PSN Security Flaw Could Put Millions of PlayStation Accounts at Risk


A recent incident involving a French tech journalist has raised serious questions about how PlayStation Network verifies account ownership during recovery requests, exposing what some experts and users believe is a dangerous weakness in Sony’s support procedures.

Early reports implied that PlayStation accounts could be directly compromised even with two-factor authentication and passkeys, but closer examination shows the real issue lies in weaknesses within the account recovery process handled by customer support.

Who Was Affected and How Did the Account Takeover Happen?

The case was first detailed by a journalist from Numerama, who reported that his PSN account was taken over twice within a matter of hours.

[Image: PlayStation. Credit: Sony]

This occurred despite the account being protected by a strong password, 2FA, and a passkey tied to biometric authentication.

In both instances, the attacker changed the account’s login email, made a small paid change to the username, and effectively locked the original owner out of all connected PlayStation services, including consoles and mobile apps.

Why Was the Recovery Process Seen as the Core Issue?

The most alarming aspect was how little information was needed to seize control of the account, with PlayStation support allegedly accepting just a PSN username and a past invoice transaction number over the phone.

[Image: PlayStation. Credit: Sony]

No password verification, email confirmation, 2FA code, or passkey prompt was required. Within minutes, the account was restored to its owner.

However, shortly after, the attacker used the same recovery process to reclaim the account, suggesting that the same verification method could be reused repeatedly without triggering internal safeguards.

The journalist later communicated directly with the attacker, who claimed the account takeover relied entirely on information that had been publicly accessible.

According to the explanation, a transaction number had been visible in a screenshot the journalist had previously shared online, believing it to be harmless.

Armed with that number and the public username, the attacker was allegedly able to impersonate the account owner during recovery requests and repeatedly convince PlayStation support to reassign the account.

Is This a Security Flaw or a Case of Social Engineering?

The incident quickly became a point of contention across gaming communities, with critics describing it as a straightforward case of social engineering facilitated by user error and reiterating that transaction numbers should always remain confidential.

[Image: PlayStation. Credit: Sony]

From this perspective, the attacker did not defeat PlayStation’s security systems so much as exploit the account holder’s mistake, something that could happen on almost any online platform.

Others strongly disagreed, pointing out that modern multi-factor authentication exists precisely to prevent account takeovers even when personal or financial information is exposed.

Security professionals noted that transaction numbers, emails, and usernames all fall into the same category of “knowledge-based” information.

If passkeys and 2FA can be overridden without device access, biometric validation, or email confirmation, the fundamental value of multi-factor authentication is compromised.

Several critics also questioned why multiple recovery attempts on the same account within a short time window did not raise red flags or prompt stricter identity checks.
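The two objections raised above, that knowledge-based data should never stand in for a possession factor and that repeated recovery attempts on one account within a short window should trigger stricter checks, can be expressed as a small policy check on the support side. The following is an added illustration written for this page; it is not Sony's or PlayStation's code, and the factor names, the account identifier, the timestamps and the 24-hour window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Factor classes (assumed names). Anything readable off a public profile, a
# screenshot or an invoice is "knowledge"; only factors that need the enrolled
# device or mailbox count as "possession".
KNOWLEDGE_FACTORS = frozenset({"username", "email", "transaction_id"})
POSSESSION_FACTORS = frozenset({"totp_code", "passkey_assertion", "email_link_clicked"})


@dataclass(frozen=True)
class RecoveryRequest:
    account: str          # account identifier (constructed sample values below)
    at: datetime          # when support received the request
    evidence: frozenset   # factor names the requester actually satisfied


def has_possession_proof(req: RecoveryRequest) -> bool:
    """True only if at least one possession factor was satisfied."""
    return bool(req.evidence & POSSESSION_FACTORS)


def prior_attempts(history, account, now, window):
    """Count earlier recovery requests for the same account inside `window`."""
    return sum(1 for h in history
               if h.account == account and now - window <= h.at < now)


def evaluate(req, history, window=timedelta(hours=24), max_prior=0):
    """Return (decision, reasons); decision is 'allow', 'escalate' or 'deny'.

    Knowledge-only evidence is denied outright. Possession proof is accepted,
    but any earlier attempt inside the window escalates to manual review
    instead of reassigning the account on the spot.
    """
    reasons = []
    possession = has_possession_proof(req)
    if not possession:
        known = ", ".join(sorted(req.evidence & KNOWLEDGE_FACTORS)) or "nothing"
        reasons.append(f"knowledge-only evidence: {known}")
    repeats = prior_attempts(history, req.account, req.at, window)
    if repeats > max_prior:
        reasons.append(f"{repeats} earlier recovery attempt(s) within {window}")
    if not possession:
        return "deny", reasons
    if repeats > max_prior:
        return "escalate", reasons
    return "allow", reasons


# Constructed sample: the sequence described in the article, with made-up times.
T0 = datetime(2025, 1, 1, 9, 0)
SAMPLE_HISTORY = [
    # attacker: public username plus a transaction id from a screenshot
    RecoveryRequest("journalist_psn", T0, frozenset({"username", "transaction_id"})),
    # owner wins the account back an hour later with the same kind of evidence
    RecoveryRequest("journalist_psn", T0 + timedelta(hours=1),
                    frozenset({"username", "transaction_id"})),
]


def run_sample():
    """Evaluate each request against the history that existed at that moment."""
    decisions = [evaluate(r, SAMPLE_HISTORY[:i])[0] for i, r in enumerate(SAMPLE_HISTORY)]
    # attacker tries again with the same knowledge-only evidence
    third = RecoveryRequest("journalist_psn", T0 + timedelta(hours=2),
                            frozenset({"username", "transaction_id"}))
    decisions.append(evaluate(third, SAMPLE_HISTORY)[0])
    # owner proves mailbox possession, but two attempts already sit in the window
    fourth = RecoveryRequest("journalist_psn", T0 + timedelta(hours=3),
                             frozenset({"username", "email_link_clicked"}))
    decisions.append(evaluate(fourth, SAMPLE_HISTORY)[0])
    # unrelated account, passkey assertion, no history: allowed
    fifth = RecoveryRequest("other_account", T0, frozenset({"passkey_assertion"}))
    decisions.append(evaluate(fifth, SAMPLE_HISTORY)[0])
    return decisions


if __name__ == "__main__":
    for d in run_sample():
        print(d)
```

Under this policy every request in the article's sequence is refused, because none of them carried anything an attacker could not also have obtained, and the first legitimate possession-backed request still lands in manual review rather than an instant reassignment, which is the behaviour the critics quoted above were asking for.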

How Widespread Could the Risk Potentially Be?

The potential scale of the issue is what makes the situation especially concerning. PSN usernames are inherently public, and transaction identifiers can exist in emails, payment records, screenshots, or cloud backups.

[Image: Sony]

If support systems consistently accept this information as sufficient proof of ownership, then accounts with large digital libraries could theoretically be vulnerable even without a traditional password breach.

While there is no evidence of a mass automated exploit, the incident highlights how recovery processes can become a weak point when convenience outweighs security.

By the end of the ordeal, PlayStation reportedly escalated the case, temporarily suspended the affected account, and requested far more detailed identity verification, including original account information and personal details.

This suggests that stricter safeguards do exist, but may not be consistently applied during initial recovery attempts.

As of the latest updates, the journalist was still awaiting a final resolution, and Sony has not publicly addressed whether changes to its recovery procedures are planned.

For more like this, stick with us here at Gfinityesports.com, the best website for gaming news.