Combichristoffersen said:
Doesn't really matter if it wasn't a widely known security hole; if people knew about it, Sony must've known about it themselves, considering they're the ones who set up and run the PSN service. And if Sony knew about this security hole without doing anything about it... smh. What a bumblefuck.
It matters, since if it is a widely known security hole, then it is much easier to know about it, not only among hackers but also among the companies. If there is an exploit that maybe only a handful of people know about in secrecy, then there is a bigger chance that the exploit will be available for a longer period of time.
But what I meant is that if it was a widely known problem, then I'm sure that Sony would have fixed it a long time ago. And if it was this easy to hijack someone's PSN account for years, then I think that PSN account hijacking would have been a much bigger problem than it has been.
HaRyu said:
If you hit the "Forgot Password" link, the next page you see is the recovery page, asking for the email address to the account, and your DOB.
After you enter that information, the next page will ask how you want to reset your password.
When I tried it yesterday, it only gave me one choice, "change via email". I'm assuming there might be more than one choice, and I assume that's the exploit people are using: getting that other choice to appear in the menu.
OK, I see. I think it is very weird if e-mail and DOB were all that was needed, though, since these things are not considered sensitive information in my opinion, especially not in these "Facebook days".
MTMBStudios said:
When the website was up and running there were two options, if I remember correctly, when you clicked "forgot password". There was:
1. Send reset password email.
2. Change via website.
Clicking 1 would send the password reset email the OP got.
Clicking 2 would ask for email and DOB, and entering those would let you change the password ON THE SITE. It's explicit.
It's not an exploit. It has always been this way on purpose. Or at least that page used to be there. The only reason this is an issue now is because the hackers most likely have DOB, so now they HAVE to change it.
Are you absolutely sure about this? I don't mean any offence at all, but I just find it hard to believe that all you needed was the email address and date of birth to be able to change the password. As I mentioned above, I don't consider email and DOB really sensitive information, so I find it hard to believe this was all it took to change someone's PSN password and that this was possible for years. But I never checked it out myself, and I'm not saying that you're lying, just to underline that; I just find it hard to believe.
EDIT: Never mind what I wrote in my edit; it was wrong.
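To make concrete what the posters above are arguing about, here is an added example (not Sony's code, and not anything from the thread) that models the two reset paths they describe: a "change via website" path where knowing the registered e-mail address and date of birth is enough to set a new password, and a "change via email" path where a single-use, time-limited token is delivered to the registered mailbox and must be presented to finish the reset. Account data, the mailbox `outbox`, the token lifetime and all function names are constructed for the example.

```python
"""Password-reset flows side by side.

weak_reset():    knowledge-based reset (e-mail + DOB), the "change via website"
                 option described in the thread; whoever knows two pieces of
                 widely shared personal data can take the account.
request_reset()/complete_reset(): token sent to the registered address, so the
                 resetter must control the mailbox, not just know the DOB.

Added example; account records and the outbox are constructed, not real data.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60        # assumed lifetime of a reset token, in seconds
PBKDF2_ROUNDS = 100_000    # assumed work factor for stored password hashes


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, pbkdf2 digest); a fresh random salt is drawn if none given."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(account: dict, password: str) -> bool:
    _, digest = hash_password(password, account["salt"])
    return hmac.compare_digest(digest, account["pw_hash"])


def make_account(email: str, dob: str, password: str) -> dict:
    salt, digest = hash_password(password)
    return {"email": email, "dob": dob, "salt": salt, "pw_hash": digest, "reset": None}


# --- Weak path: "change via website" ---------------------------------------
def weak_reset(accounts: dict, email: str, dob: str, new_password: str) -> bool:
    """E-mail + DOB is the whole check. Nothing proves mailbox control, so the
    DOB is effectively the account's second password, and it is rarely secret."""
    acct = accounts.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    acct["salt"], acct["pw_hash"] = hash_password(new_password)
    return True


# --- Hardened path: one-time token to the registered address -----------------
def request_reset(accounts: dict, email: str, outbox: list, now: float) -> str:
    """Same response whether or not the address exists, so the form does not
    leak which e-mails are registered. Only the token's hash is stored."""
    acct = accounts.get(email)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        acct["reset"] = {"token_hash": hashlib.sha256(token.encode()).digest(),
                         "expires": now + TOKEN_TTL}
        outbox.append((email, token))  # stands in for delivering the e-mail
    return "If that address is registered, a reset link has been sent."


def complete_reset(accounts: dict, email: str, token: str,
                   new_password: str, now: float) -> bool:
    """Accept the token only once, only before expiry, compared in constant time."""
    acct = accounts.get(email)
    pending = acct["reset"] if acct is not None else None
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    acct["reset"] = None                       # single use
    acct["salt"], acct["pw_hash"] = hash_password(new_password)
    return True


def demo() -> dict:
    """Attacker knows the victim's e-mail and DOB but cannot read the mailbox."""
    email, dob = "victim@example.com", "1990-01-01"   # constructed test account
    accounts = {email: make_account(email, dob, "correct horse")}
    outbox, now = [], time.time()

    weak_takeover = weak_reset(accounts, email, dob, "attacker-pw")

    request_reset(accounts, email, outbox, now)
    token_guess = complete_reset(accounts, email, secrets.token_urlsafe(32), "attacker-pw", now)
    _, real_token = outbox[-1]                       # only the mailbox owner has this
    owner_reset = complete_reset(accounts, email, real_token, "owner-pw", now)
    replay = complete_reset(accounts, email, real_token, "attacker-pw", now)

    request_reset(accounts, email, outbox, now)      # a token left unused past TTL
    _, stale_token = outbox[-1]
    expired = complete_reset(accounts, email, stale_token, "late-pw", now + TOKEN_TTL + 1)

    return {"weak_takeover": weak_takeover, "token_guess": token_guess,
            "owner_reset": owner_reset, "replay": replay, "expired": expired,
            "owner_pw_works": check_password(accounts[email], "owner-pw")}


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the thread circles around: in the weak path the date of birth is doing the work of a credential, so once an attacker has e-mail plus DOB the account is theirs; in the token path the same knowledge gets them a generic "a link has been sent" message and nothing else, and the token cannot be guessed, replayed or used after it expires.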