page that PlayStation.com directs users to is “currently down for maintenance.”
Meanwhile, Nyleveia.com has reportedly performed the exploit multiple times with multiple volunteers’ PSN accounts. Several websites have also posted detailed instructions on how to perform the exploit, so this also looks not bogus.