Follow-up: Sony: PSN Password Issue Was Exploit, Not Hack
Reports are starting to bubble up saying that Sony’s PlayStation Network may have been compromised yet again and, sure enough, I can’t even log into my own account on PlayStation.com: I get the above message.
MCVUK.com reports the following:
“The exploit allows people to change users’ password via the PSN password reset page using only a PSN account email and date of birth – both of which were obtained by hackers in the original breach…
…As a result, PSN sign-in is now unavailable on a number of Sony’s sites.”
The area on Sony’s site where you’d normally reset your password has been taken offline as well. The issue doesn’t currently affect actual sign-ins on the PlayStation 3 console—just the websites.
The exploit was exposed by Nyleveia.com, which says, “While we will not reveal specific details regarding how the exploit is performed for obvious reasons, we can say that the exploit involves a vulnerability in the password reset form currently implemented, not properly verifying tokens.”
The site contacted Sony and—to Sony’s credit—the issue appears to have been addressed rather quickly. Until it’s fixed, however, Nyleveia.com cautions that the security hole potentially affects “any account the email and date of birth was known for, regardless of if the password was changed or not, or what region the account was tied to.”
You’ll know your account has been compromised if you got an automated e-mail from Sony telling you that your password’s been changed. Assuming you didn’t change it yourself, use the contact information contained within the e-mail to get things straightened out. For the time being, it appears that nobody can log in or change passwords via Sony’s sites, which is a good thing.
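The article gives no detail on the flaw beyond Nyleveia.com's statement that the reset form was "not properly verifying tokens". As an added example (not Sony's code and not part of the original article), here is the server-side check a reset form needs so that knowing an e-mail address and date of birth is never enough on its own: a random token mailed to the account owner, stored only as a hash, bound to one account, expiring, and usable once. The names `ResetTokenStore`, `reset_password`, `TOKEN_TTL` and the in-memory dictionaries are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a mailed token stays valid (assumed value)


class ResetTokenStore:
    """Hypothetical in-memory store: one pending token hash per account."""

    def __init__(self, now=time.time):
        self._pending = {}  # account_id -> (sha256(token), expires_at)
        self._now = now

    def issue(self, account_id):
        """Create the token to e-mail to the owner; replaces any older token."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[account_id] = (digest, self._now() + TOKEN_TTL)
        return token

    def redeem(self, account_id, token):
        """True only for the unexpired token issued to this account, once."""
        entry = self._pending.get(account_id)
        if entry is None or not token:
            return False  # nothing issued for this account, or empty token
        digest, expires_at = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            return False  # wrong token: constant-time comparison failed
        del self._pending[account_id]  # single use; also clears expired tokens
        return self._now() <= expires_at


def reset_password(store, accounts, account_id, token, new_password_hash):
    """Change the password only after the token check has passed."""
    if account_id not in accounts or not store.redeem(account_id, token):
        return False
    accounts[account_id] = new_password_hash
    return True
```

A production version would also rate-limit failed attempts and keep the pending tokens in durable storage.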