PlayStation Security Flaw Lets Hackers Bypass 2FA Easily

Abhi Soni
Summary

French journalist’s PSN account hijacked using only his username and a 2023 transaction ID from a public article.

Hack bypassed 2FA entirely; hacker changed email, password, and made a €9.99 PayPal charge.

PlayStation support recovered the account with the same info, exposing the flaw—readers report similar incidents.

The PlayStation Network (PSN) faces fresh scrutiny after a French tech journalist exposed a shocking security loophole that lets hackers seize accounts without triggering two-factor authentication (2FA).

Nicolas Lellouche from Numerama detailed his ordeal in a bombshell report. His account was compromised out of the blue. The intruder swiftly updated the email and password, then slapped a €9.99 charge on his PayPal. Lellouche disputed it fast and looped in PlayStation support.

The Disturbing Recovery Process

Support reclaimed the account—but only after Lellouche handed over his username and any old transaction ID from a past purchase. No 2FA codes, no deep verification. This same combo is all a hacker needs, turning innocuous purchase proofs into keys to your digital kingdom.

Lellouche’s nightmare repeated when the hacker struck again. He confronted the perp directly, and the perp mocked him before revealing the method: he had snagged the 2023 transaction ID from one of Lellouche’s own articles, paired it with the public username, and logged in effortlessly.

Widespread Risk Confirmed

Post-report, affected readers flooded in, confirming the tactic works broadly. PSN’s history of breaches makes this extra alarming—past incidents often required support battles, but this sidesteps defenses entirely.

Sony hasn’t commented yet. For now, guard those transaction IDs like your trophy collection. Scrub them from public posts, and consider auditing old invoices.
