Two-factor authentication is supposed to protect your account. Passkeys are meant to be unhackable. PlayStation Network offers both security features, and French tech journalist Nicolas Lellouche enabled them on his PSN account. It didn’t matter. A hacker took over his account twice in a matter of hours, changed the email and password, and made fraudulent purchases – all without ever needing Lellouche’s 2FA code or passkey.
The method is shockingly simple and represents a fatal flaw in Sony’s security systems. As Lellouche discovered after contacting the hacker directly, all you need to hijack a PSN account is the username and a transaction ID from any past purchase. Armed with just those two pieces of information, anyone can contact PlayStation support, pretend to be the account owner, and gain full access. No 2FA required. No email verification. No additional identity checks.

How the Hack Happened
Lellouche’s nightmare began when he suddenly lost access to his PlayStation account. The hacker had changed both the email address and password associated with the account, effectively locking out the legitimate owner. Worse, the intruder immediately charged €9.99 to Lellouche’s connected PayPal account before the journalist could react.
Lellouche acted quickly, disputing the fraudulent charge and contacting PlayStation support to regain access. The support team helped him recover the account, restoring his email and password. Problem solved, right? Not even close. Within an hour, the hacker struck again, seizing control of the account for a second time using the exact same method.
Frustrated and desperate for answers, Lellouche did something unusual – he contacted the hacker directly by messaging the hijacked account. After some initial mockery, the hacker turned cooperative and explained exactly how the breach worked. The technique was disturbingly straightforward.
The hacker had found an old screenshot Lellouche posted on Twitter back in 2023 showing a PlayStation transaction. That screenshot contained a transaction ID, one of many alphanumeric codes Sony generates for every purchase. Combined with Lellouche’s publicly known PSN username, the hacker had everything needed to social engineer PlayStation’s customer support.
By contacting PlayStation support and providing the username plus the old transaction ID, the hacker convinced support staff they were the legitimate account owner. Support then granted full access, allowing the hacker to change the email, password, and security settings. The entire security infrastructure – 2FA, passkeys, email verification – became irrelevant because customer support bypassed everything based on minimal information.
Why This Is So Dangerous
Transaction IDs are not secret information. Many PlayStation users share screenshots of their purchases on social media to show off new games, complain about pricing, or discuss digital receipts. Others post images that inadvertently include transaction details in the background. Email receipts forwarded to friends, shared in Discord servers, or posted in forums can all leak transaction IDs.
Usernames are even easier to obtain. They’re visible to anyone you play with online, appear in public leaderboards, show up in friends lists, and get shared across gaming communities. If you’ve ever played multiplayer, joined a clan, or participated in online discussions, your PSN username is public knowledge.
The security flaw gets worse. According to reports, PlayStation support will also accept other pieces of easily obtainable information as verification. The last few digits of a payment card, the serial number of a console, or other transaction details can all serve as proof of ownership. None of these pieces of information are particularly difficult for determined attackers to find or guess.
Lellouche’s experience suggests the vulnerability is systemic and has been exploited repeatedly. After he published his story, other users contacted him with similar experiences. Some reported losing accounts permanently because hackers repeatedly reclaimed them through customer support faster than legitimate owners could secure them. The cycle becomes endless – recover account, hacker contacts support with stolen info, account seized again.
The Customer Support Problem
The root issue lies in PlayStation’s customer support verification process. When someone contacts support claiming they’ve been locked out of their account, support staff need to verify the person’s identity. In theory, this makes sense – legitimate users do get locked out and need help recovering access.
But the verification requirements are far too weak. A username and transaction ID should never be sufficient to grant account access, yet that’s precisely what PlayStation support accepts. There’s no check to see if the person contacting support has access to the email address currently associated with the account. There’s no requirement to verify the request through 2FA. There’s no delay period allowing the legitimate owner to contest the change.
Support staff appear to follow a checklist – provide username, provide transaction ID or other basic info, gain access. The process likely exists to help users who genuinely need assistance, but it creates a massive security vulnerability that attackers exploit ruthlessly. One Reddit user who experienced a similar hack described PlayStation support as giving their account “back to the hackers” after initially helping them recover it.
This Isn’t New
PlayStation’s security problems have a long and troubled history. The most infamous incident occurred in 2011 when hackers breached PlayStation Network, compromising 77 million accounts and forcing Sony to shut down PSN for nearly a month. That breach exposed names, addresses, email addresses, birth dates, and possibly credit card information for millions of users.
In 2023, Sony suffered multiple data breaches within months. A May 2023 breach exploiting the MOVEit Transfer vulnerability exposed personal information of approximately 6,800 current and former employees. Another breach in September 2023 saw attackers claim to have stolen internal data from Sony’s systems, though the company later said the breach was limited to a single test server.
But this customer support vulnerability represents something different and arguably more dangerous. Previous breaches involved external attackers exploiting technical vulnerabilities or using malware. This flaw involves Sony’s own support processes creating an avenue for account takeover. The company is essentially helping hackers steal accounts by accepting insufficient verification.
Similar customer support vulnerabilities have plagued the gaming industry before. Steam, Xbox, and various other services have all faced criticism for support staff granting account access based on weak verification. The difference is that most companies recognized these issues and strengthened their verification processes. PlayStation appears to still rely on dangerously inadequate security checks.
What Users Can Do (Sort Of)
The frustrating reality is that individual users have limited options to protect themselves from this vulnerability. All the standard security advice – enable 2FA, use strong passwords, add a passkey – means nothing when customer support bypasses everything.
Some basic precautions can reduce risk. Never share screenshots containing transaction IDs publicly. Be cautious about posting purchase receipts on social media. Check email forwards and Discord messages for transaction details before sharing. Review old social media posts for any images that might inadvertently expose transaction information.
Consider using privacy-focused payment methods rather than linking PayPal or credit cards directly. While this won’t prevent account hijacking, it limits the financial damage attackers can cause once they gain access. Remove stored payment methods entirely if you’re particularly concerned, though this reduces convenience significantly.
Monitor your account activity regularly. Check recent transactions, login history, and connected devices. If something looks suspicious, act immediately – change passwords, contact support, and dispute any fraudulent charges with your payment provider before PlayStation can claim the money is lost.
The harsh truth is that users shouldn’t need to implement elaborate workarounds to compensate for PlayStation’s inadequate security. Two-factor authentication exists specifically to prevent unauthorized access. Sony offers 2FA and passkeys, actively encourages users to enable them, then undermines those protections by allowing support staff to bypass them based on minimal verification.
Sony’s Silence
As of late December 2024, Sony has not publicly addressed the customer support verification flaw. The company hasn’t issued a statement acknowledging the problem, announced changes to support procedures, or provided guidance to users concerned about account security.
This silence is concerning. The issue has garnered attention across gaming media and social platforms. Multiple users have come forward with similar experiences. The vulnerability is now public knowledge, meaning more attackers will attempt to exploit it. Sony’s lack of response suggests either ignorance of the problem’s severity or unwillingness to acknowledge a systemic flaw in their support processes.
Fixing this vulnerability requires fundamental changes to how PlayStation support handles account recovery requests. Support staff need access to better verification tools. The system should automatically send notifications to the currently registered email address before making any account changes. Requests to change emails or passwords should require 2FA verification or a waiting period allowing legitimate owners to contest changes.
These aren’t revolutionary concepts. Many online services implement similar protections specifically to prevent social engineering attacks on customer support. Sony has the resources and technical expertise to build better verification systems. The question is whether the company recognizes the urgency or will wait until a high-profile incident forces action.
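To make the missing checks concrete, here is an added example (not Sony’s code, and not based on any knowledge of PlayStation’s internal systems) that models a recovery flow with the three safeguards the article asks for: the current address is notified first and gets a token that blocks the change, nothing is applied until a hold period ends, and a valid code from the enrolled second factor is the only way to shortcut the wait. The `weak_recover` function beside it captures the pattern described earlier, where a matching transaction ID alone rebinds the account. The account data, transaction IDs, TOTP secret and 72-hour hold are all constructed placeholder values; the notifier is an in-memory stand-in for a mail service.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed cooling-off window (hypothetical value) before an unverified recovery request takes effect.
HOLD_SECONDS = 72 * 3600


@dataclass
class Account:
    username: str
    email: str
    totp_secret: bytes | None = None   # None when the user has not enabled 2FA


@dataclass
class RecoveryRequest:
    username: str
    new_email: str
    created_at: float
    contest_token: str
    status: str = "pending"            # pending | contested | applied


class Notifier:
    """Stand-in for the mail service: records messages so the flow can be checked offline."""
    def __init__(self) -> None:
        self.sent: list[tuple[str, str]] = []

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def totp_code(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app would show at time `at`."""
    counter = int(at // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float) -> bool:
    # Accept the current step and one step either side to absorb clock drift.
    return any(hmac.compare_digest(totp_code(secret, at + d), code) for d in (-30, 0, 30))


def weak_recover(accounts: dict, username: str, claimed_txn: str, known_txns: dict, new_email: str) -> bool:
    """The pattern the article describes: a matching transaction ID alone rebinds the account."""
    if claimed_txn in known_txns.get(username, ()):
        accounts[username].email = new_email   # applied at once; the current owner is never consulted
        return True
    return False


class RecoveryService:
    """Recovery that keeps the enrolled second factor and the current owner in the loop."""
    def __init__(self, accounts: dict, notifier: Notifier, hold_seconds: int = HOLD_SECONDS, clock=time.time):
        self.accounts, self.notifier, self.hold, self.clock = accounts, notifier, hold_seconds, clock
        self.requests: dict[str, RecoveryRequest] = {}

    def open_request(self, username: str, new_email: str, totp_code_given: str | None = None):
        """Support calls this after the usual ticket details (e.g. a transaction ID) are supplied.
        Those details are not secret, so they only open a request; they never apply a change."""
        acct = self.accounts[username]
        if acct.totp_secret and totp_code_given and verify_totp(acct.totp_secret, totp_code_given, self.clock()):
            acct.email = new_email              # caller proved possession of the second factor
            return "applied", ""
        req_id = secrets.token_urlsafe(8)
        token = secrets.token_urlsafe(16)
        self.requests[req_id] = RecoveryRequest(username, new_email, self.clock(), token)
        # The CURRENT address is told first and receives a token that blocks the change.
        self.notifier.send(acct.email, f"Recovery requested; contest with token {token}")
        return "pending", req_id

    def contest(self, token: str) -> bool:
        for req in self.requests.values():
            if req.status == "pending" and hmac.compare_digest(req.contest_token, token):
                req.status = "contested"
                return True
        return False

    def apply_pending(self, req_id: str) -> str:
        req = self.requests[req_id]
        if req.status != "pending":
            return req.status
        if self.clock() < req.created_at + self.hold:
            return "waiting"                    # hold period not over yet
        acct = self.accounts[req.username]
        old_email, acct.email, req.status = acct.email, req.new_email, "applied"
        self.notifier.send(old_email, f"Recovery applied; contact address is now {req.new_email}")
        return "applied"
```

The design point is that everything a caller can recite over the phone (username, receipt details, card digits) is treated as enough to open a ticket but never enough to act on it; only possession of the second factor or the uncontested passage of time moves the request forward, and the current owner hears about it before anything changes.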
Frequently Asked Questions
Can hackers really bypass PlayStation’s 2FA?
Yes, but not by breaking 2FA directly. Hackers exploit PlayStation’s customer support by providing a username and transaction ID, which support staff accept as sufficient verification to grant account access. This bypasses 2FA entirely because support doesn’t require 2FA verification during account recovery.
What information do hackers need to steal a PSN account?
According to the French journalist who was hacked, attackers only need a PSN username and a transaction ID from any past purchase. PlayStation support may also accept the last digits of a payment card, console serial numbers, or other basic account information as verification.
How do hackers get transaction IDs?
Many users inadvertently share transaction IDs by posting purchase screenshots on social media, sharing receipts in Discord servers, or including transaction details in forum posts. Old tweets, Facebook posts, or Reddit comments can contain transaction information that attackers search for and exploit.
What should I do if my PSN account is hacked?
Immediately contact PlayStation support to report the unauthorized access. Dispute any fraudulent charges with your payment provider. Change your password and enable 2FA if possible. However, be aware the hacker may be able to reclaim the account by contacting support with stolen transaction information.
Has Sony responded to this security flaw?
As of late December 2024, Sony has not publicly addressed the customer support verification vulnerability. The company has not issued statements, announced changes to support procedures, or provided security guidance regarding this specific issue.
Are other gaming platforms vulnerable to similar attacks?
Customer support social engineering attacks can affect any online service. However, most major platforms have implemented stronger verification procedures after previous incidents. PlayStation appears to be particularly vulnerable due to accepting insufficient information for account recovery.
Can I delete my transaction history to prevent this?
No, you cannot delete transaction history from PlayStation’s systems. The records exist on Sony’s servers regardless of what you see on your account. The best protection is never sharing screenshots or information containing transaction IDs publicly.
Should I remove payment methods from my PSN account?
Removing stored payment methods won’t prevent account hijacking but limits financial damage if your account is compromised. Hackers won’t be able to make fraudulent purchases without adding their own payment method first, potentially giving you time to notice and respond.
The Bigger Picture
This vulnerability highlights a broader problem in the gaming industry – the disconnect between security theater and actual security. Companies implement 2FA, passkeys, and encryption, then create backdoors through customer support that undermine those protections completely.
Users trust that enabling security features actually secures their accounts. When companies market 2FA and passkeys as account protection, users reasonably assume those measures prevent unauthorized access. Discovering that support staff can grant access by bypassing security measures destroys that trust and raises questions about what other vulnerabilities exist.
For Sony specifically, this incident compounds existing concerns about the company’s commitment to user security. Between the 2011 breach, the 2023 employee data exposures, and now this customer support flaw, PlayStation users have legitimate reasons to question whether their accounts and data are adequately protected.
The solution isn’t complicated. Sony needs to implement proper verification for account recovery requests, require notification to registered emails before making changes, and create systems that respect the security measures users have enabled. These are standard industry practices that other companies successfully implement.
Until Sony addresses this vulnerability, every PSN account remains at risk regardless of security settings. The hacker who compromised Lellouche’s account called it “a fatal security flaw with Sony’s security systems.” That assessment appears entirely accurate. The question is whether Sony will fix it before more users lose access to their accounts, game libraries, and personal information.
If you’re a PlayStation user, scrub your social media history for any purchase screenshots. Never share transaction details publicly. Monitor your account regularly. And hope Sony takes this seriously before your account becomes the next one hijacked through their own support system.