New PSN Account Exploit Reported

It seems we're not clear of all the hacking idiocy just yet.

Various sources have reported a simple exploit that lets hackers change your password using only your PSN account e-mail and date of birth.

As we all know, that information was compromised when the Network was attacked last month. According to Eurogamer citing Nyleveia.com, Sony has made the PSN sign-in unavailable for several of its websites, including PlayStation.com. For the time being, it's down for maintenance, and Sony issued this statement:

"Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take. In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."

Sony did make it clear that such maintenance does not affect PSN-enabled consoles; only the website you click through to from the password verification e-mail message. Currently, the recommendation is that you use a new e-mail for your PSN account, as there's no knowing if the hackers - who may have your information - will try to change your password and hijack your account.

We figure Sony will provide some sort of update at some point.

Tags: psn, psn outage, playstation network, psn password

5/18/2011 12:00:36 PM Ben Dutka


Comments (85 posts)

AshT
Wednesday, May 18, 2011 @ 12:19:44 PM
Reply

what again...damn those hackers....

Agree with this comment 5 up, 0 down Disagree with this comment

FatherSun
Wednesday, May 18, 2011 @ 12:24:08 PM
Reply

This is not a hack. It is only a by-product of the original hack. Just try telling that to all the Little Chickens that frequent the internet. I expected this much considering that the data that was stolen was personal user information such as email, DOB, etc....

Last edited by FatherSun on 5/18/2011 12:27:49 PM

Agree with this comment 6 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 12:40:48 PM

Indeed, but the exploit kind of relies on the attacker having access to the registered email account, and not just knowing the email address, does it not? Unless I've misunderstood the reset process, the reset password value is sent via email to the registered email address. So, as long as you have altered the password on that email account, there's essentially no danger at all.

Agree with this comment 5 up, 1 down Disagree with this comment

FatherSun
Wednesday, May 18, 2011 @ 2:35:02 PM

I think that only applies to those who reset utilizing email. I changed my password via the PS3 only. But I change passwords frequently so I am not worried.

On a related note, I agree with what someone posted on the PSBlog.

Butters360 on May 18th, 2011 at 11:09 am said: Patrick, it's high time you as well as Sony start calling out game sites on their journalistic integrity. There was no hack involved, but go figure EVERY single website is STILL spreading F.U.D. articles. This is HIGHLY unprofessional. This is serious and we PS3/PSN users deserve better than this crap.

Sir Stringer kind of went in that direction but there is only so much he can say without backlash and how the internet can twist words. I'm with Sony. All the way.

Last edited by FatherSun on 5/18/2011 2:38:34 PM

Agree with this comment 11 up, 0 down Disagree with this comment

McClane
Wednesday, May 18, 2011 @ 12:24:34 PM
Reply

Is this the same reason why I can't log into the PSN store?

I want to download my free games

Agree with this comment 0 up, 12 down Disagree with this comment

jimmyhandsome
Wednesday, May 18, 2011 @ 12:26:59 PM

No, the PSN store is still down. Should be up sometime before the end of the month. I'm sure Sony will make a big announcement when it's back up.

Agree with this comment 11 up, 0 down Disagree with this comment

duomaxwell007
Wednesday, May 18, 2011 @ 12:32:39 PM

No it won't be back by the end of the month because Sony said they won't start on phase 2 (getting the PS store open) until phase 1 is complete (getting PSN up EVERYWHERE) and with the Japanese government holding back the launch of PSN in Japan... if bureaucrats are controlling that you can expect another 6 months before PSN is up to their standards/expectations...

So let's hope Sony goes back on their word of phase 1 being complete and just get the store up and running for everyone outside of Japan and deal with the Japan problem separately (wouldn't be the first time Sony does the opposite of what they said they would after all, right?) Because I'm sure they're not gonna wanna deal with the backlash of their developers losing 6 months of revenue because of no PS store.

Agree with this comment 0 up, 7 down Disagree with this comment

Clamedeus
Wednesday, May 18, 2011 @ 3:20:23 PM

@duomaxwell007


Nothing to worry about, they will be compensated for the downtime of the PS store, or whatever else they have planned to help them out.

Agree with this comment 6 up, 0 down Disagree with this comment

frylock25
Wednesday, May 18, 2011 @ 12:29:19 PM
Reply

so we can just change the email that is associated with our psn accounts right?

off topic: crysis 2 is 34.99 on amazon today only. deal of the day

Agree with this comment 0 up, 1 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 12:38:35 PM

If you changed the password on your email account itself, that should be sufficient as I understand the reset process. The email account is necessary because when you request a password reset, the reset value is sent to your registered email address. If someone else knows the password to your email account, there is a problem. If they do not, there is no problem. So, change your password on your email account.

Agree with this comment 3 up, 0 down Disagree with this comment

ace_boon_coon
Wednesday, May 18, 2011 @ 12:48:02 PM

I didn't care for Crysis 2 that much; it seems like it's lacking something. I tried to play it, but I just can't get into it.

Agree with this comment 6 up, 2 down Disagree with this comment

CoolBLKguy
Wednesday, May 18, 2011 @ 2:21:16 PM

I thought Crysis 2 was trash personally, one of my few purchasing regrets this gen.

Agree with this comment 2 up, 7 down Disagree with this comment

frylock25
Wednesday, May 18, 2011 @ 3:16:21 PM

yea i had no plans of getting crysis 2. just tryin to pass on the sale. i might rent it.

Agree with this comment 1 up, 0 down Disagree with this comment

sonic1899
Wednesday, May 18, 2011 @ 12:34:27 PM
Reply

I'm really getting tired of all these news related to hackers. I don't think about hurting Sony, as much as making themselves known

Agree with this comment 1 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 12:37:06 PM
Reply

This isn't a hack it's simply the possibility that someone could, with the right information and access to your email account, reset your PSN password.

If I understand the process correctly, an attacker would not only have to have the registered email address, PSN ID and DOB information, but also have access to the email account so that when the reset email is sent, they can pick up the reset value from the email. So unless your email account is compromised, this isn't an issue. Sony have to take the precaution because it's *possible* for the exploit to be used. However given the circumstances, how else did anyone expect to reset their password without a PS3 console to do it on?

So in other words, no one has hacked anything new, this is a precaution taken in response to the vulnerability being reported. If you sit and think about how you handle a password reset, there is only really one way to do it, and that relies on the user having several key pieces of information, as well as sole access to the registered email account. So long as you changed the email account's password after the initial hack this kind of thing should not affect you.

Agree with this comment 6 up, 0 down Disagree with this comment

Scarecrow
Wednesday, May 18, 2011 @ 1:35:18 PM

It will only affect those dumb enough not to have changed their email passwords when they read that their information was compromised in the hack back in April.

Agree with this comment 1 up, 1 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 2:24:46 PM

Quite. Sadly lots of people apparently didn't get the message...

Agree with this comment 1 up, 0 down Disagree with this comment

Beamboom
Wednesday, May 18, 2011 @ 3:00:21 PM

Also it should be pointed out that this is only an issue if your password for PSN and mail were equal in the first place. If your mail password has always been different from your PSN password (really different, no relation) then you need not change mail password.


Last edited by Beamboom on 5/18/2011 3:01:56 PM

Agree with this comment 3 up, 0 down Disagree with this comment

Beamboom
Wednesday, May 18, 2011 @ 3:09:17 PM

Nevermind, Kraygen already has stated this further down. :)

Agree with this comment 1 up, 0 down Disagree with this comment

ace_boon_coon
Wednesday, May 18, 2011 @ 12:46:39 PM
Reply

This is starting to piss me off. These damn hackers are ruining our fun. I really want to hurt them right now.

Agree with this comment 6 up, 0 down Disagree with this comment

coverton341
Wednesday, May 18, 2011 @ 1:01:18 PM
Reply

Just remember, everyone; the hackers are on your side, they are doing this to combat the big evil corporate giant that is Sony. Why, if they just let Sony run rampant, sooner than later we would all be slaves to the system and all of our IP addresses would be logged every time we sneezed and squeaked out gas.

What an absolute load of sh!t

Agree with this comment 5 up, 1 down Disagree with this comment

Clamedeus
Wednesday, May 18, 2011 @ 3:10:00 PM

I don't consider hackers on our side. I don't like 'em.

Especially one with a god-complex.

Agree with this comment 4 up, 0 down Disagree with this comment

Oxvial
Wednesday, May 18, 2011 @ 8:49:14 PM

hehehehe good one Cove.

Agree with this comment 1 up, 1 down Disagree with this comment

Jdogtoocool
Wednesday, May 18, 2011 @ 1:27:30 PM
Reply

So if you change your password, can the hacker come back and change your password again to steal it?

Agree with this comment 0 up, 2 down Disagree with this comment

Beamboom
Wednesday, May 18, 2011 @ 3:03:53 PM

No, not unless they got your new password. Just remember to change both psn and mail password if they were the same.

Agree with this comment 0 up, 0 down Disagree with this comment

Excelsior1
Wednesday, May 18, 2011 @ 1:33:15 PM
Reply

i don't know. psn is still up, but any negative headlines concern me. i just hope sony remains vigilant. another outage or data breach for sony would be just devastating in terms of consumer confidence. they need to keep from generating any negative headlines in regards to psn. headlines that combine the words psn and exploit just aren't good to hear..

Last edited by Excelsior1 on 5/18/2011 1:35:08 PM

Agree with this comment 2 up, 1 down Disagree with this comment

Wissam
Wednesday, May 18, 2011 @ 2:06:13 PM
Reply

Hackers you fail.

Agree with this comment 5 up, 0 down Disagree with this comment

bigrailer19
Wednesday, May 18, 2011 @ 2:14:07 PM
Reply

Sony via the PS Blog-

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up."


Last edited by bigrailer19 on 5/18/2011 2:14:40 PM

Agree with this comment 2 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 2:23:49 PM

Indeed.

Personally, if I were Sony, I'd send an email to all accounts that have not yet reset their password. The email would go to the registered email account, and if there is no answer within 2-3 days, I'd suspend the account and require the user to go through an enhanced verification process to reset their password. For safety's sake, I'd also reset any CC number associated with the suspended account. That would protect consumers and Sony alike.

Agree with this comment 2 up, 0 down Disagree with this comment

Jdogtoocool
Wednesday, May 18, 2011 @ 2:33:15 PM

@Highlander
Idk about that, that would probably be a little too extreme but I get where you're coming from

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 2:59:57 PM

Well, the account would be suspended, not deleted. It would still be a valid account, but you'd have to go through the enhanced verification to re-activate the account. No content or PS Wallet amounts would be lost, trophies would be preserved as would all activations of software or video content. So the user loses nothing, so long as they can provide adequate assurance that they are who they say they are, and that *is* their account. By removing CC/Payment card details, Sony protects the consumer against the off chance that someone manages to validate someone else's account.

Agree with this comment 3 up, 0 down Disagree with this comment

Jdogtoocool
Wednesday, May 18, 2011 @ 4:31:36 PM

This is the way I see it:
Sony: whoops hackers just destroyed our services and may have your credit card info, your real name and address, aaand to top it off if you don't respond to this email and go through a long and painful verification process you will not be able to use your account. Have a nice day...idk to me that would be a slap in the face

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 4:55:33 PM

Or how about this (and before anyone asks, I made this up myself)?

Criminal network hackers recently compromised our network as you may have seen reported in the news media. As communicated via email and our PlayStation Blog, Sony has spent several weeks working around the clock to rebuild PSN security. To maintain user security and prevent unauthorized access, we now require all users to reset their passwords via a secure means. Your password has not yet been reset.

So, we are emailing you as a courtesy reminder to reset your password as soon as possible. We are also informing customers in your situation that we are taking action to protect your data and financial information. Therefore, we are temporarily suspending your account pending a secure password reset. None of your content will be lost, all your trophy and user data is safe.

Out of an abundance of caution, Sony will also remove any credit card data from your account to prevent abuse in the event that a third party fraudulently re-activates your account. We are committed to protecting your data and your account information. Recent attacks on our network have raised awareness of these issues to a new height. We are therefore acting in a corresponding fashion to protect you against possible fraud.

- again, the above is my suggestion of how to communicate such a message, I wrote the message myself, it is *not* from Sony.

Last edited by Highlander on 5/18/2011 4:55:56 PM

Agree with this comment 3 up, 1 down Disagree with this comment

Clamedeus
Wednesday, May 18, 2011 @ 2:24:06 PM
Reply

Found an interesting read.

http://www.escapistmagazine.com/news/view/110136-Hotmail-Users-Accuse-Microsoft-of-Sabotaging-PSN-Revival

Agree with this comment 1 up, 0 down Disagree with this comment

Clamedeus
Wednesday, May 18, 2011 @ 3:00:25 PM

I know Microsoft probably isn't linked to this, it very well could be something different.

Conspiracies. :O I love 'em.

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 3:01:13 PM

Oh, that wouldn't surprise me, Microsoft have done things like that in the past to Yahoo and Google. It's more in the way of gamesmanship than a direct attack since it's possible it's simply an oversight on a spam filter....or automatic traffic shaping because PSN was suddenly the source of a large number of emails...

You know the kind of thing.

Last edited by Highlander on 5/18/2011 3:03:06 PM

Agree with this comment 4 up, 0 down Disagree with this comment

Clamedeus
Wednesday, May 18, 2011 @ 3:02:31 PM

Indeed, I wouldn't doubt it but I also wouldn't rule them out either. It could be something different as well. Not sure, it's very strange though, and the timing of it.

Last edited by Clamedeus on 5/18/2011 3:02:59 PM

Agree with this comment 4 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 2:40:45 PM
Reply

Oh, the exploit is devious and doesn't require access to your email account.

It is based on obtaining the specific reset code/token issued by the reset by email process, and then using that in a specific URL to force a password reset, which then prompts you to change the password.

I'm still not clear how you get the token unless you have access to the email. If the process works like every other reset by email process, that token is given out by registered email, not on a web page. But, I've never used that option, so I don't know from personal experience. If the code/token value is handed out via the web page, I can see the issue. If that's the case, then whoever was responsible for checking the password reset option fell down on the job.

Agree with this comment 0 up, 0 down Disagree with this comment

Beamboom
Wednesday, May 18, 2011 @ 3:07:52 PM

If the token were handed out via the web page then why was there a token in the first place? I mean, that is the whole point of using a confirmed mail address?

This is confirmed?

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 3:15:05 PM

Well, the place I read it, wouldn't normally quote, so I decided to go with the gist. Your point about the confirmed email address is an important one, and I agree with you completely. There's no point to a token without a confirmed email address to send it to. It simply wasn't clear from the process flow I read whether the token was obtained from an email, or from the web page itself.

Oh, here's a horrible thought, what if the token value was in the URL of the confirmation page? You know how those long URLs can be, just about anything could be hidden in there.

Agree with this comment 0 up, 0 down Disagree with this comment

Beamboom
Wednesday, May 18, 2011 @ 3:26:09 PM

No no no, no way. It can not have been found anywhere in the source code of the page either. It just is unthinkable for so many reasons.

First of all, for the token to be featured in the URL or source, the token value must have already been created before the next page was successfully sent to the user - something they at that point in time can not know if they were able to do at all. It would just be a complete mess if the values were created whenever someone initiated the process. Also, the values of forms and the syntax of URLs is like the *very* first thing anyone looks at if they want to try and mess with the site. A weak script is a hacker's target numero uno.

Secondly, *why* should it be featured in the url? What would that solve?

Thirdly, who would come up with such an idea as a solution?


Last edited by Beamboom on 5/18/2011 3:32:33 PM

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 3:44:22 PM

Exactly, it's unthinkable for so many reasons. That's why it has to be sent to the registered email, so this can only be an issue if the email account has already been compromised.

Agree with this comment 0 up, 0 down Disagree with this comment

Beamboom
Wednesday, May 18, 2011 @ 3:55:44 PM

Unless, of course, the token value itself is not random but based on available data like time stamp, country code, psn nick, or whatever, and thus possible to construct without reading the mail at all. But again... *Why* would anyone do that - I simply see no reason to do it in the first place.

These kinds of things may be found if the sloppy solution had some kind of advantage to the developer, usually making something easier. But I see no such advantage here.


Last edited by Beamboom on 5/18/2011 4:05:18 PM

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 4:03:34 PM

Agreed, there's no reason to build a token based on guessable elements of data. Simply use a random number generator to build a token value. Good lord, it would almost take more work to do it any other way.

Last edited by Highlander on 5/18/2011 4:04:15 PM

Agree with this comment 0 up, 0 down Disagree with this comment

Beamboom
Wednesday, May 18, 2011 @ 4:48:42 PM

Yes indeed. Ergo, that can't be it.

But if bottom line here is that "if your mail account is compromised then mail based password reset is a Bad Thing", then why is this even a story at all now? What's new? What's "discovered"?

Another thing is, why would anyone not just use the ps3 to change password now after the update?

Last edited by Beamboom on 5/18/2011 4:51:55 PM

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 5:13:30 PM

I'm guessing that there will be those whose PS3 met its maker during the 24 day outage, and also Qriocity subscribers who don't have a PS3. But in reality, that should be a very small number - relatively speaking.

Still, people persist in suggesting that the website provides the reset code. I never used the password recovery (reset) option before all of this, but it was my understanding that it sent the reset code to you in email. I can't see why this would be any different now.


Last edited by Highlander on 5/18/2011 5:33:46 PM

Agree with this comment 0 up, 0 down Disagree with this comment

Beamboom
Wednesday, May 18, 2011 @ 6:38:29 PM

Well, it could still have sent you an email...
It's almost too bad it's disabled now, I'd love to see this for myself!

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Thursday, May 19, 2011 @ 12:00:19 AM

Me too Beamboom, me too.

Agree with this comment 0 up, 0 down Disagree with this comment

Fane1024
Thursday, May 19, 2011 @ 1:25:52 AM

Guys,

If you reset your password, it does indeed send you an e-mail message with an embedded link to the page where you can change your password. I don't have enough technical knowledge to give more details (i.e., when the token was given), though.

It didn't allow me to access that page using the PS3 browser (which I had used to check my webmail); it required a PC.



Last edited by Fane1024 on 5/19/2011 1:28:56 AM

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Thursday, May 19, 2011 @ 2:18:00 AM

Thanks Fane, that means it operates as it ought to. So you can't really do much without access to the registered email account, right?

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Thursday, May 19, 2011 @ 2:45:36 PM

OK, more information. Apparently the cookie that was issued by the site where you request the reset contained the token that could be used to force the reset at a specific URL. Once done you could reset the password on an account and then change it to whatever you wanted to. You *don't* need access to the registered email account.

I'm in two minds about this because first of all, nothing served by the reset request page should include the reset token that is emailed to the user. That is a very basic flaw in this situation. On the other hand, this illustrates the difficulty of testing everything to prevent an attack or exploit. For this to be tested, someone would have to have another user's registered email address, PSNID and DOB, then they would have to open the reset request page and having requested the reset, copy the cookie created by their browser. Then separately you have to open another page with a specific URL and copy a specific value from the cookie file into the URL. Once that's done, the password gets reset and you can change its value normally.

So it's a flaw that should not happen, exploited in a non-obvious way. The encouraging thing is that it was discovered very quickly, and Sony yanked it immediately. I dare say that the cookie no longer contains the token, and the URL concerned no longer accepts the token.

But, to go back to my discussion with Beamboom. This is exactly the kind of thing I was worried about when I suggested that the value might be found somewhere in the reset page itself. It's really unthinkable that you would design a reset page in this way. To be honest, if I was the manager in charge of this development, I would expect to be fired, and I would already have fired the coder concerned for gross negligence.

You just do not put the reset code or token into *anything* except the reset email sent to the user's registered email address. You simply do not do it. The value shouldn't even be generated by the code serving the web page. There should be a straight client-server call made to a separate process that creates the code and emails it.

Now, the thing is, this is the kind of coding error that happens *everywhere*. Some system somewhere will have an oversight of this kind in it. Those who lack understanding will scream that this is amateur and castigate Sony as a whole over the error of one or two coders that probably occurred 5 years ago. But in truth, that's neither fair, nor very realistic. It's been fixed now, but the thing about it is, that the scrutiny that found the flaw was not present prior to the attack on PSN. The exploit might never have been found without that additional scrutiny. The reason I am mentioning this is that there are thousands of systems connected to the Internet that contain flaws like this, or even worse. Those flaws remain unknown and possibly will never be discovered because the kind of scrutiny currently applied to Sony is far in excess of that which is applied ordinarily.

That does not excuse Sony, or the mistake. But it puts it into perspective. It's very important to acknowledge that Sony is by no means remarkable in this regard. Or rather, they were not beforehand. Now, with the increased scrutiny PSN and other Sony networks are under, their security should be far better than average and getting better incrementally going forward.

Still, the coders and project/team managers responsible for this piece of code probably need to be fired over it, it's a very fundamental design flaw in the process - IMHO.

Last edited by Highlander on 5/19/2011 2:48:40 PM

Agree with this comment 1 up, 0 down Disagree with this comment
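The flaw described in the comment above (the reset token exposed in a cookie set by the reset-request page) next to the design the thread argues for (a random token created by a separate service and delivered only by e-mail), as an added example that is not part of the original thread and is not Sony's code. `ResetService`, `Response`, the handler names, the cookie name and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the page gives no value
GENERIC_BODY = "If the details match an account, a reset e-mail has been sent."


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    body: str
    cookies: dict = field(default_factory=dict)


class ResetService:
    """Hypothetical reset backend, separate from the code serving web pages."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (account e-mail, expiry time)
        self.outbox = []    # (recipient, token) pairs standing in for sent mail

    def _store_and_mail(self, email, token):
        # Only a hash is kept server-side, so a leaked table does not
        # hand out usable tokens.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, token))

    def issue(self, email):
        """Create a token from the OS CSPRNG and mail it. Returns nothing."""
        self._store_and_mail(email, secrets.token_urlsafe(32))

    def redeem(self, token):
        """Return the account e-mail for a valid token, else None. Single use."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        email, expiry = entry
        return email if self._clock() <= expiry else None


def request_reset_vulnerable(service, email):
    """The flawed shape: the web tier holds the token and puts it in a cookie."""
    token = secrets.token_urlsafe(32)
    service._store_and_mail(email, token)
    return Response(GENERIC_BODY, cookies={"reset_token": token})


def request_reset_hardened(service, email):
    """The web tier never sees the token; the only copy goes out by e-mail."""
    service.issue(email)
    return Response(GENERIC_BODY)


def response_leaks_token(response, token):
    """Regression check: does anything sent to the browser contain the token?"""
    parts = [response.body, *response.cookies.keys(), *response.cookies.values()]
    return any(token in part for part in parts)


def demo():
    """Run both handlers against a constructed account and report the checks."""
    service = ResetService()
    account = "user@example.test"  # constructed sample address

    bad = request_reset_vulnerable(service, account)
    bad_token = service.outbox[-1][1]
    good = request_reset_hardened(service, account)
    good_token = service.outbox[-1][1]

    return {
        "vulnerable_leaks": response_leaks_token(bad, bad_token),
        "hardened_leaks": response_leaks_token(good, good_token),
        "first_redeem": service.redeem(good_token),
        "second_redeem": service.redeem(good_token),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`response_leaks_token` is the kind of check that can run in a test suite against every response of the reset flow, comparing it with the token captured from the outgoing mail.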

Fane1024
Friday, May 20, 2011 @ 2:57:03 AM

Thanks for investigating, High.

FWIW I requested the reset on my PS3 (actually it was forced; I tried to change the password and was told it was reset), not on the website. I then went to my e-mail and from there to the password change web page, so I probably didn't get the illicit cookie.

Agree with this comment 0 up, 0 down Disagree with this comment

Sakaxxxx
Wednesday, May 18, 2011 @ 2:42:01 PM
Reply

God damn hackers, if we find them we should break all of their equipment in front of them

Agree with this comment 5 up, 0 down Disagree with this comment

Cesar_ser_4
Wednesday, May 18, 2011 @ 5:46:09 PM

in an office space montage style

Agree with this comment 2 up, 0 down Disagree with this comment

kraygen
Wednesday, May 18, 2011 @ 2:51:47 PM
Reply

However if your email password was different from your psn password then they would not be able to access your email and thus if they tried to change your password you would know about it.

So just make sure the email used for psn id does not use the same password as your email.

Agree with this comment 1 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 3:01:55 PM

Which if everyone was listening to Sony three weeks ago, they would already have made sure of. ;)

Agree with this comment 5 up, 0 down Disagree with this comment

Clamedeus
Wednesday, May 18, 2011 @ 3:04:29 PM

@Highlander

That's true but, you should know people by now. xD

Agree with this comment 2 up, 0 down Disagree with this comment

kraygen
Wednesday, May 18, 2011 @ 3:04:34 PM

Exactly, but you know the flamers are going to start saying that the hackers still have control over your accounts and now they can change your password at will.

In truth people should just realize that if someone knows how to get into your account then they can change your account, so just do your due diligence and protect yourself.

Agree with this comment 5 up, 0 down Disagree with this comment

Clamedeus
Wednesday, May 18, 2011 @ 3:06:42 PM

Indeed Kraygen.

Agree with this comment 0 up, 0 down Disagree with this comment

slugga_status
Wednesday, May 18, 2011 @ 6:27:47 PM

Well..checked my e-mail literally seconds ago. And I see an e-mail from Sony speaking of my password being changed..I haven't logged in to my PS3 after this morning and none the previous 30 hrs.

Now my e-mail password and my psn password are completely different in every way possible. I use a 27 character log in for my personal e-mail addy.

When I get out of class I'm going to go home and try to sign in..If it's a no go..I'll let all of you know. Hoping it's just a lag in the reset confirmation from the update..doubt it though...

Agree with this comment 0 up, 0 down Disagree with this comment

SirLoin of Beef
Wednesday, May 18, 2011 @ 3:04:46 PM
Reply

The first thing I did after changing my password was assigning a new e-mail address to my PSN account, one that is used only for PSN (I've done the same for XBL, and a few other online game services I use).

Agree with this comment 3 up, 0 down Disagree with this comment

Highlander
Wednesday, May 18, 2011 @ 3:16:33 PM

I kept the email address, but changed every password that was even remotely close to my PSN password. Now, I have also applied my own advice and use a much longer and complex pass-phrase instead of a password.

Agree with this comment 0 up, 0 down Disagree with this comment

Beamboom
Wednesday, May 18, 2011 @ 3:43:47 PM

Changing to a different account is actually a *very* good move. Safer than just changing the password.

Also, creating dedicated mail aliases to an account is also smart, for those who have that option.


Last edited by Beamboom on 5/18/2011 3:45:23 PM

Agree with this comment 0 up, 0 down Disagree with this comment

MMKM
Wednesday, May 18, 2011 @ 3:52:15 PM
Reply

I'm glad I was able to get into my PSN account and change my password (which was nothing close to my email's password to begin with) and remove my CC information.

Agree with this comment 0 up, 0 down Disagree with this comment

Riku994
Wednesday, May 18, 2011 @ 4:06:09 PM
Reply

This is madness.

Agree with this comment 2 up, 0 down Disagree with this comment

Milonakis
Wednesday, May 18, 2011 @ 4:27:38 PM

No... This is DUTKA!

Agree with this comment 1 up, 1 down Disagree with this comment

Milonakis
Wednesday, May 18, 2011 @ 4:28:02 PM
Reply

I changed my email straight away anyways, so that's good.

Agree with this comment 3 up, 0 down Disagree with this comment

CrusaderForever
Wednesday, May 18, 2011 @ 4:55:33 PM
Reply

Wait, didn't the hackers get my memo!!!!?

PLEASE DIE!!!!!!!!!!!!!

Hmmm (checks phone cable on fax) Crap it was unplugged, sending now! This should be over in about 20 minutes as they will all Waco, TX!

Oh well, hopefully we'll hear about some arrests soon.

Agree with this comment 5 up, 0 down Disagree with this comment

jdt1981
Wednesday, May 18, 2011 @ 5:06:00 PM
Reply

According to nyleveia.com all that was needed to reset people's PSN password was the email address and DOB associated with the account. If that's all that was needed to reset PSN passwords then Sony really dropped the ball here. Most websites will require people to click a link or use a code sent to the email address used to complete a password reset and this is what Sony should've done. I would suggest that everyone change the email address and password associated with your PSN account to be safe.

Agree with this comment 1 up, 0 down Disagree with this comment

Robochic
Wednesday, May 18, 2011 @ 5:16:25 PM
Reply

Boo to hackers. I changed everything except my email cause I hate having too many email accounts, but maybe thinking I should do it for all my gaming.

Agree with this comment 2 up, 0 down Disagree with this comment

LazyVigilante
Wednesday, May 18, 2011 @ 5:31:16 PM
Reply

News like this is like a thorn in the foot...though posing no imminent danger, it's still highly unpleasant and disconcerting.

Die Hackers Die.

Agree with this comment 1 up, 0 down Disagree with this comment

BikerSaint
Wednesday, May 18, 2011 @ 7:04:28 PM
Reply

Highlander,
Maybe you can tell me,

OK, still a bit confused about this new info.....

Since my older PS3 was dead, I wound up going through the Killzone stats site on my PC to set up changing my password & I received the email within minutes of doing so.

So should my new password be OK, or do you think I need to go back & change my NEW one all over again too?
(BTW, my new password now is much different than all the other passwords I made at every other place).

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Thursday, May 19, 2011 @ 12:04:05 AM

Since you know your current password, and can modify it through the normal PSN login on the Qriocity and PlayStation, you could always change it again for peace of mind.

Agree with this comment 0 up, 0 down Disagree with this comment

madmike
Wednesday, May 18, 2011 @ 7:07:04 PM
Reply

ben, i usually agree with you on most things but calling hacking idiocy is just plain ignorant. these hackers outsmarted sony and their weak security. i would call sony's lax security idiocy. while certainly dishonest sony themselves admitted that the attack was very sophisticated and well planned. i would not call that idiocy. just my opinion.

Agree with this comment 0 up, 4 down Disagree with this comment

BikerSaint
Wednesday, May 18, 2011 @ 7:07:59 PM
Reply

Highlander, before I forget it again,

Here's an important question that's stumping me...


OK, once the store is up, & since Sony's got to figure now that almost nobody wants to use a credit card there anymore, then how do you think they'll authorize these new separate accounts for PS+, Netflix, and/or any other of these new 30 day "Welcome back" services, than just accepting Pre-paid PSN cards????

Have any ideas on how they might go about this now?????

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Thursday, May 19, 2011 @ 12:02:20 AM

They will probably issue codes that users can redeem.

Agree with this comment 0 up, 0 down Disagree with this comment

BikerSaint
Thursday, May 19, 2011 @ 12:29:06 AM

OK, maybe I didn't ask you right, or I'm just not following your thought correctly (probably the latter due to lack of sleep) but other than using a CC or PSN card, I'm wondering how Sony will actually charge us after those 30 grace periods are up.

Or did you just mean a new redeem code system in place to take our charges/PSN cards, or something else entirely?

I mean it's not like they will send us a bill later through the snail mail.

Ok, now I'm officially burned out, time to try putting my brain in freeze-frame on a comfy pillow now.....

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Thursday, May 19, 2011 @ 1:01:25 AM

Sorry, I misunderstood. I think that they will still hope people will continue to use their CC number. I will, but then I am well aware of the risks here and elsewhere and deem the risks no worse here. I think that they may push the PSN cards more, and I hope that they include a PayPal option, as Microsoft did just this week.

Oh, BTW I may let Gophermods have a go at repairing my launch baby. Their use of reflowing and reballing techniques instead of pointing what is little more than a hairdryer on steroids at the motherboard is what makes the difference for me. Hopefully with a quick reflow, a good clean and remounting the HSF with Arctic Silver, my launch system will continue to live for another couple of years - until that PS4 decides to arrive.

Last edited by Highlander on 5/19/2011 1:03:55 AM

Agree with this comment 1 up, 0 down Disagree with this comment

Danny007
Wednesday, May 18, 2011 @ 8:50:42 PM
Reply

Just when we thought everything was okay...

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Thursday, May 19, 2011 @ 12:02:36 AM

Everything is OK, for now.

Agree with this comment 1 up, 0 down Disagree with this comment

___________
Thursday, May 19, 2011 @ 3:16:22 AM
Reply

sigh.
AGAIN!?
but, but, but, our security's perfect!
sigh, looks like sony have learned jack sh*t over the past few weeks!
thank god all the info on my account is 100% fake!

Agree with this comment 0 up, 1 down Disagree with this comment

Banky A
Thursday, May 19, 2011 @ 4:27:06 AM

Fake? Dangit :/

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Thursday, May 19, 2011 @ 10:09:52 AM

Projection again eh?

Oh, and in case you lack reading skills Anon Cow, no one at Sony has ever claimed their security is perfect.

Agree with this comment 0 up, 0 down Disagree with this comment

79transam
Thursday, May 19, 2011 @ 2:09:26 PM
Reply

ps blog has it stated that it is not a hack but rather a URL exploit

Agree with this comment 0 up, 0 down Disagree with this comment

Highlander
Thursday, May 19, 2011 @ 2:25:33 PM

It was a URL exploit where the attacker could use data from a cookie from one web page to supply a value to a URL requesting a reset. It's very devious, and gives an insight into how deep testing of these things needs to be to ensure that no vulnerabilities remain.

Last edited by Highlander on 5/19/2011 2:26:42 PM

Agree with this comment 2 up, 0 down Disagree with this comment
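The two points raised in the thread above (jdt1981's that a reset should need a code sent to the account's mailbox, and Highlander's that a reset URL accepted a value obtained elsewhere) are illustrated by this added example, which is not part of the thread and not Sony's code. `ResetService`, its methods and the in-memory stores are hypothetical; it contrasts an e-mail plus date-of-birth check with a single-use, expiring token that the server binds to one account.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

class ResetService:
    """Hypothetical in-memory account store; all names are illustrative."""

    def __init__(self):
        self.accounts = {}  # email -> {"dob": str, "password": str}
        self.pending = {}   # sha256(token) -> (email, expiry)
        self.outbox = []    # (email, token): stands in for sending mail

    def add_account(self, email, dob, password):
        self.accounts[email] = {"dob": dob, "password": password}

    def weak_reset(self, email, dob, new_password):
        # Weak: e-mail and date of birth are static facts, so anyone who
        # holds breached profile data passes this check.
        acct = self.accounts.get(email)
        if acct and acct["dob"] == dob:
            acct["password"] = new_password
            return True
        return False

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, now + TOKEN_TTL)
            self.outbox.append((email, token))  # delivered to the mailbox only
        # Same answer either way, so the form does not reveal valid accounts.
        return "If the account exists, a reset link was sent."

    def complete_reset(self, email, token, new_password, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: gone after one try
        if entry is None:
            return False
        bound_email, expiry = entry
        # The account is taken from the server-side record, not trusted from
        # the request: a token issued for one account cannot reset another.
        if now > expiry or bound_email != email:
            return False
        self.accounts[bound_email]["password"] = new_password
        return True
```
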
