Journalist loses access to PSN account twice due to Sony support verification failure
A French journalist from the Numerama website, Lellouche, lost access to his PlayStation Network (PSN) account twice. Even with two-factor authentication (2FA) and passkeys enabled, the attacker managed to take control of the profile, change its data and make a charge of 9.99 euros.
The attack did not exploit a technological vulnerability, but rather the fragility of the human verification process. Using social engineering, the attacker convinced a PlayStation support agent that he was the real owner of the account, relying on minimal information that the journalist himself had publicly shared years earlier.
The case gained wide attention when Lellouche detailed it on social media, alerting millions of platform users to the risk of losing access to digital game libraries, which often represent significant investments. The repetition of the attack within hours demonstrated a systemic failure in Sony’s ability to identify and block suspicious account recovery activity.

Details of the first invasion
The journalist noticed the intrusion when he received notifications of changes to his sign-in (connection) ID and an unknown charge on his PayPal account, which was linked to PSN. When he tried to access his profile, he discovered that both his email and password had been modified, and that his PlayStation 5 console had been remotely signed out of the account. The hacker, who identified himself as “Derol Bodden” in the platform’s messages, went so far as to remove friends, delete conversations and change personal information in the compromised profile.
Surprisingly, Lellouche managed to establish direct contact with the attacker through PlayStation’s own messaging system. During the conversation, the hacker openly detailed the method used, revealing that Sony support required only a very weak verification to transfer ownership of an account. The information crucial to the scam’s success was a simple transaction ID from an old purchase, which the hacker obtained from a screenshot the journalist had posted publicly in 2023.
The vulnerability in PlayStation’s service
The incident exposes a critical flaw in Sony’s customer service protocols. Social engineering, a psychological manipulation technique used to deceive people and gain access to confidential information, was successfully applied against the company’s support. The support agent accepted a single transaction ID as definitive proof of ownership, without requesting more robust and private verification data, such as the registered date of birth, the serial number of a linked console, or recent purchase history. This practice reflects a security policy that, by making life easier for legitimate users, opens a dangerous loophole for fraudsters. The hacker’s ability to convince support to bypass the strongest digital security measures, such as 2FA and passkeys, shows that the weakest link in the security chain is often the human factor, and that Sony’s support team training procedures are insufficient to mitigate this risk.
The second invasion and systemic failure
After a long process with support, Lellouche was able to regain access to his account. He immediately reset the password, reactivated all security measures and checked for any inappropriate changes. However, the feeling of relief was short-lived.
In less than an hour, the hacker repeated exactly the same procedure. He contacted PlayStation support again, used the same social engineering technique and the same transaction ID to, once again, take control of the account. Sony’s system did not issue any alert or block, even when faced with two account recovery requests for the same user within a few hours, which constitutes highly suspicious activity.
How hackers obtain this information
The attackers’ main weapon in this type of scam is the information that users themselves share publicly. Hackers constantly monitor social networks, gaming forums and websites for screenshots or posts that may contain sensitive data.
Images that celebrate winning a trophy, show a new purchase on PlayStation
This data, which seems harmless to the average user, is a piece of a puzzle for criminals. Once they have the username and verification data, such as a purchase ID, they have what they need to start the support handling process.
Other information, such as serial numbers of old consoles sold or partial credit card data mentioned in old posts, can also be collected and used to give more credibility to the story told to the support agent, making defense against this type of attack extremely difficult.
Recommendations for protecting your PSN account
While activating all digital security tools, such as two-step authentication, is essential, this case proves that they are not infallible against human process failures. The most effective protection starts with raising awareness about the privacy of information shared online. It is crucial to avoid publicly posting any images or text that contain data associated with your PlayStation account, including confirmation emails, invoices, transaction IDs, or hardware serial numbers.
An additional security measure is to unlink direct payment methods, such as credit cards, from your PSN account. Instead, users can choose to use prepaid cards (gift cards) or digital wallet services such as PayPal, which add an extra layer of protection and limit financial loss in the event of a successful hack. Keeping email and app notifications enabled for any account changes is also vital, as it allows for a faster reaction to try to reverse the damage.
Repercussion and concern in the community
Lellouche’s detailed account quickly spread across gaming forums and social media, generating a wave of concern among the platform’s players. Many expressed concern about the security of their accounts, which house hundreds or even thousands of reais in games and digital content accumulated over years, questioning the effectiveness of Sony’s protection policies and the concept of digital property when access can be lost in such a simple way.
History of problems on the platform
This is not an isolated event in the history of PlayStation Network. Reports of accounts stolen through social engineering tactics against official support emerge periodically, often targeting high-value profiles such as those of trophy hunters or those with rare and extensive game libraries. These profiles are often sold on underground markets on the internet for considerable amounts, fueling an illegal economy around digital assets.
Despite recurring incidents, Sony continues to face criticism for not implementing more rigorous and multifactorial verification processes in its human service, such as requiring security phrases or analyzing access and geolocation patterns before authorizing critical changes. The company has not issued an official statement on the specific case of the French journalist, which increases the gaming community’s apprehension about the security of their digital investments on the platform.
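The two process failures the article describes (a critical change approved on a single, publicly leakable transaction ID, and a second recovery request on the same account within hours raising no alert) are both detectable on the support desk's own side. The following is an added illustration written for this page, not Sony's code or any description of its systems; the log format, field names and the list of proof types are assumptions, and the log lines are constructed. It scores each support-initiated recovery request against two rules: was at least one private factor checked, and is this a repeat request inside a short window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Proof types a support agent might record (assumed names, not Sony's).
# A transaction ID can appear in a public screenshot; the others are the
# private checks the article says should have been required.
PUBLICLY_LEAKABLE = {"transaction_id"}
PRIVATE_FACTORS = {"date_of_birth", "console_serial", "recent_purchase_history"}

# Two recovery requests on one account inside this window are escalated.
REPEAT_WINDOW = timedelta(hours=24)


@dataclass
class RecoveryRequest:
    ts: datetime
    account: str
    change: str         # e.g. "ownership_transfer", "password_reset"
    proofs: Set[str]    # proof types the agent actually verified
    agent: str


@dataclass
class Alert:
    account: str
    rule: str
    detail: str


def parse_line(line: str) -> RecoveryRequest:
    """Parse one constructed support log line.
    Assumed format: ISO-time|account|change|proof1+proof2|agent"""
    ts, account, change, proofs, agent = line.strip().split("|")
    return RecoveryRequest(datetime.fromisoformat(ts), account, change,
                           {p for p in proofs.split("+") if p}, agent)


def check_verification_strength(req: RecoveryRequest) -> Optional[Alert]:
    """Rule 1: no private factor was checked before a critical change."""
    if not (req.proofs & PRIVATE_FACTORS):
        return Alert(req.account, "weak_verification",
                     f"{req.change} at {req.ts.isoformat()} by {req.agent} "
                     f"verified on {sorted(req.proofs)} only; "
                     f"require one of {sorted(PRIVATE_FACTORS)}")
    return None


def check_repeat_recovery(requests: List[RecoveryRequest]) -> List[Alert]:
    """Rule 2: a second recovery request on the same account inside REPEAT_WINDOW."""
    alerts: List[Alert] = []
    last_seen: Dict[str, RecoveryRequest] = {}
    for req in sorted(requests, key=lambda r: r.ts):
        prev = last_seen.get(req.account)
        if prev is not None and req.ts - prev.ts <= REPEAT_WINDOW:
            alerts.append(Alert(req.account, "repeat_recovery",
                                f"{req.change} at {req.ts.isoformat()} follows "
                                f"{prev.change} at {prev.ts.isoformat()}; hold for review"))
        last_seen[req.account] = req
    return alerts


def analyse(lines: List[str]) -> List[Alert]:
    """Run both rules over raw log lines and return every alert raised."""
    reqs = [parse_line(l) for l in lines if l.strip()]
    alerts = [a for a in (check_verification_strength(r) for r in reqs) if a]
    alerts += check_repeat_recovery(reqs)
    return alerts


# Constructed sample log: user_a mirrors the article's pattern (two ownership
# transfers hours apart, each on a transaction ID alone); the others are clean.
SAMPLE_LOG = """
2025-01-10T09:02:00|user_a|ownership_transfer|transaction_id|agent17
2025-01-10T15:40:00|user_a|ownership_transfer|transaction_id|agent22
2025-01-10T16:05:00|user_b|password_reset|date_of_birth+console_serial|agent17
2025-01-03T11:00:00|user_c|email_reset|transaction_id+recent_purchase_history|agent05
"""

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{alert.rule}] {alert.account}: {alert.detail}")
```

On the sample log the first rule fires twice for user_a (each transfer was approved on the transaction ID alone) and the second rule fires once (the 15:40 transfer follows the 09:02 one inside the window); user_b and user_c raise nothing because a private factor was checked and their requests are isolated. Either alert would be a reason to pause the change and escalate rather than complete it.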