
PSN Account with 2FA Hacked - Make sure you switch from SMS to Authenticator App



3 minutes ago, gooner4life said:

Everything had been migrated off of that email address. Virgin Media told me that the email account would be closed (90 days after I ceased the services) 2.5 years ago, when I closed my mum's account after she passed away. It's the flaw in Sony's chat bot that allowed the thief to get in; it was definitely via the bot, as it happened at 00:50 and Sony's customer care are closed. The only thing that does work at that time of night is the chat bot.


First of all I’d be absolutely livid that Virgin were holding onto that data for way longer than necessary, which allowed access to old transaction emails (that’s from my GDPR e-learning module at work, which I passed by clicking Next repeatedly and guessing the answers).

21 minutes ago, Freeman said:

As for the GDPR thing, I'd say the owner of the account is the person who can log in etc.


Ownership of the account doesn't transfer to the hacker just because they can log in.

I think the real GDPR issue is that @gooner4life's details were disclosed, not that some probably random address was left on the account. If it was actually the hacker's, or a 3rd party's who purchased it, more fool them; they'll need to take it up with Sony lol.
4 minutes ago, scoobysi said:


Ownership of the account doesn't transfer to the hacker just because they can log in.

I think the real GDPR issue is that @gooner4life's details were disclosed, not that some probably random address was left on the account. If it was actually the hacker's, or a 3rd party's who purchased it, more fool them; they'll need to take it up with Sony lol.

That's the problem though, isn't it. The ownership of the account actually isn't relevant from a GDPR perspective; it's the ownership of the data, or more accurately, the privacy of the data subject. The 3rd party (or indeed the hacker) have input their details to Sony's system. Sony's system shouldn't disclose that data to anyone but the person to whom it belongs. Their controls to limit that access are the login credentials, except they circumvented these controls by allowing someone else to access the account. Twice. Once with the initial hack, and once with the return to gooner.

 

Whilst I very much feel for gooner, his isn't the real issue for me.  The whole experience shows that Sony('s customer service operators or chatbots...) aren't trained to a level where they think about this stuff, but instead make it too easy for others to gain access to potentially any account.

The stuff gooner went through with console serial numbers is really cool, and shows they have some innovative and sensible ways to look into and validate the claims of the person on the phone, but the whole scenario shows that they don't always use them, or perhaps they are trying to be too clever and have too many ways to validate, including using defunct data from years ago.
42 minutes ago, Kryptonian said:
23 hours ago, Thor said:

Isn't it also possible that the guy whose address was left on the account is merely the numpty who bought it, and not the cunt who did the hack?

55 minutes ago, Freeman said:

Also, everyone seems to be assuming that the name and address that was left on the account is the hacker.

Oops, sorry Thor!


Further response to Sony today after I questioned whether the SIX email addresses used after my account was compromised could be used in a similar way to compromise it again.

This does put my mind at ease that they won't be able to compromise it again in the future.

Short snippet of the email.

Sony said - However, to prevent this again, moving forward, we have enabled a protected status on your account which will prevent the chat bot being used in future. This status will not impact your ability to self-manage the account while logged in. However, should you encounter any issues in future, don't hesitate to get back in touch with me.


Well that begs the question of why such protection isn't active for all accounts by fucking default, because they're, you know, paying customers.

Edit: I'm happy you got it sorted of course, I'm just amazed that they're handling it this way. "Thank you for alerting us about this loophole. You'll be glad to know that we closed it for your account, but kept it open for all others."


It's shit, but they don't believe it's a loophole. This is how they signed off the email. I'm still in contact with their escalation team; I warned him I'm going to be a pain in the arse.

"I do understand this has been a disappointing experience; however, without access to the original sign-in ID and therefore sufficient information to pass our verification process, the compromise in this case would not have been possible. It was necessary for us to verify you as the owner of the data before we could take further action at your request, as we could potentially have revoked access from a legitimate owner of the account."


Not to argue with you personally, but Sony's logic seems rather flawed. Allowing a chatbot to turn off 2FA based on an old, no longer used email address and an ancient invoice sounds like a loophole to me. PSN has been around for, what, 15 years now? The notion that more people have switched email in that period is not unthinkable (I have, but the old address is still in use - been on PSN since day 1). Just not allowing a bot to turn off 2FA without human intervention/verification seems like the minimum action to undertake here.
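The recovery policy the last few posts argue for (no automated 2FA removal, no reliance on years-old records such as an old invoice, and a protected flag that keeps the chatbot off an account entirely) sketched as a small policy model. This is an added illustration written for this thread from the defender's side; it is not Sony's code and not anything the posters wrote. The channel names, evidence kinds, the one-year freshness threshold and the dates in the replayed scenario are all assumptions.

```python
# Added illustration of an account-recovery policy; not Sony's system.
# Every channel, evidence kind, threshold and date below is an assumption.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Channel(Enum):
    CHATBOT = "chatbot"          # automated; the only channel open at 00:50
    HUMAN_AGENT = "human_agent"  # staffed support line
    LOGGED_IN = "logged_in"      # self-service inside an authenticated session


class Action(Enum):
    DISABLE_2FA = "disable_2fa"
    CHANGE_SIGNIN_ID = "change_signin_id"
    RESET_PASSWORD = "reset_password"


# Actions that, once granted, hand the account over outright.
SENSITIVE = {Action.DISABLE_2FA, Action.CHANGE_SIGNIN_ID}
# Records older than this are "defunct data from years ago" and are ignored (assumed threshold).
MAX_EVIDENCE_AGE = timedelta(days=365)
# Evidence that proves current control of something, not just knowledge of history (assumed kinds).
STRONG_KINDS = {"current_device_serial", "existing_2fa_code", "recent_payment_last4"}


@dataclass
class Evidence:
    kind: str
    issued: date  # when the artefact was created (invoice date, code timestamp)


@dataclass
class Account:
    signin_id: str
    protected: bool = False  # the "protected status" Sony applied after the fact


@dataclass
class RecoveryRequest:
    channel: Channel
    action: Action
    claimed_signin_id: str
    evidence: list
    today: date


def evaluate(account: Account, req: RecoveryRequest) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'escalate'."""
    if req.channel is Channel.LOGGED_IN:
        return "allow", "self-service inside an authenticated session"
    if account.protected and req.channel is Channel.CHATBOT:
        return "deny", "protected account: the chatbot may not act on it"
    if req.claimed_signin_id != account.signin_id:
        return "deny", "claimed sign-in ID does not match the account"
    # Knowing an old sign-in ID and holding an old invoice is history, not control:
    # a mailbox closed years ago may belong to someone else now, so stale records carry no weight.
    fresh = [e for e in req.evidence if req.today - e.issued <= MAX_EVIDENCE_AGE]
    if not fresh:
        return "deny", f"no evidence newer than {MAX_EVIDENCE_AGE.days} days"
    if req.action in SENSITIVE:
        if req.channel is Channel.CHATBOT:
            return "escalate", "2FA and sign-in ID changes need a human agent"
        if not any(e.kind in STRONG_KINDS for e in fresh):
            return "deny", "sensitive action needs proof of current control, not history"
    return "allow", "verification passed"


def thread_scenario() -> dict:
    """Constructed replay of the cases discussed in the thread (all dates invented)."""
    today = date(2023, 6, 1)
    signin = "old-address@example.net"  # placeholder for the closed ISP mailbox
    acct = Account(signin_id=signin)
    protected_acct = Account(signin_id=signin, protected=True)
    old_invoice = [Evidence("old_invoice", date(2019, 3, 14))]
    device_serial = [Evidence("current_device_serial", today)]

    def req(channel, evidence):
        return RecoveryRequest(channel, Action.DISABLE_2FA, signin, evidence, today)

    return {
        "bot_old_invoice": evaluate(acct, req(Channel.CHATBOT, old_invoice))[0],
        "bot_fresh_serial": evaluate(acct, req(Channel.CHATBOT, device_serial))[0],
        "agent_old_invoice": evaluate(acct, req(Channel.HUMAN_AGENT, old_invoice))[0],
        "agent_fresh_serial": evaluate(acct, req(Channel.HUMAN_AGENT, device_serial))[0],
        "bot_on_protected": evaluate(protected_acct, req(Channel.CHATBOT, device_serial))[0],
    }


if __name__ == "__main__":
    for case, decision in thread_scenario().items():
        print(f"{case}: {decision}")
```

The ordering of the checks is the point: the chatbot is never allowed to complete a 2FA or sign-in ID change, stale records are discarded before anything else is weighed, and the console-serial style check the thread praises counts only when it proves current control. The protected flag is modelled exactly as Sony described it, blocking the chatbot channel while leaving logged-in self-service untouched.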
