PlayStation Network password-reset system compromised
[UPDATE] Multiple sources report Web-based method for creating new login info can be hacked with a user's e-mail and date of birth; Sony confirms "URL exploit."
Source: See below.
What we heard: Just five days after the PlayStation Network started coming back online, reports are surfacing of a new security flaw in the online systems. Based on an initial article on gaming blog Nyleveia.com that was reportedly confirmed by NeoGAF users and Eurogamer, hackers have discovered a new, simple exploit to change PSN users' passwords.
The exploit is reportedly carried out via the Web pages Sony set up to facilitate the mandatory password changes required in the wake of the three-week PSN outage. All that is reportedly needed to perform it is a PSN user's e-mail address and date of birth, both of which are among the data reportedly stolen from all 77 million PSN and Qriocity users last month. The exploit reportedly does not affect those changing their passwords on the PlayStation 3 or PSP, both of which can still access the PSN.
The official story: Though Sony Computer Entertainment America reps had not commented as of press time, a moderator on the European PlayStation.com forums offered the following information:
"Please note that PSN sign in is currently unavailable for the following services:
Music Unlimited via the web client
All PlayStation game title websites
Unfortunately, this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance, and at present, it is unclear how long this will take.
In the meantime, you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information."
Meanwhile, Nyleveia.com has reportedly performed the exploit multiple times on multiple volunteers' PSN accounts. Several websites have also posted detailed instructions on how to perform it, so the report does not appear to be bogus.
[UPDATE] Later this morning, Sony Computer Entertainment America's senior director of corporate communications and social media Patrick Seybold confirmed the exploit and said Sony was working quickly to fix it.
"We temporarily took down the PSN and Qriocity password reset page," said Seybold on the PlayStation Blog. "Contrary to some reports, there was no hack involved. In the process of resetting of passwords, there was a URL exploit that we have subsequently fixed."
He continued, "Consumers who haven't reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up." Sony offered no timeline as to when the sites will return.
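The two details the page does give, that a reset could be started with nothing more than an e-mail address and date of birth (data already in the breach), and Seybold's description of a "URL exploit" in the reset flow, are enough to illustrate the class of weakness. The following is an added example, not Sony's code and not a reconstruction of the actual PSN bug: the "weak" handler is an assumed pattern in which the reset link carries the account identity as a URL parameter and the server trusts it, placed beside a hardened handler in which the random token alone identifies the account, is stored hashed, expires, and is single-use. Account data, names and the `/reset` paths are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed sample accounts (not real data). E-mail address and date of
# birth are the two values the article says the reset pages asked for.
ACCOUNTS = {
    "alice@example.invalid": {"dob": "1985-04-12", "password": "old-alice-pw"},
    "bob@example.invalid": {"dob": "1990-09-30", "password": "old-bob-pw"},
}


def knows_email_and_dob(email, dob):
    """Gate for starting a reset. After a breach this proves nothing about
    who is asking, so it must never be the only thing a reset relies on."""
    acct = ACCOUNTS.get(email)
    return acct is not None and acct["dob"] == dob


# --- Weak design (assumed pattern, illustrative only) --------------------
# A one-time token is e-mailed, but the link also carries the account
# identity as a query parameter and the handler trusts that parameter.
WEAK_TOKENS = set()


def weak_request_reset(email, dob):
    """Returns the parameters of the link that would be e-mailed:
    /reset?email=<email>&token=<token>"""
    if not knows_email_and_dob(email, dob):
        return None
    token = secrets.token_urlsafe(32)
    WEAK_TOKENS.add(token)
    return {"email": email, "token": token}


def weak_complete_reset(query, new_password):
    """`query` is the parsed query string of the clicked link."""
    token = query.get("token")
    if token not in WEAK_TOKENS:
        return False
    target = query.get("email")  # attacker can rewrite this in the URL
    if target not in ACCOUNTS:
        return False
    ACCOUNTS[target]["password"] = new_password
    WEAK_TOKENS.discard(token)
    return True


# --- Hardened design ------------------------------------------------------
# The token is the only thing in the link. Server side it is stored hashed,
# bound to the account it was issued for, time-limited and single-use.
RESET_TTL_SECONDS = 15 * 60
HARD_TOKENS = {}  # sha256(token) -> {"email": ..., "expires": ...}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def hard_request_reset(email, dob, now=None):
    """Returns the token for the link /reset?token=<token>, sent only to the
    address on file, so possession of that inbox is what the reset proves."""
    if not knows_email_and_dob(email, dob):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    HARD_TOKENS[_digest(token)] = {"email": email, "expires": now + RESET_TTL_SECONDS}
    return token


def hard_complete_reset(token, new_password, now=None):
    now = time.time() if now is None else now
    record = HARD_TOKENS.pop(_digest(token), None)  # pop: single use
    if record is None or now > record["expires"]:
        return False
    ACCOUNTS[record["email"]]["password"] = new_password
    return True


def demo():
    """Attacker owns alice's inbox and knows bob's e-mail + DOB only from
    the leak; bob's inbox stays out of reach."""
    link = weak_request_reset("alice@example.invalid", "1985-04-12")
    # Weak flow: keep the token, swap the e-mail parameter to the victim.
    weak_hijack = weak_complete_reset(
        {"email": "bob@example.invalid", "token": link["token"]}, "attacker-pw")
    # Hardened flow: the token for bob's reset goes to bob's inbox; there is
    # no parameter to tamper with and a guessed token fails.
    hard_request_reset("bob@example.invalid", "1990-09-30")
    hard_hijack = hard_complete_reset(secrets.token_urlsafe(32), "attacker-pw")
    return {"weak_hijacked": weak_hijack, "hard_hijacked": hard_hijack}


if __name__ == "__main__":
    print(demo())
```

Note that the hardened flow still lets anyone holding the leaked e-mail and date of birth start a reset; what it removes is any way to finish one without reading the victim's inbox. That is the property a reset flow has to rest on once the knowledge-based data is public, and it is also why Sony could safely tell users to reset from the PS3, where the console session itself vouches for the account.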