PlayStation Network faces a critical security vulnerability that allows hackers to bypass two-factor authentication and passkey protection using only transaction IDs from old invoices. The flaw lies in PlayStation customer service protocols: support staff grant account access to anyone who provides a PSN username and a transaction number from any purchase, regardless of year.
French journalist Nicolas Lellouche discovered the vulnerability after hackers compromised his account twice in December 2025 despite two-factor authentication being enabled. The hackers changed his email address and password and charged €9.99 to the account. When Lellouche contacted PlayStation support to recover the account, representatives required only his username and a transaction number from an old invoice to restore access.
According to the investigation, PlayStation customer service has an internal tool that can reset the account email even if the account is protected by two-factor authentication and a hardware passkey. The support verification process completely bypasses the digital security layers, making all technical protections useless. Hackers contacted by Lellouche revealed that they found a transaction number posted in an old article online and used it to claim account ownership.
The security flaw is a policy problem rather than a software bug: customer service prioritizes analog data over digital security measures. Sony promised to mark Lellouche’s account as a high-risk account in which customer service must not intervene, but the protection lasted only six months. Hackers compromised his account again in May 2026, proving the flaw remains exploitable.
Sony has not fundamentally changed its support policies six months after the initial reporting. Users should never share transaction details or purchase screenshots online, as even innocuous invoice numbers enable complete account takeover.
