Sony pwned yet again by password exploit

Can you say massive fail? Yes, Sony has apparently taken down its PlayStation Network password reset page after a rather basic exploit was discovered in the wild.

How basic, you ask?

Well, the exploit reportedly allowed unauthorized individuals to reset account passwords using only an e-mail address and a date of birth.

Unfortunately, as you may recall, this information was stolen by cyber criminals during a recent hack and extract operation against the Japan-based corporation.

The exploit was first reported by Nyleveia, and later confirmed by Metalmurphy of NeoGAF.

“This guy on Twitter claimed there was an exploit on the password recovery page that allowed anyone with a matching PSN login address and date of birth to change your password without you confirming it. Personally, I didn’t believe him [but] gave him my login and DOB. He didn’t reply for a long time so I went to sleep. This morning however I got 2 emails.

“The first one is saying that someone had requested to change my password, and that I needed to click the confirmation link to continue. All normal for now, supposedly only people with access to the login address can change it then. HOWEVER the second email is a confirmation that the password was changed and I never clicked the confirmation link… So yeah… my password was successfully changed by someone else.”
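The failure Metalmurphy describes is a reset flow in which the confirmation e-mail goes out but nothing actually waits for it: knowledge of an e-mail address and a date of birth, both of which had just been exfiltrated, is enough to complete the change. The Python below is an added illustration written for this article, not Sony's code and not a reconstruction of the specific URL flaw; the account store, the function and class names, the token format and the 15-minute lifetime are all assumptions chosen for the example. It places the flawed shape of the flow next to a hardened one in which the e-mail/DOB pair can only *start* a reset, and the change is applied only after a random, hashed-at-rest, single-use, expiring token is presented back.

```python
import hashlib
import hmac
import secrets
import time

# Demo hashing only: a production system would use a slow, salted KDF
# (scrypt, bcrypt, Argon2). Kept simple so the reset logic stays in focus.
def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def make_accounts() -> dict:
    # Constructed sample account; the address and DOB are illustrative, not real data.
    return {
        "player@example.com": {"dob": "1985-04-12", "password": hash_password("old-secret")},
    }


# --- Flawed flow (assumed shape): confirmation mail is sent, but the reset
# --- is applied immediately, so the link in that mail is decorative.
def flawed_reset(accounts: dict, email: str, dob: str, new_password: str, outbox: list) -> bool:
    acct = accounts.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    outbox.append(f"To {email}: click the link to confirm your password reset")
    # Defect: the password changes here, before anyone has clicked anything.
    acct["password"] = hash_password(new_password)
    outbox.append(f"To {email}: your password has been changed")
    return True


# --- Hardened flow: e-mail + DOB may only open a pending reset; completing it
# --- requires a secret the requester cannot derive from leaked account data.
RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for the example


class ResetService:
    def __init__(self, accounts: dict, now=time.time):
        self.accounts = accounts
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # email -> (sha256(token), expires_at)

    def request_reset(self, email: str, dob: str):
        """Return the raw token to be e-mailed, or None. Callers should respond
        identically in both cases so the endpoint does not reveal valid addresses."""
        acct = self.accounts.get(email)
        if acct is None or acct["dob"] != dob:
            return None
        token = secrets.token_urlsafe(32)                      # 256 bits of randomness
        token_hash = hashlib.sha256(token.encode()).hexdigest()  # only the hash is stored
        self.pending[email] = (token_hash, self.now() + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        entry = self.pending.get(email)
        if entry is None:
            return False                                        # nothing was requested
        token_hash, expires_at = entry
        if self.now() > expires_at:
            del self.pending[email]                             # stale request is discarded
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, token_hash):      # constant-time compare
            return False
        del self.pending[email]                                 # single use: consumed on success
        self.accounts[email]["password"] = hash_password(new_password)
        return True


if __name__ == "__main__":
    outbox = []
    weak = make_accounts()
    flawed_reset(weak, "player@example.com", "1985-04-12", "anything", outbox)
    print("flawed flow changed password without confirmation:",
          weak["player@example.com"]["password"] == hash_password("anything"))

    svc = ResetService(make_accounts())
    token = svc.request_reset("player@example.com", "1985-04-12")
    print("guessing a token fails:", svc.complete_reset("player@example.com", "guess", "x"))
    print("real token succeeds:", svc.complete_reset("player@example.com", token, "new-secret"))
    print("token is single-use:", svc.complete_reset("player@example.com", token, "again"))
```

The point of the split is that the two checks answer different questions. Matching e-mail and DOB says "someone who knows public-ish facts about this account is asking"; presenting the token says "whoever controls the mailbox approved it". Applying the change on the first answer alone, as the flawed function does, makes the confirmation mail a courtesy notice rather than a control, which is exactly the sequence of two e-mails described above.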

Although Sony has officially confirmed the exploit, veteran spinner Patrick Seybold took pains to note that the network hadn’t been hacked yet again.

“[Yes], we temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting passwords there was a URL exploit that we have subsequently fixed,” Seybold clarified in a PSN blog post.

“Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.”

D’oh!