
Forums - Sony Discussion - My PSN account was hijacked (?) today

Welp, time to enable two-step verification then.




How do you enable two-step verification?



I remember I sold my PS4 and Sony account online. The guy changed the email address on my account to the exact email address of his own PSN account. He effectively lost access to my account at that point. There was no way for me to get it back for him and Sony couldn't do it either.

I later decided to get a PS4 again, but I wanted to see if I could get my account back, otherwise I didn't want it. I called Sony and in minutes they were able to get my account back to me with a new email.



Quick update: this evening my son noticed that there was some "damage" done in the 8 or so hours that my account was being used by Mr. Asshat Hacker: several custom items and keys in his Rocket League profile are missing, so obviously the pr*ck "traded" those items to his own RL account. I sent an email to Psyonix support informing them of the theft, but don't expect there's much they can do about it. They _should_ have some internal transaction logs that show which other account my account traded the items with, but I doubt they are going to let me know who it is.

Anyway, lesson learned. As others have pointed out in this thread, do yourself a favor and enable 2-step auth on your PSN account *right now*!!



ratchet426 said:
Quick update: this evening my son noticed that there was some "damage" done in the 8 or so hours that my account was being used by Mr. Asshat Hacker: several custom items and keys in his Rocket League profile are missing, so obviously the pr*ck "traded" those items to his own RL account. I sent an email to Psyonix support informing them of the theft, but don't expect there's much they can do about it. They _should_ have some internal transaction logs that show which other account my account traded the items with, but I doubt they are going to let me know who it is.

Anyway, lesson learned. As others have pointed out in this thread, do yourself a favor and enable 2-step auth on your PSN account *right now*!!

Of all the things he could have done with a hacked account, that’s probably one of the dumbest...




Don't they send some kind of email to your email address that you must validate in order for a new email address to be authorized? It would be an easy way to stop 99% of hacked accounts cause then they would need to hack both your email and your PSN account which would be nearly impossible.

Also as a rule, do not add a credit card to your account. In case of hacking at least they can't get hold of your credit card info.

Still I have to wonder how the hell do they manage to hack accounts, cause they need your associated email AND password to get in. Unless you give your email to everyone publicly, how the heck do they know your email? And your password too for that matter?



CrazyGamer2017 said:

Don't they send some kind of email to your email address that you must validate in order for a new email address to be authorized? It would be an easy way to stop 99% of hacked accounts cause then they would need to hack both your email and your PSN account which would be nearly impossible.

I don't think I've ever seen that. Some services send email to the new email address for confirmation, but I don't think I've seen any service send email to the old address. It's possible some services have sent informational email, but not a single one has sent a confirmation email, I'm fairly sure.

CrazyGamer2017 said:

Still I have to wonder how the hell do they manage to hack accounts, cause they need your associated email AND password to get in. Unless you give your email to everyone publicly, how the heck do they know your email? And your password too for that matter?

Security through obscurity is considered a bad assumption. Finding out the email address ought to be easy enough. I'm not sure how Sony handles it, but I think some services even reveal your email address if you use the password forgotten functionality.



I was only tipped off to the hack because I got an email alert at 2pm yesterday afternoon saying that the email address associated with my account had changed. It would be better if PSN would have sent me an email asking me to _confirm_ the email change request (using a one-time unique link that expires in 24hrs or something, like banks typically do).

However, I think that the hacker already had my account password at that point and the first thing he did was change the email address so when he subsequently changed the password, traded the Rocket League items, etc, those email confirmations would go to him, not me. I don't think he realized that I would be alerted to the email address change.



Miguel_Zorro said:

I work in Fraud prevention.  Sending an email to the old email address when the email address on an account is changed is standard industry practice.

I'm pretty sure a lot of companies don't follow standard practices - especially companies that aren't focused on fraud prevention. Also, I acknowledged informational emails being sent.



Miguel_Zorro said:

I work in Fraud prevention.  Sending an email to the old email address when the email address on an account is changed is standard industry practice.

As for how people hack accounts, it's incredible how often people successfully gain account credentials.

Yeah but simply sending an email is not enough, you guys need to send said mail with a code in it or a link for activation, in other words if a hacker steals your account and tries to create a new password or tries to link your account to HIS/HER email address, you security guys should send the victim an email with mandatory confirmation through a link or code so that the hacker CANNOT change your password or add a new email without access to your old email account. He'd have to hack both your PSN (or any other service) AND your email at the same time which would be extremely hard.

Also about the PSN, the two steps check is fine as an extra precaution but you also have an option to add a security question which is STUPID and pointless cause if your account gets hacked and the hacker tries to change your password and even if he's asked a security question, all he has to do is change the security question to whatever he wants, I looked it up and once you are in your account, your security question can be changed without any further protection to it thus rendering it pointless. AGAIN a security question could very simply be effective if you were sent an email to your email address with an activation code, making it AGAIN impossible for a hacker to change your security question UNLESS he has access to your email TOO...

How can security systems not include such simple yet effective steps is beyond me.
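The confirm-before-change flow several posters ask for (the change stays pending until a one-time code, mailed to the old address and expiring after 24 hours, is presented), as an added example that is not part of the thread and not Sony's or any service's actual code. The `Account` class, the function names and the example.com addresses are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # 24-hour expiry, the figure suggested in the thread


class Account:
    """Hypothetical account record; a real service would persist this."""

    def __init__(self, email):
        self.email = email
        self.pending = None  # (new_email, sha256(token), expires_at)


def request_email_change(account, new_email, now=None):
    """Stage the change; return (recipient, token) to mail to the CURRENT address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable one-time code
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Store only the hash, so a leaked database row cannot be replayed as a token.
    account.pending = (new_email, digest, now + TOKEN_TTL)
    return account.email, token  # account.email is still the old address


def confirm_email_change(account, token, now=None):
    """Apply the staged change only for the right, unexpired, unused token."""
    now = time.time() if now is None else now
    if account.pending is None:
        return False
    new_email, digest, expires_at = account.pending
    supplied = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(supplied, digest):  # constant-time comparison
        return False  # wrong code: the address stays as it was
    account.pending = None  # single use, whether it succeeds or has expired
    if now > expires_at:
        return False
    account.email = new_email
    return True
```

Someone holding only the account password can call `request_email_change`, but the code goes to the owner's mailbox, so the address, and with it every later password-reset mail, stays with the owner unless that mailbox is compromised too.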