Sony confirms exploit with Playstation Network website password reset [Update]

Sony has confirmed that there is an issue with the web site password reset system for its Playstation Network that would allow hackers to change a PSN user's password. Eurogamer.net reports that as a result of the exploit, Sony has decided to make "PSN sign-in unavailable for a number of its websites, including PlayStation.com and the PlayStation forums. All PlayStation game titles are also unavailable."

The exploit, which was first revealed at the Nyleveia.com web site and confirmed by others, does not affect people who just want to use their Playstation 3 or PSP consoles to sign onto the Playstation Network. According to the story, the exploit is web-based only. However, it would still allow hackers to change a PSN user's password "using only your PSN account email and your date of birth". In its official statement, Sony says, "Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take."

This is just the latest issue in Sony's attempt to restore all services for the Playstation Network after a cyber attack forced Sony to shut down the Network on April 20. Sony began to restore the network on Saturday night and Sunday, including multiplayer matchmaking and other features. However, the full Playstation Network, including the online Playstation Store, is not scheduled to be back online until the end of May.

Update: In a post on the Playstation Blog site, Sony has confirmed that the web site password exploit has now been fixed, saying, "Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up."


Doesn't faze me no more. Still use PS3 so... it just doesn't faze me no more. Only issue I would have of all this debacle is the spam I'll probably receive but I guess I'll have to do my part in blocking them off while I wait for Sony to get their act together. Since the Welcome Back package, I believe there will be more to come from the light of this or one would think so.

Everything should move to triple authentication these days. Things like a safeword card, Blizzard's authenticator, google's similar service where they text you some random code that you have to enter before you can get access.

Usernames and passwords do not cut it anymore. Sure it is an annoying added step, but would you rather want your mail/PSN/or any other account to remain safe? Most banks have triple and quadruple authentication.

never late to remember:

$ony is the BIGGEST FAIL in history.

hahaha ... LMFAO !!! for now i'll keep playing with friends only, and ofc PSN never more !!!!

tester.br said,
never late to remember:

$ony is the BIGGEST FAIL in history.

hahaha ... LMFAO !!! for now i'll keep playing with friends only, and ofc PSN never more !!!!

Let's ignore some important parts of history first. Like Hitler and slavery.

Americans and Europeans are suckers running back to Sony as PlayStation Network not up in Japan due to ongoing security concerns.

Sony may have partially restored its troubled PlayStation Network around the globe, but in Japan government officials have refused to restart the online gaming services due to uncertainty about the supposed security boost, according to reports.

In a Dow Jones press release obtained by gaming blog Engadget, a Japanese regulatory official said Sunday that Sony needs to provide more information on what security measures it has implemented since the massive hack last month that compromised more than 100 million online accounts and caused the company to shut the online gaming service down.

"We are asking Sony whether their measures are good enough when compared to countermeasures taken in the past," Kazushige Nobutani, director of the Media and Content Industry department at the Ministry of Economy, Trade and Industry, told the Dow Jones Newswires.

Restored operations have begun in the United States and Europe, but for now those services are limited to online gaming, chat and music streaming.

http://www.cbsnews.com/8301-504083_162-20063518-504083.html

alexalex said,
Americans and Europeans are suckers running back to Sony as PlayStation Network not up in Japan due to ongoing security concerns.

Sony may have partially restored its troubled PlayStation Network around the globe, but in Japan government officials have refused to restart the online gaming services due to uncertainty about the supposed security boost, according to reports.

In a Dow Jones press release obtained by gaming blog Engadget, a Japanese regulatory official said Sunday that Sony needs to provide more information on what security measures it has implemented since the massive hack last month that compromised more than 100 million online accounts and caused the company to shut the online gaming service down.

"We are asking Sony whether their measures are good enough when compared to countermeasures taken in the past," Kazushige Nobutani, director of the Media and Content Industry department at the Ministry of Economy, Trade and Industry, told the Dow Jones Newswires.

Restored operations have begun in the United States and Europe, but for now those services are limited to online gaming, chat and music streaming.

http://www.cbsnews.com/8301-504083_162-20063518-504083.html


Never thought of that. Why is it that the US/UK were online while Japan wasn't? Now we know. Japan Government was smarter on this I guess.. lol.

Working in software and web development, I always would wonder how a big company, a 'player' like Sony was doing it. As it turns out, they weren't doing anything. Color me shocked and seriously disappointed.

ManOfMystery said,
Okay Sony I have been meaning to say this to you for awhile so here it is.....**** YOU

How brave of you to post such a comment. I'm sure Sony is reading this very comment right now and feels incredibly stung by it

LiquidSolstice said,

How brave of you to post such a comment. I'm sure Sony is reading this very comment right now and feels incredibly stung by it


Your level of sarcasm leads me to think that he stung the wrong one...

GS:mac

Glassed Silver said,

Your level of sarcasm leads me to think that he stung the wrong one...

GS:mac

...how on earth does my level of sarcasm make it seem like I'm the stung one? I don't own a PS3 and really don't care about PSN.

LiquidSolstice said,

...how on earth does my level of sarcasm make it seem like I'm the stung one? I don't own a PS3 and really don't care about PSN.


Guess it's not my clearest day today... Reread it and I agree, I jumped to conclusions too quick, something that I normally try to stay away from.
Sorry for that.

GS:mac

I was reading on other sites, and what happens is that when you change your password, you receive an email asking you to click a link to confirm your password change. The exploit allow hackers to confirm the password change without clicking this link, so you would receive the first email asking you to confirm, and then another email confirming the success of the change.

Wow stupid stupid stupid.

70 million accounts get hacked, the hackers have everyone's account name, email address and birthdate. Hackers can quite easily use this info to gain full access to the PSN account, change password on people and then potentially gain their credit card numbers since they would now have full access to the PSN account, and Sony does not change the password reset process to be a little more stringent? How ignorant are they?

And how ignorant are Sony Fanboys for still making excuses for Sony after all this crap? Seriously to some Sony could beat their moms and kill their dog and they would thank Sony for giving them attention.

All Sony needs to do is send a password reset link to the registered email address after that info has been entered which will then allow them to change their password.
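The two-step flow the comments above describe (the password only changes once the link mailed to the registered address is actually used) next to the weak flow they criticise (email plus date of birth alone changes it), as an added example that is not Sony's code or anything posted in this thread; `ResetService`, `TOKEN_TTL_SECONDS`, the account layout and the in-memory outbox are assumptions made for the demonstration:

```python
import hashlib
import hmac
import secrets
import time
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an e-mailed reset link

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2; a leaked hash is useless without the salt and the work."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    return hmac.compare_digest(hash_password(password, bytes.fromhex(stored.split("$")[0])), stored)

class ResetService:
    def __init__(self, accounts: dict, now=time.time):
        self.accounts = accounts  # email -> {"dob": "YYYY-MM-DD", "pw": hash}
        self.pending = {}         # email -> (token, expiry timestamp)
        self.outbox = []          # constructed stand-in for the mail server
        self.now = now

    def weak_reset(self, email: str, dob: str, new_password: str) -> bool:
        """The flaw the thread describes: e-mail + date of birth alone set a password."""
        acct = self.accounts.get(email)
        if acct is None or acct["dob"] != dob:
            return False
        acct["pw"] = hash_password(new_password)
        return True

    def request_reset(self, email: str, dob: str) -> None:
        """Step 1: the hints only earn an e-mailed token; same silent reply either way."""
        acct = self.accounts.get(email)
        if acct is None or acct["dob"] != dob:
            return
        token = secrets.token_urlsafe(32)
        self.pending[email] = (token, self.now() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, token))  # reaches only the mailbox owner

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Step 2: the change happens only with a fresh, unused, matching token."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        expected, expiry = entry
        if self.now() > expiry or not hmac.compare_digest(expected, token):
            return False  # a miss does not burn the token: 256 bits resist guessing
        del self.pending[email]  # single use: the link is dead after success
        self.accounts[email]["pw"] = hash_password(new_password)
        return True
```

The point of the hardened path is that knowing the email address and birthday gets an attacker nothing more than a message sent to a mailbox they do not control.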

CoMMo said,
This is ridiculous. If you know an e-mail address and birthday you can reset the password to a lot of things.

Which is probably why this is not a good idea to use only those two bits of data to reset a password on an account. Companies should require far more and obscure pieces of info to be used.

Lilrich said,
Why don't they reset ALL passwords and security info and email temporary passwords to users?
People who have a PSN account associated with an email that they no longer use/no longer have access to, would then be locked out of PSN.

LordBattleBeard said,
People who have a PSN account associated with an email that they no longer use/no longer have access to, would then be locked out of PSN.

That's their problem, you don't sign up for a long-term service like PSN and use an email address that you'll never use again, that's pure stupidity.

LiquidSolstice said,

That's their problem, you don't sign up for a long-term service like PSN and use an email address that you'll never use again, that's pure stupidity.


Stop being so mean. People forget about such things sometimes, and if it just is a damn account deactivation of some cheapa** service like most free mail services do if you don't log in in-time.

GS:mac

Glassed Silver said,

Stop being so mean. People forget about such things sometimes, and if it just is a damn account deactivation of some cheapa** service like most free mail services do if you don't log in in-time.

GS:mac

I'm not being mean, when you make an account with an email address and it's obvious they're going to use the email address to contact you, and when you decide you want to make purchases on that account, it's your own damn responsibility to remember the password.

Deactivation is a retarded excuse as well, there are too many free email services that don't have deactivation or have extremely long deactivation times.

LiquidSolstice said,

I'm not being mean, when you make an account with an email address and it's obvious they're going to use the email address to contact you, and when you decide you want to make purchases on that account, it's your own damn responsibility to remember the password.

Deactivation is a retarded excuse as well, there are too many free email services that don't have deactivation or have extremely long deactivation times.

I agree. I know if they did the idea you describe, which is the most obvious, a bunch of people would be out of luck because they can't get to their email. This is why people need to be taught basic computer skills in school and at work, if they don't have them. It's a shame.

wixostrix said,

I agree. I know if they did the idea you describe, which is the most obvious, a bunch of people would be out of luck because they can't get to their email. This is why people need to be taught basic computer skills in school and at work, if they don't have them. It's a shame.


Sure is, then again Sony isn't really interested in pi**ing off costumers more than they already do.
So go the safe route for now...
That's all I'm saying...

GS:mac

Is it really an exploit if you need their personal details ?

You can reset my passwords for mail if you know my dob, and favourite pizza place.. But then again that's also how I would recover my password.. so it's not really an exploit just because some people have the information..

Ryoken said,
Is it really an exploit if you need their personal details ?

You can reset my passwords for mail if you know my dob, and favourite pizza place.. But then again that's also how I would recover my password.. so it's not really an exploit just because some people have the information..

If you had all the user data from the first hack, which I'm guessing has the email and date of birth in it.

It could possibly be exploited by resetting the user's password, logging in as that user and changing their email; therefore making the user's account exploited completely locked out

Ryoken said,
Is it really an exploit if you need their personal details ?

You can reset my passwords for mail if you know my dob, and favourite pizza place.. But then again that's also how I would recover my password.. so it's not really an exploit just because some people have the information..


Huh ? It's your email and birthday ... I don't know about you but a lot of people know my email and my birthday, and even if they didn't I don't think it would be too difficult for them to find such information.

DrunkenBeard said,

Huh ? It's your email and birthday ... I don't know about you but a lot of people know my email and my birthday, and even if they didn't I don't think it would be too difficult for them to find such information.

Well let's also consider the fact this info was just acquired by hackers and this little story which in and of itself would not be a huge deal just became another huge gaffe on Sony.

Sony Defenders: hey it's not a big deal you need the person email address and DOB for this hack

Normal human being: Uhh that information was already stolen by hackers so they have your email address and DOB.

Sony Defender: but what about RROD and the Live outage in 2007?

DrunkenBeard said,

Huh ? It's your email and birthday ... I don't know about you but a lot of people know my email and my birthday, and even if they didn't I don't think it would be too difficult for them to find such information.

It was your email and birthday 6 months ago.. It wasn't an exploit then, and it's not now.

You've gotta be able to recover your password, and Sony can't ask you for information they never had access to..

Caleo said,
Is Sony even facing any accountability for all this crap??

Accountability for what? There is nothing any governing body can do for simple incompetence when it isn't actually harming anyone.

Sony is hurting themselves more by doing what they are.

Xenosion said,

Accountability for what? There is nothing any governing body can do for simple incompetence when it isn't actually harming anyone.

Sony is hurting themselves more by doing what they are.


Loss of personal data, credit card numbers, account access.. and an unknown amount of other things - and it's not harming anyone?

Caleo said,

Loss of personal data, credit card numbers, account access.. and an unknown amount of other things - and it's not harming anyone?

Right, but you posted in an article that doesn't have anything to do with those things. Saying "for all this crap" implies that you are including this article which is what I'm debating there is anything to do about.

LiquidSolstice said,

Why, are you outraged at how much you're paying for your free online service?

What does paying for online have to do with anything? Even if no one is paying for it, the fact they store personal info means they have an obligation to keep it safe, which they have not done.

LiquidSolstice said,

Why, are you outraged at how much you're paying for your free online service?

If you take people's information for commercial purposes you have a responsibility to keep it safe.

Oh, and the PSN IS NOT FREE!!!!111111 Its cost is factored into hardware and software prices. how many times does this need to be pointed out before people stop saying "LOLZ OMGZ DA PSN IZ FRWEE!!!1"?