It seems that the PlayStation Network’s history of vulnerability continues, as a French journalist has reported that his account was taken over with a leaked transaction number. Nicolas Lellouche posted to X (formerly Twitter) about the security issue, which led to his account being hacked twice in one night.
Writing for Numerama, Lellouche details further how he “befriended” the hacker, who was more than happy to speak. So how did a stranger gain access to an account protected by a passkey?
Customer support.
The apparent requirements for accessing the PlayStation Network were a username and a transaction ID, with no time limit on when they could be obtained.
When Lellouche finally got his account back, the hacker simply took it back through the same methods. They erased everyone from Lellouche’s friends list, bought something with the connected PayPal account, and changed all the details.
Some on Reddit are arguing that part of the blame lands at Lellouche’s feet. In a 2023 article, he posted an image that accidentally included a transaction ID. Since the ID came from a screenshot he posted himself, this isn’t the “fatal security flaw” other outlets have described, at least not in the sense the pedantic Redditors expected. Instead, it’s a very mild social engineering exploit that shouldn’t exist.
There should be a hard limit on transaction IDs, especially as the ecosystem moves to digital. Sure, some accounts might never make a transaction, but then we shouldn’t even be using this as a way to authenticate people either.
Did no one at the customer support center think it was weird that a person called and then changed everything?
Someone once logged into my Steam account from another country in 2009, and Steam’s support blocked it immediately. I can’t even log into my Xbox anymore without at least two authentication jumps.
However, what those Redditors have failed to do is a little bit of research. Despite Lellouche’s mistake, an endless stream of PlayStation hacks remains active.
Entire networks dedicated to hacking PlayStation accounts
As detailed in a few social media posts on X by GGmuks Inc., a development team, and by content creator Hakoom, it’s grisly out there.
GGmuks details that co-owner David had his account hacked, also by a talkative hacker. They also confirmed that customer support can be tricked into changing things with just a username. It’s unverified whether or not the hacker’s claims about support being based in Columbia are true.
There’s also “nich.legend” on Instagram, who allegedly actively sells accounts from PSN and other services. They have nearly 900K followers and reportedly run a Telegram channel, where details are actively shared.
Sony has a big problem on their hands if this continues
These types of operations aren’t new, but the ease of the hack is a massive oversight by Sony. Despite Two-Factor Authentication being on via PassKeys, there was no attempt to figure out whether it was a phishing scam or not.
These are the basics of tech support, and it’s clear that the PlayStation Network has a massive vulnerability point in its customer service.
This was highlighted by Hakoom, who had his account hacked, despite being a partner with the PlayStation brand. He eventually recovered the account, but moved away from the PlayStation ecosystem after that.
It’s a problem that further compounds issues that have cropped up over the years. Most famously, in 2011, Sony had a massive data breach that took down PSN for nearly a month, with 77 million accounts put at risk.
Last Updated On: Dec 24, 2025 5:33 pm CET