https://www.pcmag.com/news/man-spent-20000-on-playstation-games-he-lost-it-all-to-a-security-loophole

All I'm going to say here is that this is why you don't buy digital games. Also, you need a lot of personal information for this exploit to work. 

Per PCMag "When you initiate an account recovery, you submit a PSN ID, the registered email address, the user's full name, and one other detail:

• The first four and last four digits of the credit card number used on the account.

• Serial number of the first console used to create or log into your account.

• Order number for a recent transaction made on this PlayStation account."
  
  P.S. Sony is stupid for not helping the man. 

Wow. Hard to believe that cheap outsourcing and known security flaws in LLM AI could cause such a thing.
Who could have predicted it?

Sony’s customer service has been terrible in a lot of the world for years, but this is a new low.

This article is kind of trash. He says he “hacked” his own account in 30 minutes when he actually just did an account recovery with a bot that requested information from him that only he should have access to. He provided an order number from a transaction, he would only have that if he has access to the account already or access to the email address it’s registered to.

So to use this exploit they need to come to your house to find the serial number on your hardware, have access to your credit card details or have access to your email. Any one of those would be a massive problem in an of itself, and your PlayStation account is probably not the only thing in danger.


Having said that, there should be an additional layer of security for this type of recovery.

This

Forever digital master race....

OMG, I didn't realize how poor credit card security was. I called Visa and provided personal information only I have and THEY LET ME CHANGE MY ACCOUNT!!!!

Despite my distaste for an digital only future, I think there should be a way the man can prove ownership of his account, be it what it can be, even sending official copies of documents or having to meet in person a representative from Sony, but there really should exist a way for Sony to make sure he needs an account reset based on the last safe point in their database and grant it back to him.

It's PCMag. They are usually pretty bad. I specifically quoted a part of their article to avoid tricking people. It's pretty hard to have access to four different pieces of information on a PSN account. 

That is kind of crazy in the one story of the hacker spoofing the customer support number and calling the victim to get the info they need to convince real customer support they are the legitimate owner.

If you're going to go digital, you must accept the flaws along with the benefits. He clearly doesn't.