Sony has not fixed a fundamental vulnerability in the PlayStation Network verification process even six months after it was first discovered, which allows accounts to be taken over despite 2FA.
PlayStation Support still allows attackers to take ownership of an account simply by providing a transaction number, thereby circumventing all digital security measures such as passkeys or two-factor authentication (2FA).
Support protocols circumvent modern security standards
The security vulnerability is not based on a software bug in the traditional sense, but rather on a flawed internal customer service policy. If an attacker presents a single transaction ID from a purchase on the PlayStation Store, support classifies them as the legitimate owner. Consequently, the registered email address is changed and existing security measures are removed.
The journalist Nicolas Lellouche, who made the problem public in December 2025, has recently fallen victim to the same procedure again. The protective measures promised by Sony – such as marking his account as a "high-risk account" where support is not allowed to intervene – apparently only worked temporarily or were ignored internally.
Mdrrrr do you want to pirate your PlayStation account that has the world tour and Sony can't get it right?
— Nicolas Lellouche (@LelloucheNico) May 13, 2026
I got hacked again last night 🤣😭 Here we go again, as they say. (Don't buy digital games!) pic.twitter.com/msxFeG3Yuz
Identity theft without technical effort
The core problem is the prioritization of analog data over digital security. While passkeys represent the state of the art, with Sony, a screenshot or a number from a confirmation email is enough to bypass these barriers. The current case also demonstrates a worsening of the situation. While the first incident in December suggested targeted retaliation, the behavior of the new attacker indicates that the method is now widely known and being exploited.
Compared to competitors like Microsoft or Valve, this process seems archaic. There, account recovery usually requires access to the original payment method or identity verification that goes beyond a simple number. Sony, on the other hand, prioritizes fast support at the expense of user security.
Risks for the digital library
For players, this means constant insecurity. As soon as a transaction number becomes known – for example, through phishing, data leaks, or sharing screenshots on social media – the account is effectively fair game. Since Sony allows the email address change process without confirmation via the old address, the rightful owner loses access immediately and often permanently.
The psychological component is particularly critical. Anyone who has invested hundreds or thousands of euros in a digital game library must be prepared for the possibility of total loss at any time, as long as Sony continues to prioritize transaction IDs for support requests.
The situation is critical. As long as Sony doesn't fundamentally change its support policies, no PSN account is truly secure. Users should be extremely careful never to publicly display transaction details or confirmation emails, or store them in unsecured cloud storage. A hardware passkey offers no protection here, as the human factor in support simply overrides the technical hurdle.