It seems we're not clear of all the hacking idiocy just yet.

Various sources have reported a simple exploit that lets hackers change your password using only your PSN account e-mail and date of birth.

As we all know, that information was compromised when the Network was attacked last month. According to Eurogamer citing Nyleveia.com , Sony has made the PSN sign-in unavailable for several of its websites, including PlayStation.com. For the time being, it's down for maintenance, and Sony issued this statement:

"Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take. In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."

Sony did make it clear that such maintenance does not affect PSN-enabled consoles; only the website you click through to from the password verification e-mail message. Currently, the recommendation is that you use a new e-mail for your PSN account, as there's no knowing if the hackers – who may have your information – will try to change your password and hijack your account.

We figure Sony will provide some sort of update at some point.

Subscribe
Notify of
85 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
AshT
AshT
9 years ago

what again…damn those hackers….

FatherSun
FatherSun
9 years ago

This is not a hack. It is only a bi-product of the original hack. Just try telling that to all the Little Chickens that frequent the internet. I expected this much considering that the data that was stolen was personal user information such as emai, DOB, ect….


Last edited by FatherSun on 5/18/2011 12:27:49 PM

TheHighlander
TheHighlander
9 years ago

Indeed, but the exploit kind of relies on the attacker having access to the registered email account, and not just knowing the email address, does it not? Unless I've misunderstood the reset process, the reset password value is sent via email to the registered email address. So, as long as you have altered the password on that email account, there's essentially no danger at all.

FatherSun
FatherSun
9 years ago

I think that only applies to those who reset utilizing email. I changed my password vous the PS3 only. But I change passwords frequently so I am not worried.

On a related note, I agree with what someone posted on the PSBlog.

Butters360 on May 18th, 2011 at 11:09 am said: Patrick, its high time you as well as Sony start calling out game sites out on their journalistic integrity. There was no hack involved, but go figure EVERY single website is STILL spreadin F.U.D. articles. This is HIGHLY unprofessional. This is serious and we PS3/ PSN users deserve better than this crap.

Sir Stringer kind of went in that direction but there is only so much he can say without backlash and how the internet can twist words. I'm with Sony. All the way.


Last edited by FatherSun on 5/18/2011 2:38:34 PM

McClane
McClane
9 years ago

Is this the same reason why I can't log into the PSN store?

I want to download my free games

jimmyhandsome
jimmyhandsome
9 years ago

No, the PSN store is still down. Should be up sometime before the end off the month. I'm sure Sony will make a big announcement when its back up

duomaxwell007
duomaxwell007
9 years ago

No it wont be back by teh end of teh month because Sony said they wont start on phase 2 (getting the ps store open) until phase 1 is complete (getting psn up EVERYWHERE) and with the japanese government holding back the launch of PSN in japan… if beauacrats are controlling that you can expect another 6 months before PSN is up to their standards/expectations…

So lets hope sony goes back on their word of phase 1 being complete and just get teh store up and running for everyone outside of japan and deal with the japan problem sepertely (wouldnt be the first time sony does the opposite of what they said they would after all right?) Because Im sure theyre not gonan wanna deal with the backlash of their developers losing 6 montshs of revenue because of no PS store.

Clamedeus
Clamedeus
9 years ago

@duomaxwell007

Nothing to worry about, they will be compensated for the downtime of the PS store, or what ever else they have planned to help them out.

frylock25
frylock25
9 years ago

so we can just change the email that is associated with our psn accounts right?

off topic: crysis 2 is 34.99 on amazon today only. deal of the day

TheHighlander
TheHighlander
9 years ago

If you changed the password on your email account itself, that should be sufficient as I understand the reset process. The email account is necessary because when you request a password reset, the reset value is sent to your registered email address. If someone else knows the password to your email account, there is a problem. If they do not, there is no problem. So, change your password on your email account.

ace_boon_coon
ace_boon_coon
9 years ago

I didn't care for Crysis 2 that much; it seems like it's lacking something. I tried to play it, but I just can't get into it.

CoolBLKguy
CoolBLKguy
9 years ago

I thought Crysis 2 was trash personally, one of my few purchasing regrets this gen.

frylock25
frylock25
9 years ago

yea i had no plans of getting crysis 2. just tryin to pass on the sale. i might rent it.

sonic1899
sonic1899
9 years ago

I'm really getting tired of all these news related to hackers. I don't think about hurting Sony, as much as making themselves known

TheHighlander
TheHighlander
9 years ago

This isn't a hack it's simply the possibility that someone could, with the right information and access to your email account, reset your PSN password.

If I understand the process correctly, an attacker would not only have to have the registered email address, PSN ID and DOB information, but also have access to the email account so that when the reset email is sent, they can pick up the reset value from the email. So unless your email account is compromised, this isn't an issue. Sony have to take the precaution because it's *possible* for the exploit to be used. However given the circumstances, how else did anyone expect to reset their password without a PS3 console to do it on?

So in other words, no one has hacked anything new, this is a precaution taken in response to the vulnerability being reported. If you sit and think about how you handle a password reset, there is only really one way to do it, and that relies on the user having several key pieces of information, as well as sole access to the registered email account. So long as you changed the email account's password after the initial hack this kind of thing should not affect you.

Scarecrow
Scarecrow
9 years ago

It will only affect those dumb enough not to have changed their email passwords when they read that their information was compromised in the hack back in April.

TheHighlander
TheHighlander
9 years ago

Quite. Sadly lots of people apparently didn't get the message…

Beamboom
Beamboom
9 years ago

Also it should be pointed out that this is only an issue if your password for psn and mail were equal in the first place. If your mail password always have been different from your psn password (really different, no relation) then you need not change mail password.


Last edited by Beamboom on 5/18/2011 3:01:56 PM

Beamboom
Beamboom
9 years ago

Nevermind, Kraygen already has stated this further down. ūüôā

ace_boon_coon
ace_boon_coon
9 years ago

This is starting to piss me off. These damn hackers are ruining our fun. I really want to hurt them right now.

coverton341
coverton341
9 years ago

Just remember, everyone; the hackers are on your side, they are doing this to combat the big evil corporate giant that is Sony. Why, if they just let Sony run rampant, sooner than later we would all be slaves to the system and all of our IP addresses would be logged every time we sneezed and squeaked out gas.

What an absolute load of sh!t

Clamedeus
Clamedeus
9 years ago

I don't consider hackers on our side. I don't like 'em.

Especially one with a god-complex.

Oxvial
Oxvial
9 years ago

hehehehe good one Cove.

Jdogtoocool
Jdogtoocool
9 years ago

So if you change your password, can the hacker come back and change your password again to steal it?

Beamboom
Beamboom
9 years ago

No, not unless they got your new password. Just remember to change both psn and mail password if they were the same.

Excelsior1
Excelsior1
9 years ago

i don't know. psn is still up, but any negative headlines concern me. i just hope sony remains vigilant. another outage or data breach for sony would be just devastating in terms of consumer confidence. they need to keep from generating any negative headlines in regards to psn. headlines that combine the words psn and exlpoit just aren't good to hear..


Last edited by Excelsior1 on 5/18/2011 1:35:08 PM

Wissam
Wissam
9 years ago

Hackers you fail.

bigrailer19
bigrailer19
9 years ago

Sony via the PS Blog-

"We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up."


Last edited by bigrailer19 on 5/18/2011 2:14:40 PM

TheHighlander
TheHighlander
9 years ago

Indeed.

Personally, if I were Sony, I'd send an email to all accounts that have not yet reset their password. the email would go to the registered email account, and if there is no answer within 2-3 days, I'd suspend the account and require the user to go through an enhanced verification process to reset their password. For safety's sake, I'd also reset any CC number associated with the suspended account. That would protect consumers and Sony alike.

Jdogtoocool
Jdogtoocool
9 years ago

@Highlander
Idk about that, that would probably be a little too extreme but I get where you're coming from

TheHighlander
TheHighlander
9 years ago

Well, the account would be suspended, not deleted. It would still be a valid account, but you'd have to go through the enhanced verification to re-activate the account. No content or PS Wallet amounts would be lost, trophies would be preserved as would all activations of software or video content. So the user loses nothing, so long as they can provide adequate assurance that they are who they say they are, and that *is* their account. By removing CC/Payment card details, Sony protects the consumer against the off chance that someone manages to validate someone else's account.

Jdogtoocool
Jdogtoocool
9 years ago

This is the way I see it:
Sony: whoops hackers just destroyed our services and may have your credit card info, your real name and address, aaand to top it off if you don't respond to this email and go through a long and painful varification process you will not be able to use your account. Have a nice day…idk to me that would be a slap in the face

TheHighlander
TheHighlander
9 years ago

Or how about this (and before anyone asks, I made this up myself)?

Criminal network hackers recently compromised out network as you may have seen reported in the news media. As communicated via email and our PlayStation Blog, Sony has spent several weeks working around the clock to rebuild PSN security. To maintain user security and prevent unauthorized access, we now require all users to reset their passwords via a secure means. Your password has not yet been reset.

So, we are emailing you as a courtesy reminder to reset your password as soon as possible. We are also informing customers in your situation that we are taking action to protect your data and financial information. Therefore, we are temporarily suspending your account pending a secure password reset. None of your content will be lost, all your trophy and user data is safe.

Out of an abundance of caution, Sony will also remove any credit card data from your account to prevent abuse in the event that a third party fraudulently re-activates your account. We are committed to protecting your data and your account information. Recent attacks on our network have raised awareness of these issues to a new height. We are therefore acting in a corresponding fashion to protect you against possible fraud.

– again, the above is my suggestion of how to communicate such a message, I wrote the message myself, it is *not* from Sony.


Last edited by TheHighlander on 5/18/2011 4:55:56 PM

Clamedeus
Clamedeus
9 years ago

I know Microsoft probably isn't linked to this, it very well could be something different.

Conspiracies. :O I love 'em.

TheHighlander
TheHighlander
9 years ago

Oh, that wouldn't surprise me, Microsoft have done things like that in the past to Yahoo and Google. It's more in the way of gamesmanship than a direct attack since it's possible it's simply an oversight on a spam filter….or automatic traffic shaping because PSN was suddenly the source of a large number of emails…

You know the kind of thing.


Last edited by TheHighlander on 5/18/2011 3:03:06 PM

Clamedeus
Clamedeus
9 years ago

Indeed, I wouldn't doubt it but I also wouldn't rule them out either. It could be something different as well. Not sure, it's very strange though, and the timing of it.


Last edited by Clamedeus on 5/18/2011 3:02:59 PM

TheHighlander
TheHighlander
9 years ago

Oh, the exploit is devious and doesn't require access to your email account.

It is based on obtaining the specific reset code/token issued by the reset by email process, and then using that in a specific URL to force a password reset, which then prompts you to change the password.

I'm still not clear how you get the token unless you have access to the email. If the process works like every other reset by email process, that token is given out by registered email, not on a web page. But, I've never used that option, so I don't know from personal experience. If the code/token value is handed out via the web page, I can see the issue. If that's the case, then whoever was responsible for checking the password reset option fell down on the job.

Beamboom
Beamboom
9 years ago

If the token were handed out via the web page then why was there a token in the first place? I mean, that is the whole point of using a confirmed mail address?

This is confirmed?

TheHighlander
TheHighlander
9 years ago

Well, the place I read it, wouldn't normally quote, so I decided to go with the gist. Your point about the confirmed email address is an important one, and I agree with you completely. There's no point to a token without a confirmed email address to send it to. It simply wasn't clear from the process flow I read whether the token was obtained from an email, or from the web page itself.

Oh, here's a horrible thought, what if the token value was in the URL of the confirmation page? You know how those long URLs can be, just about anything could be hidden in there.

Beamboom
Beamboom
9 years ago

No no no, no way. It can not have been found anywhere in the source code of the page either. It just is unthinkable for so many reasons.

First of all, for the token to be featured in url or source the token value must have already been created before the next page were successfully sent to the user – something they at that point in time can not know if they were able to do at all. It would just be a complete mess if the values were created whenever someone initiated the process. Also, the values of forms and the syntax of urls is like the *very* first thing anyone look at if they want to try and mess with the site. A weak script is a hackers target numero uno.

Secondly, *why* should it be featured in the url? What would that solve?

Thirdly, who would come up with such an idea as a solution?


Last edited by Beamboom on 5/18/2011 3:32:33 PM

TheHighlander
TheHighlander
9 years ago

Exactly, it's unthinkable for so many reasons. that's why it has to be sent to the registered email, so this can only be an issue if the email account has already been compromised.

Beamboom
Beamboom
9 years ago

Unless, of course, the token value itself is not random but based on available data like time stamp, country code, psn nick, or whatever, and thus possible to construct without reading the mail at all. But again… *Why* would anyone do that – I simply see no reason to do it in the first place.

These kind of things may be found if the sloppy solution had some kind of advantage to the developer, usually making something easier. But here I see no such advantage here.


Last edited by Beamboom on 5/18/2011 4:05:18 PM

TheHighlander
TheHighlander
9 years ago

Agreed, there's no reason to build a token based on guessable elements of data. simlpy use a random number generator to build a token value. Good lord, it would almost take more work to do it any other way.


Last edited by TheHighlander on 5/18/2011 4:04:15 PM

Beamboom
Beamboom
9 years ago

Yes indeed. Ergo, that can't be it.

But if bottom line here is that "if your mail account is compromised then mail based password reset is a Bad Thing", then why is this even a story at all now? What's new? What's "discovered"?

Another thing is, why would anyone not just use the ps3 to change password now after the update?


Last edited by Beamboom on 5/18/2011 4:51:55 PM

TheHighlander
TheHighlander
9 years ago

I'm guessing that there will be those who's PS3 met it's maker during the 24 day outage, and also Qriocity subscribers who don't have a PS3.But in reality, that should be a very small number – relatively speaking.

Still, people persist in suggesting that the website provides the reset code. I never used the password recovery (reset) option before all of this, but it was my understanding that it sent the reset code to you in email. I can't see why this would be any different now.


Last edited by TheHighlander on 5/18/2011 5:33:46 PM

Beamboom
Beamboom
9 years ago

Well, it could still have sent you an email…
It's almost too bad it's disabled now, I'd love to see this for myself!

TheHighlander
TheHighlander
9 years ago

Me too Beamboom, me too.

Fane1024
Fane1024
9 years ago

Guys,

If you reset your password, it does indeed send you an e-mail message with an embedded link to the page where you can change your password. I don't have enough technical knowledge to give more details (i.e., when the token was given), though.

It didn't allow me to access that page using the PS3 browser (which I had used to check my webmail); it required a PC.


Last edited by Fane1024 on 5/19/2011 1:28:56 AM

TheHighlander
TheHighlander
9 years ago

Thanks Fane, that means it operates as it ought to. So you can't really do much without access to the registered email account, right?