UPDATED: PlayStation password reset vulnerability exposed


Sony could have more embarrassment on its hands following reports the PlayStation Network (PSN) password reset page contains a flaw.

The Japanese firm has taken down sign-in on most of its websites, including PlayStation.com, as reports claimed hackers could exploit the vulnerability to change users' passwords.

Hackers would need the user's PSN account email and date of birth to make the changes, according to Eurogamer, which said it saw video evidence the vulnerability was genuine.

Email addresses and date of birth details were amongst the data stolen in last month's attacks on Sony.

The site PlayStation customers were being redirected to by password reset emails is also down.

"Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being," Sony said.

"This is due to essential maintenance and at present it is unclear how long this will take... In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."

Nyleveia.com was first to report on the flaw, saying it had given Sony Computer Entertainment Europe (SCEE) a detailed description of the vulnerability.

Users were advised to change their account email to avoid being affected by any possible hack.

Hack was a hiccup'

The reports will not go down well at Sony, which started to restore PSN services over the weekend.

Sony chief executive (CEO) Howard Stringer this week labelled the hack attacks on the PSN a "hiccup."

Speaking publicly for the first time since the breaches, which saw data of over 100 million users stolen, Stringer said no one had a 100 per cent secure system.

"This is a hiccup in the road to a network future," he said.

Stringer defended Sony's response to the hacks, saying the time it took to inform customers was acceptable and only 43 per cent of firms notify users within a month.

"We reported in a week. You are telling me my week wasn't fast enough?" he said.

"This was an unprecedented situation."

The Sony chief posted an open letter online apologising for the data breaches following the hacks, addressing critics who suggested the Japanese manufacturer took too long to tell its customers.

PlayStation users were able to get back on the network this week as Sony restored services. However, in Japan, regulators are still looking for more information on the added security Sony promised before allowing PSN to be restored in the country.

Service restoration hit a snag earlier this week as users complained about not receiving their password reset emails.

Due to the sheer number of people attempting to get new passwords, emails were not going through to customers immediately.

UPDATE: A Sony spokesperson has told IT PRO the company was aware of the issue and is investigating.

"The PSN is still up and functioning, and consumers can still reset their passwords through PSN, but we have temporarily taken down the external password authentication sites whilst we investigate," the spokesperson said.

"Our people are working on this as we speak and we hope to restore this functionality as soon as possible."

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.