
My PSN account has been stolen...please help!

The 2FA is a little flawed on PSN...it needs some direct link like MS do with their MS account app where it asks you to approve a log in or requests from a different location.

The issue with Sony's 2FA is that it does not always ask you for a code when logging in from different locations...if you have the password you can still login and have access to the account holder's name...the purchase history and other basic stuff that is asked in the webchats or phone calls

My account was hacked just recently and I was surprised at how basic it was to get control of the account again through webchat.

Whenever I need to input my password I need to get a new code from 2FA too. Your post seems completely wrong.
 
Jeez... there's a thread like this every day... wtf Sony. :|

How is this Sony's fault? Yahoo was just recently hacked and 500,000,000 accounts were compromised. Coincidentally all these threads are showing up. If you use yahoo as an email signing for PSN and use the same passwords for multiple accounts then this will happen. Use 2FA and unique passwords!
 
Apologies for bumping this thread, but I don't know where else to post this. I had a text at midnight giving me a verification code (I have 2FA enabled), I have heard this has been a bug before, as a couple friends and people online had texts through even though no one was trying to access their account.

I tried logging in this morning and couldn't, so I immediately went to change my password. I logged into my email, and saw that an email came through at midnight from PlayStation stating that my password had been reset (knowing full well I hadn't changed it at that time, I assumed somebody was trying to compromise my account), luckily for me I followed my password reset link, and have managed to sort it.

My question is, how the fuck can someone change my password without access to the code I received through text?
 
Apologies for bumping this thread, but I don't know where else to post this. I had a text at midnight giving me a verification code (I have 2FA enabled), I have heard this has been a bug before, as a couple friends and people online had texts through even though no one was trying to access their account.

I tried logging in this morning and couldn't, so I immediately went to change my password. I logged into my email, and saw that an email came through at midnight from PlayStation stating that my password had been reset (knowing full well I hadn't changed it at that time, I assumed somebody was trying to compromise my account), luckily for me I followed my password reset link, and have managed to sort it.

My question is, how the fuck can someone change my password without access to the code I received through text?

This is worrying.
 
This is worrying.

Exactly.

Just a quick update. I've found out that they managed to access my EA account, 10 minutes prior to accessing my PSN account. I now have access to both and have reset my password.

I hadn't touched my EA account in perhaps 1-2 years, and it didn't have 2FA enabled. It now does. I'm assuming they gained access to my PSN through my EA account somehow? (Both are linked)
 
Exactly.

Just a quick update. I've found out that they managed to access my EA account, 10 minutes prior to accessing my PSN account. I now have access to both and have reset my password.

I hadn't touched my EA account in perhaps 1-2 years, and it didn't have 2FA enabled. It now does. I'm assuming they gained access to my PSN through my EA account somehow? (Both are linked)

Did you have the same email and password for both?

I'm not convinced they actually got into your psn account. Surely they would have changed the email straight away. Especially since this happened overnight?

Edit: sorry read your first post again and you couldn't get access.
 
You should make a new thread. Someone here on gaf said before that even 2FA can have issues, but didn't explain more. Scary.
 
It seems the password wasn't changed, but that Sony reset it because of suspicious activity.

Did you have the same email and password for both?

I'm not convinced they actually got into your psn account. Surely they would have changed the email straight away. Especially since this happened overnight?

Yeah, this is the confusing part. You usually receive 2 emails when changing your password, with 1 containing a link. The email containing the link didn't come through during the night. It was as if the password automatically updated.

That's why I think Joni could be onto something.

Edit : to answer your question, no I didn't have the same password for both.
 
Just did some checks. You either have a serious issue aside from the PlayStation Network or it was Sony that took action.

You can change the password without reaching the 2FA but you have to click forget password, then it sends a reset mail, then you need to click that link and insert your birth date. Then you can enter the new password, which then goes back to the 2FA. So if your mail hasn't been breached, I think Sony just reset because your password was stolen.

You should make a new thread. Someone here on gaf said before that even 2FA can have issues, but didn't explain more. Scary.

There is this one guy that keeps saying it in every topic without ever giving detail when he is challenged.
 
I'm glad 2FA is around, but I find it highly annoying and will never use it again. I use great passwords instead and change them now and then. I have never had any problems, and I hope I never do.
 
I'm glad 2FA is around, but I find it highly annoying and will never use it again. I use great passwords instead and change them now and then. I have never had any problems, and I hope I never do.

Are they unique to that account or not?
 
Are they unique to that account or not?

Of course they are always unique. I never would use the same password for any of my credit cards, emails, or game accounts. I have no idea why anyone would do this. I do use similar passwords but never the same.

My email for the account is shared with a couple things, but all unique passwords that are very strong and could never be brute forced AFAIK.

I don't want my account being messed with just like anyone else. But 2FA is a huge bother to me personally. Same thing on Steam. Will never do that again.
 
Apologies for bumping this thread, but I don't know where else to post this. I had a text at midnight giving me a verification code (I have 2FA enabled), I have heard this has been a bug before, as a couple friends and people online had texts through even though no one was trying to access their account.

I'm curious how did you and your friends determine that a received code was a bug in the 2FA system and not an adversary trying to access your accounts?
 
2FA should be made opt out (if not mandatory), even for old accounts.
It's too easy to miss or not even know what it is, for a non tech savvy person.
And a PS4 is a mainstream enough device, that casual consumers will be the vast majority of the user base.
 
Aside from 2FA, folks should add aliases to email addresses if you use Gmail using +alias

youremail at gmail dot com

to

youremail+whateveryoutypehere at gmail

Anything that's "+whatever" will get sent to your main address. Not only is it an extra layer of protection but you can have different extensions for different sites.

It's also good to see which asshole company gives your email address out to their friends.
 
Aside from 2FA, folks should add aliases to email addresses if you use Gmail using +alias

youremail at gmail dot com

to

youremail+whateveryoutypehere at gmail

Anything that's "+whatever" will get sent to your main address. Not only is it an extra layer of protection but you can have different extensions for different sites.

It's also good to see which asshole company gives your email address out to their friends.

Sorry not sure I understand. You can add random shit onto your email address and it'll still deliver?

I assume the point here is you'll still get the email, but that email address won't be valid to actually log into PSN?
 
Speed of texts, and it stopping when turning 2FA on/off again. You expect it to continue.

Thanks. Yeah, speed of texts could be login bots, but it stopping when turned off and on again definitely signifies it was a bug. We don't hear about those bombardments anymore, so it's likely fixed.

Woah, is that the only situation that would trigger it? Damn. Time to change the password.

Yep, if you didn't perform a login to trigger the sending of code, someone else did.
 
Sorry not sure I understand. You can add random shit onto your email address and it'll still deliver?

I assume the point here is you'll still get the email, but that email address won't be valid to actually log into PSN?

Yes, using Gmail you can use the + sign to add an alias to your email address and you will still receive the mail (or you can just add as many . as you want).

It is still a valid email address to log into PSN, if you specified it in your account settings. You can use different aliases for different accounts, though.

Like name+psn@gmail.com or name+origin@gmail.com and so on.
 
Sorry not sure I understand. You can add random shit onto your email address and it'll still deliver?

I assume the point here is you'll still get the email, but that email address won't be valid to actually log into PSN?

If for example you used danthefan+neogaf@gmail.com, that would be your login username but all emails would get delivered to danthefan@gmail.com. It's good because like what the other poster said you can pinpoint which service may be compromised should that happen and it's also an easy way to have multiple separate emails for sign ups without having to make different ones each time.

Edit: beaten!
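Added example, not part of any post in this thread: a small Python sketch of the plus-alias idea described above, mapping the recipient addresses seen in spam or a leak back to the sign-up that used them. The function names and the sample addresses are constructed for illustration; the only Gmail behaviour assumed is what the posts state (everything after `+` and any dots in the local part are ignored on delivery).

```python
# Added illustration: attribute leaked Gmail plus-aliases to the sign-up they came from.
# Function names and SAMPLE are constructed for this example.

def split_alias(address):
    """Return (canonical_mailbox, tag); tag is None when no +alias is present."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    tag = None
    if domain == "gmail.com":
        # Gmail delivers name+anything@gmail.com to name@gmail.com ...
        local, plus, rest = local.partition("+")
        tag = rest if plus and rest else None
        # ... and ignores dots in the local part.
        local = local.replace(".", "")
    return f"{local}@{domain}", tag


def attribute_leaks(my_address, seen_addresses):
    """Count, per alias tag, how often my mailbox shows up in seen_addresses."""
    mine, _ = split_alias(my_address)
    hits = {}
    for addr in seen_addresses:
        try:
            mailbox, tag = split_alias(addr)
        except ValueError:
            continue  # skip malformed entries in the dump
        if mailbox != mine:
            continue  # someone else's mailbox
        # An address without a tag cannot be attributed: the tag is easy
        # to strip, so the alias is a tracing aid, not an access control.
        key = tag if tag else "(no alias)"
        hits[key] = hits.get(key, 0) + 1
    return hits


# Constructed sample: recipient addresses as they might appear in a leaked list.
SAMPLE = [
    "name+psn@gmail.com",
    "n.a.m.e+psn@gmail.com",   # same mailbox, dots added
    "name+origin@gmail.com",
    "name@gmail.com",          # tag stripped: unattributable
    "other+psn@gmail.com",     # different mailbox
    "garbage",                 # malformed line
]

if __name__ == "__main__":
    for tag, count in sorted(attribute_leaks("name@gmail.com", SAMPLE).items()):
        print(f"{tag}: {count}")
```
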
 
I'm gonna explain these stolen account procedures so people know what they are dealing with.
Every day people's email addresses and passwords are stolen from legit websites without them knowing, or they sign up on shady sites that are collecting this information purposefully, and many people use the exact same email and password for everything they sign up for.
These stolen email addresses and passwords form lists, and using some hacking programs, simple scripts and multiple VPN servers everybody can bombard Sony's servers to find accounts with matching emails and passwords. When the account owner doesn't use 2FA, they can access the account easily. Then they dump the names of games purchased via that account and make shortlists of various accounts they've got access to.
These accounts are sold in bundles very cheap.
What happens next is someone that buys these bundles uses the PlayStation app to check that the account owner is not online and using it. Then they access the account via the PSN website and use deactivate PS4 systems and then they activate the account as primary on their own PS4. They go through that library and download whatever game the account has and log out from the account. They don't change the password or change the email address. By doing this they make it harder for account owners to find out about their accounts and even to prove to Sony that their account is actually stolen. And so many times the account owner never finds out about this.
And if the account owner actually finds out about it and can prove the matter, the stealing party only loses those games and rarely their PS4 gets banned from PSN.
It's outright disgusting people are stealing people's accounts and Sony must be held responsible for their weak security. One simple solution would be needing an email confirmation for deactivating the account. Because there is a chance that the email itself uses a different password. Making 2FA mandatory is another solution.

So people, if you care about your account use 2FA. Use a unique email address and password for your PSN account. This way you can be sure this won't happen.

I hope I don't get into trouble for shedding some light on this matter.
 
So people, if you care about your account use 2FA. Use a unique email address and password for your PSN account. This way you can be sure this won't happen.

I'd like to use 2FA, but as far as I can tell, it's a mess to setup for PS3... Even the official tutorial from Sony points toward a 404 page, and the things they say are in menus definitively aren't.

(Though I still don't understand how they would get access to a PSN account if you use unique decent password)
 
Woah, is that the only situation that would trigger it? Damn. Time to change the password.

Indeed. It only switches to the 2FA screen after you have entered the password.

I'm gonna explain these stolen account procedures so people know what they are dealing with.
Every day people's email addresses and passwords are stolen from legit websites without them knowing, or they sign up on shady sites that are collecting this information purposefully, and many people use the exact same email and password for everything they sign up for.
These stolen email addresses and passwords form lists, and using some hacking programs, simple scripts and multiple VPN servers everybody can bombard Sony's servers to find accounts with matching emails and passwords. When the account owner doesn't use 2FA, they can access the account easily. Then they dump the names of games purchased via that account and make shortlists of various accounts they've got access to.
These accounts are sold in bundles very cheap.
What happens next is someone that buys these bundles uses the PlayStation app to check that the account owner is not online and using it. Then they access the account via the PSN website and use deactivate PS4 systems and then they activate the account as primary on their own PS4. They go through that library and download whatever game the account has and log out from the account. They don't change the password or change the email address. By doing this they make it harder for account owners to find out about their accounts and even to prove to Sony that their account is actually stolen. And so many times the account owner never finds out about this.
And if the account owner actually finds out about it and can prove the matter, the stealing party only loses those games and rarely their PS4 gets banned from PSN.
It's outright disgusting people are stealing people's accounts and Sony must be held responsible for their weak security. One simple solution would be needing an email confirmation for deactivating the account. Because there is a chance that the email itself uses a different password. Making 2FA mandatory is another solution.

So people, if you care about your account use 2FA. Use a unique email address and password for your PSN account. This way you can be sure this won't happen.

I hope I don't get into trouble for shedding some light on this matter.

That is a big workaround for hackers wanting to make money. They simply hack the account, use the present Paypal to buy for instance Neverwinter gold and then sell that gold.
It is also not really Sony's fault when it concerns people reusing passwords. People doing that, would probably not have different passwords for their mail.
 
I'd like to use 2FA, but as far as I can tell, it's a mess to setup for PS3... Even the official tutorial from Sony points toward a 404 page, and the things they say are in menus definitively aren't.

(Though I still don't understand how they would get access to a PSN account if you use unique decent password)

Yes. If you use a unique email address and password and never use it on any other place you can be sure this won't happen.
 
I'd like to use 2FA, but as far as I can tell, it's a mess to setup for PS3... Even the official tutorial from Sony points toward a 404 page, and the things they say are in menus definitively aren't.

(Though I still don't understand how they would get access to a PSN account if you use unique decent password)

It isn't very hard, I simply had to generate a password for the PS3 from Sony's account management page. If you need a hand setting it up I can write up a few instructions.
 
Exactly.

Just a quick update. I've found out that they managed to access my EA account, 10 minutes prior to accessing my PSN account. I now have access to both and have reset my password.

I hadn't touched my EA account in perhaps 1-2 years, and it didn't have 2FA enabled. It now does. I'm assuming they gained access to my PSN through my EA account somehow? (Both are linked)

Were your PSN and EA account passwords the same? Your PSN password should always be unique, meaning you never made that password before and currently no other account of yours has that password.

Also enter your email in here to see if you've been compromised elsewhere

https://haveibeenpwned.com/PwnedWebsites
 
If for example you used danthefan+neogaf@gmail.com, that would be your login username but all emails would get delivered to danthefan@gmail.com. It's good because like what the other poster said you can pinpoint which service may be compromised should that happen and it's also an easy way to have multiple separate emails for sign ups without having to make different ones each time.

Edit: beaten!

Yes, using Gmail you can use the + sign to add an alias to your email address and you will still receive the mail (or you can just add as many . as you want).

It is still a valid email address to log into PSN, if you specified it in your account settings. You can use different aliases for different accounts, though.

Like name+psn@gmail.com or name+origin@gmail.com and so on.

Mind blown. Thanks guys I will certainly take advantage of this in future.
 
Obligatory reminder to enable 2FA NOW BEFORE IT HAPPENS TO YOU UNLESS YOU ARE PERFECT ABOUT YOUR PASSWORD MANAGEMENT.

Saved my PSN once already, lovely morning when I was abroad on holiday getting a dozen or so codes being sent to me to apparently change my password / email. PSN accounts will now easily be worth three if not four figure dollar sums not mentioning the massive hassle of getting pwned, switch it on now if you need to.
 