Sony does not need to lose a single password database for a PlayStation Network account to disappear. Attackers have found a simpler path: call PlayStation Support, recite an email address and an old purchase detail pulled from a years-old receipt, and wait for a support agent to hand over the keys. No malware. No phishing page. No brute-forced password. Two-factor authentication and even hardware-backed passkeys are irrelevant, because the attack never touches them – it walks straight through the human verification layer behind Sony’s own help desk.

The exploit has circulated since roughly November 2025, but stayed a niche complaint until two cases forced it into the open: French tech journalist Nicolas Lellouche, hacked twice on the same account, and podcaster Colin Moriarty, whose public ordeal in mid-May 2026 turned scattered victim reports into a full-blown security story. Months later, Sony still hasn’t issued a public acknowledgment, patch timeline, or statement of any kind – even as the account-takeover fraud industry it now belongs to is measured in the billions of dollars a year.

What’s Happening to PlayStation Network Accounts

Since late 2025, a growing number of PlayStation Network users have reported losing access to their accounts through a method that has nothing to do with weak passwords or reused credentials. The pattern is consistent across the publicly documented cases: a victim who has done everything security guidance recommends – a strong unique password, two-factor authentication turned on, sometimes even a passkey registered – still ends up locked out within minutes, with their linked email address changed and their recovery options stripped by the time they notice.

What makes this wave of PlayStation account hacked reports different from a conventional breach is where the failure sits. There’s no evidence of a Sony server compromise, no leaked credential database, no phishing kit for sale. The weak point is Sony’s own customer support workflow – specifically what an agent is willing to accept as proof that a caller owns the account.

Victims have ranged from casual players to some of the platform’s most visible community members, and the reporting so far – from outlets including GamingBible, GameRant and NoobFeed – describes a support process that, in practice, treats a purchase receipt as stronger proof of identity than the second factor the account owner set up specifically to prevent this.

Inside the Exploit: How Attackers Beat Two-Factor Authentication

The Two Pieces of Information Attackers Need

Based on victim accounts, the bar for a successful takeover is remarkably low. An attacker needs a target’s PSN ID or linked email address, plus one detail tied to a past PlayStation Store purchase – a transaction ID, an approximate date, or a price paid. That’s the kind of information that can sit in an old confirmation email, a shared screenshot, or even a guess informed by a public trophy list.

With that pair of details in hand, the attacker contacts Sony support – sometimes reportedly spoofing a caller ID to appear as the account owner – and asks for help “recovering” the account. Per multiple victim accounts, a support representative processes the request as an identity match and changes account details on the spot.

What Happens Once Support Is Convinced

Once a support agent accepts the claim, the reported outcome is total account transfer: the linked email address is changed to one the attacker controls, two-factor authentication is disabled, and any registered passkey is removed. From that point, the original owner has no working recovery path, because the very channels meant to prove ownership – email and second-factor codes – now belong to the attacker.

Security researchers describe this as a textbook example of an attack that skips authentication entirely rather than defeating it. Passwords, one-time codes, and passkeys protect the login step – none of them protect the recovery step if that step accepts low-entropy, easily reconstructable information as proof of ownership.

The Case That Made It Impossible to Ignore: Colin Moriarty

The incident that pushed this story into the mainstream gaming press involved Colin Moriarty, a former IGN PlayStation editor, Kinda Funny Games co-founder, and host of the Sacred Symbols podcast. On May 18, 2026, Moriarty reported that his PSN account – built up over roughly two decades and carrying a library of hundreds of digital games – had been hijacked despite having both two-factor authentication and a passkey active.

The attackers didn’t stop at taking the account. They used it to send a message to Moriarty’s Sacred Symbols co-host, Dustin Furman, reading simply: “You’re next.” Kotaku’s coverage of the incident framed it as a targeted, almost taunting move rather than an opportunistic grab.

Moriarty regained access in about three hours – a recovery time he was candid about attributing not to Sony’s standard process, but to two decades of personal relationships inside the company built through his media career. He has been explicit in public comments that an ordinary player without those connections would likely still be locked out. That distinction matters: a security failure that can only be reversed through personal favors isn’t fixed, it’s just survivable for a small, well-connected minority.

The story took a stranger turn after recovery. Once locked out again, the attackers reportedly triggered what Moriarty described as a dead man’s switch: sending slurs through his hijacked account, then reporting those same messages to Sony’s automated moderation systems. The result was a permanent ban on Moriarty’s own account, applied after he’d already regained control – reversed again only through his contacts. It’s a detail that shows how one weak process, support-side identity verification, can cascade into a second one turning against the victim.

Not a One-Off: Nicolas Lellouche Was Hacked Twice

Moriarty’s case wasn’t the first, and it wasn’t isolated. French tech journalist Nicolas Lellouche had already gone through the same ordeal months earlier, in December 2025. After that first takeover, Sony reportedly applied a temporary “high-risk” protective flag to his account – an internal marker meant to trigger extra scrutiny on any future recovery attempt.

That flag apparently expired. On the night of May 13, 2026, Lellouche was hacked again, on the same account, using what reporting describes as the same underlying method. RespawnFirst reported the second incident days before Moriarty’s case broke, noting that the exploit remained unpatched roughly six months after it was first flagged. A temporary flag that quietly lapses is not a fix – it’s a snooze button, and Lellouche’s repeat victimization is the clearest evidence yet that Sony’s stopgap measures aren’t holding.

DateDevelopment
~November 2025Exploit first surfaces in security and player reports, later cited by RespawnFirst as the origin point
December 2025French journalist Nicolas Lellouche’s PSN account hijacked for the first time; Sony applies a temporary high-risk flag
Dec 2025 – Apr 2026Scattered further reports, including high-profile trophy hunter “Hakoom” losing account access
May 13, 2026Lellouche’s account hijacked a second time after the protective flag lapses
May 14, 2026RespawnFirst reports the exploit unpatched roughly six months after it was first flagged
May 18, 2026Colin Moriarty’s account hijacked; disclosure goes viral, mainstream gaming press picks up the story
May 20–23, 2026Wide coverage across Kotaku, GameRant, Push Square and others; “be careful” advisory from Sony support channels
June 2026Sony quietly posts Senior Fraud Strategist job listings in San Mateo and London; no public statement issued
July 2026Exploit still confirmed active by affected users; no official fix or timeline announced

Who’s in the Crosshairs

Three Groups Attackers Appear to Target

Moriarty’s own public breakdown of the pattern, echoed across other reporting, points to three overlapping groups of victims rather than a random sample of PSN’s user base:

  • Prominent gaming media figures and public personalities – accounts with visibility that make an attack itself newsworthy, or that carry social proof an attacker can exploit against friends and followers
  • Serious trophy hunters and completionists – players who have invested years into building rare platinum-trophy records, making the account itself a trophy for the attacker; the case of veteran trophy hunter “Hakoom” losing account access fits this pattern
  • Holders of rare, short PSN IDs – usernames registered in 2006 and 2007, when the PlayStation Network first launched, which carry collector’s value in some corners of the community much like short handles on other platforms

All three groups share something worth the manual effort a phone-based attack requires. Unlike credential stuffing, which runs against millions of accounts automatically, this exploit needs a live conversation with a support agent per victim – meaning attackers are choosing targets, not spraying them.

Sony’s Response: Silence, Then a Job Listing

As of the most recent reporting, Sony Interactive Entertainment has not issued a public statement acknowledging the vulnerability, confirming a timeline for a fix, or offering guidance beyond generic account-security advice. eTeknix and EGW both note that instead of a public disclosure, Sony quietly opened Senior Fraud Strategist positions in San Mateo, California and London, with job descriptions focused on identifying fraud risk and protecting player accounts and assets.

The contrast with how Sony handles other announcements is notable. On July 1, 2026, the company published a detailed, proactive PlayStation Blog post explaining its decision to end physical disc production by January 2028 – a business decision, communicated clearly, well ahead of the date it takes effect. On an active account-security exploit that has now hijacked the same user’s account twice, the company has offered nothing on the record. Hiring fraud-strategy staff is a real, if slow, response; it is not the same as telling affected users what changed and when it will stop happening.

Why Passkeys and Two-Factor Authentication Couldn’t Stop This

It’s worth being precise about why modern authentication didn’t help here, because the honest answer isn’t “2FA is broken” – it’s that 2FA and passkeys were never designed to protect the account-recovery process, only the login process. NIST’s Special Publication 800-63A, the federal government’s own identity-proofing guidance, draws a hard line between authentication strength and identity-proofing strength, and treats “knowledge-based verification” – proving who you are by reciting facts about yourself – as one of the weakest tiers of identity assurance precisely because that kind of information leaks, gets shared, or gets guessed.

A purchase date or an approximate price sits squarely in that weak tier. It’s exactly the kind of fact that can appear in an old email, a shared screenshot, or a public trophy timestamp – nothing about it proves the caller is holding the account owner’s phone, authenticator app, or hardware key. The conceptual gap between a strong login check and a weak recovery check is straightforward to illustrate:

// Illustrative only – a conceptual sketch of the gap between
// a weak, knowledge-based recovery check and a stronger one.
// Not derived from Sony's actual support tooling.

function weakRecoveryCheck(claim) {
  // Low-entropy facts that can leak, be shared, or be guessed
  const reconstructableFacts = ['transactionId', 'purchaseDate', 'approxPrice'];
  const matches = reconstructableFacts.filter(fact => claim[fact]);
  return matches.length >= 1; // one match treated as "verified"
}

function strongerRecoveryCheck(claim, account) {
  const outOfBand = confirmOnTrustedDevice(account); // push to an already-registered device
  const coolingOff = enforceDelay(account, '24h');   // no instant ownership transfer
  const stepUp = requireFreshSecondFactor(account);  // re-prove possession, not just knowledge
  return outOfBand && coolingOff && stepUp;
}

The first function is, in effect, what victims describe Sony’s support process doing today. The second is closer to how Microsoft’s Xbox account recovery is documented to behave, and it’s a meaningfully higher bar precisely because it requires possession of something the attacker doesn’t have, not just knowledge of something they can look up.

PSN’s Security History: From a 77-Million-Account Breach to a Human One

This isn’t the first time PlayStation Network security has made global news, but 2026 is a different animal from the platform’s most infamous prior breach. In April 2011, attackers compromised Sony’s own servers directly, affecting data tied to roughly 77 million PlayStation Network accounts and taking the entire service offline for about a month.

The 2026 exploit requires none of that: no server breach, no malware, no leaked password database – the attack happens over a phone call, targeting a person rather than a system. That cuts both ways: it’s a far smaller-scale problem in raw account numbers than 2011, but arguably harder to fix, since the vulnerability lives in training and judgment calls made by support staff, reportedly spread across multiple outsourced call centers, rather than in a patchable piece of software.

How PlayStation Compares to Xbox and Nintendo on Account Recovery

Every platform holder has to solve the same problem: letting legitimate users back into locked accounts without letting attackers walk in behind them. How PlayStation, Xbox, and Nintendo document that process shows real differences in how much friction each accepts in exchange for security.

PlatformInformation used to recover accountWorks if 2FA/2-step is on?Passkey supportDocumented turnaround
PlayStation NetworkPSN ID/email plus one purchase detail (transaction ID, date, or price)Reportedly bypassed entirely in victim accountsYes – removable by attacker after takeoverSame call, per victim reports
Xbox / MicrosoftOld passwords, account creation date, remembered purchase or product detailsNo – official recovery form is disabled once two-step verification is activeYes~24 hours, manual review
NintendoPassword plus linked-account verificationRequires the second factor to proceedYes, via authenticator app registrationNot publicly detailed

The most telling line in that table is Microsoft’s own wording on Xbox account recovery: if two-step verification is on, the standard recovery form simply won’t work, and the user is routed into a slower manual review instead. That’s friction by design – Microsoft would rather make a legitimate user wait roughly a day than let a support workflow shortcut the second factor. Nintendo’s process similarly requires the second factor to proceed rather than treating it as optional. Neither is necessarily flawless, but neither has a documented, repeated case of a support agent transferring ownership on two pieces of guessable purchase information.

The Bigger Picture: Account Takeover Fraud Is Surging Industry-Wide

The PSN exploit is a single, specific process failure, but it’s landing inside an account-takeover fraud environment that has grown into a major line item for the entire industry – gaming platforms very much included, since a PlayStation account is effectively a financial account tied to a stored payment method and a digital game library worth real money.

MetricFigureSource
US account takeover fraud losses~$16 billionJavelin Strategy & Research, 2024 data
US consumers victimized by account takeover5.1 millionJavelin Strategy & Research, 2024 data
Year-over-year increase in ATO reports+36% vs. 2023Federal Reserve / FinCEN reporting summary, 2024 data
Total US identity-theft reports1.1 million+FTC Consumer Sentinel Network Data Book, 2024
Risk reduction from modern MFA>99%Microsoft Digital Defense Report 2025
Share of identity attacks that are “advanced” (i.e., actually defeat MFA)<3%Microsoft Digital Defense Report 2025
Passkeys in active use worldwide~5 billionFIDO Alliance, State of Passkeys 2026
Breaches where stolen credentials were the entry point22%Verizon 2025 Data Breach Investigations Report

That Microsoft figure is worth sitting with: fewer than 3% of the identity attacks in its telemetry actually defeat multi-factor authentication through technical means like token theft or adversary-in-the-middle proxies. The PSN exploit isn’t in that 3% – it doesn’t touch the cryptography or the authenticator app at all, it walks around all of it through a support conversation. That’s arguably more concerning, not less, since it needs none of the sophisticated tooling a technical MFA-bypass requires. Anyone who can hold a phone conversation and quote a purchase date can attempt it.

Sony is not the first major organization to discover that its support desk can be a bigger attack surface than its cryptography. In September 2023, the ransomware-affiliated group Scattered Spider researched an MGM Resorts IT employee on LinkedIn, then impersonated that employee in a call to MGM’s own IT help desk, convincing staff to reset the employee’s Okta identity-management credentials. That single social-engineering call, detailed in the 2023 MGM Resorts cyberattack, cascaded into a company-wide network compromise.

Coinbase faced a related but distinct version of the same weakness: rather than tricking a help desk from outside, attackers bribed a group of overseas contracted customer-support agents, who abused their legitimate access to steal account data belonging to roughly 70,000 customers, later used in a $20 million extortion attempt Coinbase refused to pay. Coinbase disclosed the incident publicly with a detailed account of what was taken – a level of transparency Sony has not matched here.

The pattern is the same across all three: no software vulnerability, just a verification process that trusted the wrong thing – a familiar voice, a plausible story, or a fact that looked like proof but wasn’t.

Market and Reputational Impact for Sony

Unlike a stock-moving earnings miss or a breach affecting tens of millions of records, the damage to Sony here is playing out in slower motion – reputational rather than financial, at least so far. Every fresh victim report renews press coverage and erodes confidence in a support process users can’t opt out of; a PlayStation account is a mandatory gateway to a paid digital library, not a service a frustrated customer can simply abandon.

There’s also a regulatory dimension shattered.io’s privacy-focused readers will recognize. Under frameworks like the EU’s GDPR, organizations processing personal data carry an explicit obligation – often summarized under Article 32’s “security of processing” requirement – to maintain verification and access controls appropriate to the risk. A process that reportedly lets a stranger strip 2FA and passkeys using a purchase date is a live test case for whether that obligation is being met, and gaming platforms already under scrutiny on other consumer-protection issues, from loot boxes to age verification, don’t need another regulatory flashpoint. There’s a quieter cost too: every affected account represents a real digital library, sometimes worth hundreds or thousands of dollars, with no chargeback-style recourse the way a stolen credit card has.

What PlayStation Users Should Do Right Now

Until Sony changes its support-side verification process, practical defenses are limited but not useless:

  • Use a unique, randomly generated email address for your PSN account rather than one that’s easy to find or guess from other accounts, since the email address is one of the two pieces of information attackers need
  • Delete old order-confirmation emails from the PlayStation Store, or at minimum avoid sharing screenshots of them, since a purchase date or price is the other piece of information attackers rely on
  • Avoid publicly discussing specific purchase dates, prices, or transaction details tied to your account on social media or forums
  • Set a distinct, unrelated recovery phone number and keep it current in your account settings
  • Watch for unexpected “account recovery” or “verification” emails from Sony you didn’t request, and treat them as an early warning sign rather than noise
  • If you lose access, escalate in writing and keep a paper trail – public reporting suggests direct industry contacts have been the deciding factor in successful recoveries, which is not a defense ordinary users should have to rely on, but a documented case history helps

None of this substitutes for Sony fixing the underlying workflow – it’s harm reduction for a problem the platform holder, not the player, is responsible for solving.

Predictions: Where This Goes From Here

  1. Sony will quietly tighten recovery rules rather than announce a fix. Expect a support-process change – likely requiring device-based or out-of-band confirmation once 2FA is active, mirroring Xbox’s approach – introduced without a dedicated security disclosure.
  2. The newly posted Fraud Strategist roles will become the public face of a slow-burn remediation. Their hiring is a real signal of internal concern, but a materially improved process likely won’t ship for months given typical hiring and rollout timelines.
  3. More named victims will surface before Sony acts. Moriarty and Lellouche went public because of their media platforms; the same exploit almost certainly has ordinary-user victims who have no way to get press attention or industry favors to recover their accounts.
  4. Regulators and privacy advocates will start asking pointed questions. Given active EU and UK scrutiny of gaming platforms on unrelated consumer-protection issues, a support process that can strip 2FA and passkeys is a plausible next flashpoint, particularly under GDPR’s security-of-processing obligations.
  5. Other platforms with outsourced support operations will face copycat attempts. Once a technique this cheap and effective is public, expect security researchers and opportunistic attackers alike to test whether Xbox, Steam, Epic, and Nintendo support channels have similar soft spots – even if their documented recovery processes currently look more resistant.

Frequently Asked Questions

What is the PSN account takeover exploit?

It’s a social engineering method in which attackers convince Sony PlayStation Support to transfer ownership of an account using only an email address or PSN ID plus one purchase detail, such as a transaction ID, purchase date, or price. It bypasses passwords, two-factor authentication, and passkeys because it targets the support process rather than the login itself.

Does this affect all PlayStation accounts, or just PS5 owners?

It affects the PlayStation Network account itself, not a specific console generation. Anyone with an active PSN account and a PlayStation Store purchase history is theoretically exposed, regardless of console.

Can two-factor authentication or a passkey stop this attack?

Not on its own. Every documented case involved a victim who had 2FA enabled, and at least one case involved a registered passkey. Both protections were removed as part of the account transfer once support approved the request, because the exploit never has to defeat them technically – it just gets them turned off from the inside.

Has Sony fixed the vulnerability?

Not according to public reporting. Sony hasn’t issued a statement acknowledging the flaw or confirming a fix, though it has posted Senior Fraud Strategist job listings in San Mateo and London – suggesting internal attention, but no announced timeline or process change.

What should I do to protect my PlayStation account right now?

Use a unique email address for your PSN account, avoid sharing or leaving old purchase confirmation emails easy to find, don’t discuss specific transaction details publicly, and keep your recovery phone number current. Treat any unexpected account-recovery email as a warning sign.

No. The 2011 incident was a direct compromise of Sony’s own servers affecting roughly 77 million accounts and taking the network offline for about a month. The 2026 exploit involves no server breach at all – it’s a support-process weakness exploited one account, and one phone call, at a time.

Are Xbox and Nintendo accounts vulnerable to the same kind of attack?

There’s no public reporting of an equivalent exploit against Xbox or Nintendo. Microsoft’s documented Xbox recovery process explicitly disables its standard recovery form once two-step verification is active, routing users into a slower manual review instead. Nintendo’s process similarly requires the second factor to proceed. Neither is guaranteed to be immune to a determined, well-resourced social engineer, but neither has a public, repeated case matching what’s been reported against PSN.

Why did it take so long for this to become a major story?

It circulated in smaller player and researcher reports for months after surfacing around November 2025. Two things pushed it into mainstream coverage: Nicolas Lellouche getting hacked a second time in May 2026 after his protective flag expired, and Colin Moriarty’s high-profile takeover days later, which came with a public platform and a willingness to describe exactly how the attack worked.