Published May 18, 2011
Sony's PlayStation Network password-reset page, built following a weeks-long outage after hackers breached the company's network and compromised over 100 million online accounts, is itself temporarily offline -- for security reasons, the company said.
But it's not another hack, Sony insisted in a blog post late Wednesday.
"Contrary to some reports, there was no hack involved," wrote Patrick Seybold, Sony's senior director of corporate communications and social media. "In the process of resetting of passwords there was a URL exploit that we have subsequently fixed."
The page was built to encourage PlayStation users to reset their passwords after Sony reinstated the PlayStation Network, a system that links gamers worldwide in online play. But that password reset page is itself down following discovery of the security flaw.
Gaming website Nyleveia discovered the flaw on Tuesday. It let hackers change any account's password simply by entering an email address and a birth date.
“Despite the methods currently employed to force a password change when you first reconnect to the PlayStation network, your accounts still remain unsafe,” Nyleveia.com wrote. “A new hack is currently doing the rounds in dark corners of the Internet that allows the attacker the ability to change your password using only your account’s e-mail and date of birth.”
The site did not provide additional details, citing security concerns.
"We for rather obvious reasons do not want to elaborate further on the exact details of the exploit, on the off chance that when the web based interface for PSN is restored the exploit has not been patched," wrote the site, which claimed to have alerted Sony to the exploit.
Early in May, Sony denied claims that the PlayStation.com website was hacked as well, following outages at that site. The company chalked the outage up to a new security measure rather than the work of hackers as first suspected.
Sony was heavily criticized over its handling of the network intrusion. The company did not notify consumers of the breach until April 26 even though it began investigating unusual activity on the network April 19.
Sony had said at the time that personal data from 24.6 million user accounts was stolen in the hacker attack last month. Personal data including credit card numbers might have been stolen from another 77 million PlayStation accounts, said Sony Computer Entertainment spokesman Satoshi Fukuoka.
He said Sony has not received any reports of illegal uses of stolen information, and the company is continuing its probe into the hacker attack. He declined to give details on the investigation.
Last month, U.S. lawyers filed a lawsuit against Sony on behalf of lead plaintiff Kristopher Johns for negligent protection of personal data and failure to inform players in a timely fashion that their credit card information may have been stolen. The lawsuit seeks class-action status.