According to reports on Nyleveia.com, Eurogamer, and NeoGAF, Sony's PlayStation Network password reset system-the one just put in place after the PSN hack-has been compromised, allowing hackers to change a PSN password if they know your email and date of birth. Exactly the sort of information that was released in the original hack.


Sony has taken the password reset system offline. Kotaku has reached out to Sony for comment.

Update 1: The good news (as pointed out by NeoGAF's "Metalmurphy") is that if your account was compromised, you should have gotten an email from PSN that says your password has been reset.


Update 2: An official community moderator on the EU PlayStation forums notes the following services are offline:

PlayStation.com

PlayStation forums

PlayStation Blog

Qriocity.com

Music Unlimited via the web client

All PlayStation game title websites

G/O Media may get a commission Subscribe and Get Your First Bag Free Promo Code AtlasCoffeeDay20

Update 3: This is the purported exploit as provided to Kotaku. As PlayStation services are now offline, this exploit is no longer able to be executed:

The prodecure is as follows:

1) Navigate to : https://store.playstation.com/accounts/reset/resetPassword.action?token (this is normally, via email, https://store.playstation.com/accounts/reset/resetPassword.action?token=YYYYYYYYYYYYYYYYYYYYYYYY with the y's being a unique token) - do not enter the code at this point.

2) Open a new tab in firefox, and go to fr.playstation.com (other pages will work too most likely), and click Login (Connexion)

3) Click Recover password

4) Enter the email and date of birth of the target account

5) Click continue, then on the confirmation page, click "Reset using E-mail"

6) Switch back to the original tab, and enter the code, then click continue

7) You will now be asked to enter a new password for the target account


Update 4: According to Sony's PlayStation blog, "Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed."