Although it seems everything is on its way back to normal with Sony’s PSN following this weekend’s restoration, there are reports going around that the service was compromised again. Nyleveia first reported that an individual had demonstrated that PSN account passwords could be reset with just two bits of information: the e-mail address and date of birth. Given the previous data breach, that information could easily be available to plenty of malicious users. Following these reports circulating, the web-based PSN password reset form was taken down.
Nyleveia’s description of the exploit in general:
While we will not reveal specific details regarding how the exploit is performed for obvious reasons, we can say that the exploit involves a vulnerability in the password reset form currently implemented, not properly verifying tokens.
On the PlayStation Blog, this was posted:
We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.
It confirms the exploit existed and that passwords could be reset. The PSN store site is still down for maintenance as of publishing.
Nyleveia’s advice for how to make a secure account is still sound:
I would suggest that you secure your accounts now by creating a completely new email that you will not use ANYWHERE ELSE, and switching your PSN account to use this new email. You risk having your account stolen, when this hack becomes more public, if you do not make sure that your PSN account’s email is one that cannot be affiliated with or otherwise traced to you.