PlayStation Network Account Hacks Reportedly Possible Even With 2FA and Passkeys
A troubling account-security story is circulating in the PlayStation community after French tech journalist Nicolas Lellouche reported that his PlayStation Network account was taken over despite having modern protections enabled, including 2FA and a passkey. The key issue described is not a cryptographic failure of passkeys or 2FA themselves but a support-side ownership-verification process that can be socially engineered.
In his detailed write-up for Numerama, Lellouche says the root problem is how Sony verifies account ownership during support recovery flows. He reports that attackers took control of his account twice by presenting a transaction number as proof of ownership, a number obtained from a screenshot he had shared earlier. According to the report, the process required no additional corroborating information, and repeated requests tied to the same account did not trigger suspicion or escalation. The result is a path that lets an attacker override strong login protections through customer support rather than by bypassing authentication directly.
No idea how, but someone managed to change the email address and password of my @PlayStationFR account, even though it was protected by a passkey.
I have lost access to my account, money was taken from me, and I can no longer log in. Change your passwords! pic.twitter.com/K8fO6dprwD
— Nicolas Lellouche (@LelloucheNico) December 22, 2025
The story also describes how the attacker changed the associated email address and password and spent money using a linked payment method. After Lellouche recovered the account through PlayStation Support, the attacker reportedly regained control, which is the worst-case scenario for any account recovery system: it signals that the recovery pathway is easier to exploit than the login pathway is to defend.
Separately, context from the broader discussion includes a now-deleted summary that a ResetEra user preserved and reposted. It describes the attacker's method and makes the point that public-facing identifiers such as an email address can become the starting point for a targeted takeover if support workflows treat such limited evidence as sufficient.
Passkeys and 2FA protect authentication at login. But if a support agent can be convinced to transfer ownership on weak evidence, attackers do not need to break passkeys at all; they simply route around them. That is a classic social-engineering failure mode, and it hits hardest on platforms like PlayStation, where an account can hold a large digital library plus stored payment methods.
Based on what is described in the report, the most pragmatic mitigation is to limit what an attacker can harvest and reuse.
Avoid posting screenshots that include transaction numbers, order IDs, email addresses, or support case details
Remove saved payment methods if you do not need them for subscriptions
Use prepaid cards for store purchases when possible
Keep records of your own purchases privately so you can recover the account faster if needed
If you ever share proof of purchase for support, redact transaction numbers and any personally identifying details before uploading or posting
Hopefully, this report prompts Sony to tighten support verification: require stronger, multi-factor proof during recovery, refuse to accept harvestable identifiers such as a transaction number on their own, and raise an internal flag when the same account triggers repeated recovery attempts in a short window.
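To make the two recovery-side controls above concrete, here is an added example of a minimal recovery-request policy. It is illustrative code written for this article, not Sony's support tooling or anything from Lellouche's report, and every account ID, ticket, proof category name and threshold in it is constructed. The policy does three things: it refuses to treat harvestable identifiers (transaction number, order ID, email address) as ownership proof on their own, it requires a second independent proof alongside one that needs control of a credential or device, and it escalates any request for an account that already had a recovery request inside a seven-day window.

```python
"""Constructed recovery-request policy (hypothetical; not Sony's system)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Identifiers an attacker can lift from a screenshot or a public profile.
WEAK_PROOFS = {"transaction_number", "order_id", "email_address"}
# Proofs that require holding something the attacker should not have.
STRONG_PROOFS = {"passkey_challenge", "totp_code", "recovery_code",
                 "card_last4_and_billing_zip"}

# Any second recovery request on the same account inside this window is
# routed to a human with a higher verification bar (constructed threshold).
ESCALATION_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class RecoveryRequest:
    account_id: str
    requested_at: datetime
    evidence: frozenset  # proof categories the agent recorded on the ticket


@dataclass
class Decision:
    action: str                      # "approve", "deny" or "escalate"
    reasons: list = field(default_factory=list)


def recent_recoveries(request, history):
    """Earlier requests for the same account inside the escalation window."""
    return [h for h in history
            if h.account_id == request.account_id
            and h.requested_at < request.requested_at
            and request.requested_at - h.requested_at <= ESCALATION_WINDOW]


def evaluate(request, history):
    """Apply the policy to one request given all earlier requests."""
    reasons = []
    prior = recent_recoveries(request, history)
    if prior:
        reasons.append(f"{len(prior)} prior recovery request(s) within "
                       f"{ESCALATION_WINDOW.days} days")

    strong = request.evidence & STRONG_PROOFS
    if not strong:
        # A transaction number alone is exactly the evidence in the report.
        reasons.append("no proof that requires control of a credential or device")
        return Decision("deny", reasons)
    if len(request.evidence) < 2:
        reasons.append("single proof only; a second independent proof is required")
        return Decision("deny", reasons)
    if prior:
        # Strong proof is present, but repeated recovery is a takeover signal.
        return Decision("escalate", reasons)
    reasons.append("strong proof with corroboration and no recent recovery activity")
    return Decision("approve", reasons)


def replay(requests):
    """Evaluate requests in order; each one sees the earlier ones as history."""
    history, actions = [], []
    for req in requests:
        actions.append(evaluate(req, history).action)
        history.append(req)
    return actions


# Constructed scenario, loosely modelled on the sequence the report describes.
T0 = datetime(2025, 12, 20, 9, 0)
SCENARIO = [
    # attacker: only a transaction number from a screenshot -> deny
    RecoveryRequest("acct-1", T0, frozenset({"transaction_number"})),
    # owner recovering hours later with strong proof -> escalate (repeat activity)
    RecoveryRequest("acct-1", T0 + timedelta(hours=6),
                    frozenset({"recovery_code", "card_last4_and_billing_zip"})),
    # attacker again with two harvestable identifiers -> deny
    RecoveryRequest("acct-1", T0 + timedelta(days=1),
                    frozenset({"transaction_number", "order_id"})),
    # unrelated account, strong proof plus corroboration, no history -> approve
    RecoveryRequest("acct-2", T0 + timedelta(days=1),
                    frozenset({"totp_code", "email_address"})),
]

if __name__ == "__main__":
    for req, action in zip(SCENARIO, replay(SCENARIO)):
        print(req.account_id, req.requested_at.isoformat(), sorted(req.evidence), "->", action)
```

The point of the `escalate` branch is that it fires even when the evidence looks good: a second recovery on the same account within days is precisely the pattern from the report, and a human reviewer should see it rather than an agent simply re-running the same checklist.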
Do you think Sony should require a higher bar for account recovery even if it makes support slower, or do you prefer a faster process that risks being abused?
