Just a few days after Sony jump-started the hacker-plagued PlayStation Network comes word of another potential vulnerability, although it doesn’t appear that any additional PSN account info has been stolen (or at least, not yet).
The deal, according to Eurogamer: apparently, a flaw in web-based PSN sign-ins allows attackers to access an account if they have the victim’s account email address and date of birth. Unfortunately, those two pieces of private information were among the treasure trove of data scooped up by the hackers who raided the PlayStation Network last month.
The good news: Sony has already closed down any and all web-based PSN sign-ins, presumably while its engineers work to pin down the exploit. The bad news? Security experts are advising those of us who haven’t yet changed the email addresses associated with our PlayStation Network accounts to do so at once—and according to the site that first discovered the security hole, you should devise “a completely new email that you will not use ANYWHERE ELSE.” Ugh.
To change your PSN email address, go to the PlayStation Network hub on the menu of your PlayStation 3 console, select Account Management, and then Sign-In ID (E-mail Address).
Update: Here’s a new official response from Sony, which claims that “no hack was involved” in the discovered “URL exploit”:
“We temporarily took down the PSN and Qriocity password reset page. Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.
“Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the website as soon as we bring that site back up.”
Good news, I suppose. I just wish we could get through an entire week without news of any more PlayStation Network security holes.
Sony’s PSN password page exploit [Eurogamer]