A French technology journalist has reported a serious PlayStation Network security incident after his account was taken over twice in a single day, despite having two-factor authentication and passkeys enabled. The case was shared publicly by Nicolas Lellouche, a journalist at Numerama, who detailed the events and his interactions with the individual responsible ahead of a planned article.
According to Lellouche, his PSN account was compromised through Sony’s customer support process rather than through traditional methods such as phishing or cookie hijacking. He explained that both his email address and password were changed during the takeovers, effectively locking him out of his account even though additional security measures were active. The account was recovered once, only to be taken over again shortly afterward using the same method.
In a public update, Lellouche stated, “The hacker managed to take over my account twice in a row. When Sony’s support sent me a link to get it back the hacker also gets it at the same time.” He emphasized that the breach did not involve session hijacking or malware, adding, “There was no Cookie Hijacking involved: It’s a fatal security flaw with Sony’s security systems.”
Lellouche claims the attacker relied on internal customer support tools to request full ownership of the account without needing a password or passkey. “He can ask for full ownership of a PSN account without a password or passkey because he uses internal tools,” Lellouche said. According to his account, the only information required to initiate the takeover was the associated email address.
When asked why his account was targeted, Lellouche pointed to a screenshot he shared years earlier that displayed his email address. “Because I posted a screenshot a few years back where my mail address was visible,” he explained, adding that “Dozens of people are apparently collecting screenshots of that type to take over accounts and making sure the owners never manage to get them back.” He further warned that, in this scenario, “Passkey and 2FA are useless, only the mail address is needed.”
As of his last update, Lellouche said his ability to regain access depended entirely on the attacker’s cooperation. “Will I ever get back my account? It all depends on the guy’s honesty,” he wrote, noting that communication had stalled after the hacker initially explained the process. He also stated that Sony needs to “urgently shut down its account recovery process to patch the vulnerability.”
Lellouche indicated that he plans to contact Sony directly and continue documenting the incident. He also noted that the attacker offered to demonstrate the exploit on video by compromising another account, an offer Lellouche said he was not comfortable accepting. The case raises concerns about potential weaknesses in account recovery workflows and highlights how social engineering through official support channels can undermine even advanced user-side security measures.

