My Playstation Account Keeps Getting Stolen and I Need to Vent

NCR Ranger · Sep 19, 2018

Short version someone keeps using social engineering to steal my PSN account and Sony seems unwilling or unable to put an end it.

Long version is this. I wake up in the morning yesterday and am getting ready for the day. I get a text telling me that my two factor for PSN has been disabled. I of course know enough to know that that means I am fucked. I try to log into my PSN account and sure enough get a message telling me that my info is incorrect. I call up Sony and after playing the little are you who you claim to be I managed to get my account back. I change the email address and the password and set up 2 factor again. This isn't the first time it has happened in the lifetime of the account. Since this isn't the first time I am paranoid about this account and have it tied to an email address that also has two factor set up and a 100 character randomly generated password for it. I am positive at this point that my email hasn't been compromised. I have also changed it to another just as secured email address to no difference. My PSN account also has a 25-30 character randomly generated password that even I don't remember, a password manager does, and 2 factor set up. Somehow though this person bypass all that and they finally managed to bypass 2 factor this time as well.. I ask Sony if there is anyway they can lock down the account so this random jackoff can't do this again. They tell me they can't but will flag it as a sensitive account.

A little less then 24 hours pass and the same shit happens again. As you can imagine I am pissed. Two factor disabled, password and email changed, etc. Called up Sony and play the verification game again and am told that after a few days i should be able to get my account back. I am not holding my breath. The real kicker is that the rep told me that someone called in 4-5 times just today about this account. At this point I am positive the "hacker" is using social engineering to get this account and Sony doesn't seem to have anyway to stop an agent from not following procedure.

The account isn't tied to anything particularly valuable so I assume the person just wants the name, which isn't even that good of a username, and at this point it seems me and him will be having a tug of war over this account until one of us gets locked out. Right now it seems it could be either of us. I have no faith that Sony will fix this problem and I am pretty much just fighting over the account as a fuck you.

IzzyRX · Sep 19, 2018

Damn. Do you think he's got your personal info then?

D65 · Sep 19, 2018

Is your password manager compromised?

NCR Ranger · Sep 19, 2018

IzzyRX said:
Damn. Do you think he's got your personal info then?

Yeah he does have at least my real name, address, and mobile number. A credit card was tied to it that I forgot about, but already called the bank about that.

Airbar · Sep 19, 2018

D65 said:
Is your password manager compromised?

Ding ding, this sounds like the most likely scenario. I can't imagine Sony deactivating 2-factor auth for a PSN account just because someone calls them up.
If I'm wrong this is shitty security by Sony. What use is 2-factor auth if all you need is to call support?

Windu · Sep 19, 2018

Seems like Sony needs better security policies at their help desk...

How do they verify you when you call? I would ask them to change that verification and not accept the old one.

ev0 · Sep 19, 2018

This keeps happening to a friend of mine too. Its insane. I cant think of anything other than social engineering. Hes changed his passwords, emails, reanabled 2FA and everything but then he gets logged off a digital game and finds out someone changed his primary console. Then the next week he cant log in again,
Feel for you OP, have no idea how this can be fixed

JustinH · Sep 19, 2018

I didn't know such a thing was possible. Is that all the person would need to convince a customer service rep? The full name, address, and mobile number?

NCR Ranger · Sep 19, 2018

D65 said:
Is your password manager compromised?

No sign that it is, but changed the password just to be safe.

I forgot to mention that he sent me texts telling me to back off, but all the info he tried to threaten my with is tied to my PSN account. If he had my password manager he could of used far worse.

BlkSquirtle · Sep 19, 2018

Try using the password manager password and then alter it, literally write down the new password on a piece of paper. After that, I'd be convinced I have a keylogger on my pc/mobile and/or social engineering because all of this is ridiculous.

androvsky · Sep 19, 2018

I thought one of the side effects of 2-factor is that it's nearly impossible get your account back if it's lost. If you can get it back from the hacker just by calling support, the hacker can keep stealing it using the same methods you are using to get it back. I guess all I can say is good luck, maybe Sony can at least look at the IP address where the account was used before the first call to support.

D65 · Sep 19, 2018

Almighty said:
No sign that it is, but changed the password just to be safe.

I forgot to mention that he sent me texts telling me to back off, but all the info he tried to threaten my with is tied to my PSN account. If he had my password manager he could of used far worse.

You're being specifically targetted? Um, call the police?

Hassel · Sep 19, 2018

Please post the exact wording of his texts to you

Pikagreg · Sep 19, 2018

Can you change the security questions or something else maybe that is tied to your account to prevent him from getting it again?

Ant_17 · Sep 19, 2018

Almighty said:
No sign that it is, but changed the password just to be safe.

I forgot to mention that he sent me texts telling me to back off, but all the info he tried to threaten my with is tied to my PSN account. If he had my password manager he could of used far worse.

Dude, call the cops. This is a direct attack, not some random dude looking to steal your account.

Francesco · Sep 19, 2018

Similar thing happened to me.
It's shit, I'm sorry you're going through it.

Windu · Sep 19, 2018

D65 said:
You're being specifically targetted? Um, call the police?

Yeah I would escalate this if the guy is sending threatening text messages and knows your address.

Abaddon · Sep 19, 2018

Airbar said:
Ding ding, this sounds like the most likely scenario. I can't imagine Sony deactivating 2-factor auth for a PSN account just because someone calls them up.
If I'm wrong this is shitty security by Sony. What use is 2-factor auth if all you need is to call support?

Thing is, even if the password manager was compromised they'd still need to get access to OPs phone as Sony refuse to use anything other than text for 2FA. Unless Sony are deactivating it based on the hacker providing the password over the phone, in which case as you say it isn't worth a damn at that point.

Edit: Yeah, if the culprit is texting you I guess there's a chance he's somehow intercepting the 2FA text. Keep the texts and pass them onto the police as it's definitely targeting you maliciously.

Airbar · Sep 19, 2018

androvsky said:
I thought one of the side effects of 2-factor is that it's nearly impossible get your account back if it's lost. If you can get it back from the hacker just by calling support, the hacker can keep stealing it using the same methods you are using to get it back. I guess all I can say is good luck, maybe Sony can at least look at the IP address where the account was used before the first call to support.

IANAL but doesn't this actually constitute an act of thievery? At least in the EU it is that way I think.
I mean if he texts you, you got a number. Go the police, point them at Sony who could provide them with an IP address and you might be in luck. Might as well change the security question. Give changing your password a try on a mates PC/laptop/phone.

Kthulhu · Sep 19, 2018

Airbar said:
Ding ding, this sounds like the most likely scenario. I can't imagine Sony deactivating 2-factor auth for a PSN account just because someone calls them up.
If I'm wrong this is shitty security by Sony. What use is 2-factor auth if all you need is to call support?

It's that way for a lot of companies. Most don't bother to be more secure than that because 99% of their customers aren't going to get spear phished.

Kimchi_Breath · Sep 19, 2018

I really want to know your PSN name now. It must be amazing if this guy has been going through so much trouble to steal it from you.

dom · Sep 19, 2018

Do you have the console that originally was used to make the account still? If so, that serial number could be a key to help prevent more successful attacks.

Deleted member 5764 · Sep 19, 2018

That sucks OP! Is it possible to change your personal info on the account to someone this jerk doesn't have? Be it a friend or another family member or something?

Deleted member 17676 · Sep 19, 2018

If he's calling up as Sony then he's using one of those spoof apps which you can use to show your caller ID as anything.

When in reality Sony should use their head and tell the guy we going to text you a verification code so we know it's you. As on these apps you can't receive texts.

Creamie · Sep 19, 2018

IF the password manager is compromised, I am sure the "hacker" would go after things far more lucrative than a PSN account.

SoftTaur · Sep 19, 2018

Kimchi_Breath said:
I really want to know your PSN name now. It must be amazing if this guy has been going through so much trouble to steal it from you.

Nice try, Hackerman.

:P

Deleted member 268 · Sep 19, 2018

You're in contact with the dude jacking your shit?

SillyGoose · Sep 19, 2018

It has to be social engineering. This happens to ecelebs a lot with their cell phones. Sony just needs to up their security (lol).

Deleted member 135 · Sep 19, 2018

Almighty said:
No sign that it is, but changed the password just to be safe.

I forgot to mention that he sent me texts telling me to back off, but all the info he tried to threaten my with is tied to my PSN account. If he had my password manager he could of used far worse.

Forward these texts to PlayStation if possible. Maybe they can IP ban the guy from even trying to log in or something.

Also if the guy actually threatened you or threatened to blackmail you or something contact the police.

BAN PUNCHER · Sep 19, 2018

New email address (preferably with a different email service), new phone number just for the 2FA (buy a 'burner' SIM for a few bucks just to get a new number), new password made up of lowercase letters, uppercase letters, numbers and symbols with as many characters as you can enter and write it on a piece of paper and sew it into your underpants if you have to just keep it away from any password managers or anything connectable to the internet. Sign out all sessions for anything you are connected to, go through your social media accounts and remove information like birthday, addresses and phone numbers (too late this time but no point making it easy for next time). Run your virus software. Have you bank cancel your current credit card you had associated with PSN and reissue a new card. Write the number you are receiving texts from on a bunch of public restroom walls preceded by 'For a good time call...'

NCR Ranger · Sep 19, 2018

Calling the police might not be a bad idea. Sadly my dumb ass deleted all the texts.

As for the password manager that shit is on lockdown with two factor and all that and even if he got some login info the company can't really do anything with it as the encryption is all done locally using the email and password and they don't get access to both.

balohna · Sep 19, 2018

I kept getting locked out of my account so I set up 2 step verification. Now I get 2-step texts like every day.

So not even "my account is stolen", just "people are trying to brute force into my account about once a day". I don't know what the solution is for this kind of stuff, but I wish there was one.

NCR Ranger · Sep 19, 2018

Abaddon said:
Edit: Yeah, if the culprit is texting you I guess there's a chance he's somehow intercepting the 2FA text. Keep the texts and pass them onto the police as it's definitely targeting you maliciously.

I assumed he got the mobile number when he got into the account. The annoying thing is I don't get any two factor texts or anything until I get one and an email telling me it was deactivated.

RexNovis · Sep 19, 2018

Somebody is texting you threats telling you to back off of?!? That's insane. Op if you'd u have any personal identifying information on social media you should delete it ASAP. File a police report about the threatebeubg text messages then change your mobile number. Save the police report so you can send a copy to Sony and then update your account with a new phone number (that isn't posted anywhere online).

Surely either this has to be someone you know or someone who has access to your social media accounts and that is how they have your info. Either way this is definitely something to take to the police. Why on earth have you not done this already?

Alec · Sep 19, 2018

Almighty said:
Calling the police might not be a bad idea. Sadly my dumb ass deleted all the texts.

As for the password manager that shit is on lockdown with two factor and all that and even if he got some login info the company can't really do anything with it as the encryption is all done locally using the email and password and they don't get access to both.

Sounds like this person might know who you are IRL. Change your security questions and stuff, too?

Creamie · Sep 19, 2018

Sony needs a better 2FA method than SMS that can easily be compromised.

IzzyRX · Sep 19, 2018

Almighty said:
I forgot to mention that he sent me texts telling me to back off, but all the info he tried to threaten my with is tied to my PSN account. If he had my password manager he could of used far worse.

Call the cops, this is too much.

Metalmurphy · Sep 19, 2018

How is he disabeling the 2factor? Don't you actually need to 2 factor authenticate first to do that? Does he have access to your texts?

NCR Ranger · Sep 19, 2018

Metalmurphy said:
How is he disabeling the 2factor? Don't you actually need to 2 factor authenticate first to do that? Does he have access to your texts?

That is what i want to know. It is also why I assume this is on Sony's end because I don't get two factor texts until I get one combined with an email telling me it has been disabled. Combined with the Sony reps telling me someone has called them many times right before it happens.

VirtuaRacer · Sep 19, 2018

Almighty said:
I assumed he got the mobile number when he got into the account. The annoying thing is I don't get any two factor texts or anything until I get one and an email telling me it was deactivated.

Then you haven't set it up correctly.

Also, it doesn't tell us how this person got into your account in the first instance. Enter your PSN email address in https://haveibeenpwned.com/ to determine if your email is public facing.

Edge · Sep 19, 2018

How can someone bypass 2 factor? I thought that's 100% secure because, you know, he actually needs the code that you get on your phone?

NCR Ranger · Sep 19, 2018

VirtuaRacer said:
Then you haven't set it up correctly.

What do you mean. I go set it up do the whole verification did you get the code thing and it all seems fine. I test out the log in by trying to log in and it sends my codes like it is supposed to. I than go to bed and when i am getting ready the past two days I get a text telling me it is deactivated.

atmuh · Sep 19, 2018

I'm sorry to ask, what is social engineering?

Brannon · Sep 19, 2018

Change your security question to something that doesn't match, like say

Q. "What is your favorite movie?"

A. "The United States of Sexy"

Q. "Where were you born?"

A. "Kill Bill 4 Revengeance"

(Yes they are deliberately swapped)

Then put that info in your password manager because if you aren't going to remember that nonsense, the hacker sure as hell isn't. Never use real info for security questions, make it YOUR info. They'd literally have to be in your head to get it.

Orb · Sep 19, 2018

You're getting fucked royally from some other source. If you are using a unique email address, unique password, and two-factor auth, there is some major security hole that exists somewhere outside of Sony. Maybe you have a keylogger or something?

EDIT: I missed the part about you getting texts from the hacker. That's wild. As someone suggested above, they may be using security questions they know the answers to in order to social engineer Sony support into getting them to reset your account or something. Change all those. Change everything you can to something completely random that no one would ever be able to guess in one fell swoop.

Sounds like the mobile number could be the real problem here, though. Can you change it to like a Google Voice number or something? In fact, given your unique situation, it might be safer to remove the phone number from the account altogether and not use two-factor auth. You need to 10000% make sure you are using a random, unique, high-entropy email address and password in that case, though.

Greigor the FellHand · Sep 19, 2018

Almighty said:
Calling the police might not be a bad idea. Sadly my dumb ass deleted all the texts.

As for the password manager that shit is on lockdown with two factor and all that and even if he got some login info the company can't really do anything with it as the encryption is all done locally using the email and password and they don't get access to both.

contact your phone service, they'll have a log of texts you can request

Dark_EMT · Sep 19, 2018

How are some accounts so susceptible to being hacked? I've had mine since before the big hack and I've never had anything weird going on. My account is over 10 yrs old!

CannonFodder52 · Sep 19, 2018

Sorry OP, that sounds awful.

Do you have a 3 or 4 character PSN name or something like that.

Deleted member 2533 · Sep 19, 2018

Almighty said:
Calling the police might not be a bad idea. Sadly my dumb ass deleted all the texts.

As for the password manager that shit is on lockdown with two factor and all that and even if he got some login info the company can't really do anything with it as the encryption is all done locally using the email and password and they don't get access to both.

Inform the police anyway, that should get you a case number, that will allow you or the police to get the relevant texts from your phone company's records.

DirtyLarry · Sep 19, 2018

Edge said:
How can someone bypass 2 factor? I thought that's 100% secure because, you know, he actually needs the code that you get on your phone?

This is my question as well. Is it possible somehow this person is spoofing your phone or something along those lines?
Sounds like a fucking nightmare. Holy shit.

My Playstation Account Keeps Getting Stolen and I Need to Vent

One Winged Slayer

Attempted to circumvent ban with alt account

▲ Legend ▲

User requested account closure

User requested account closure

User requested account closure

Hero of Bowerstone

A King's Landing

One Winged Slayer

User requested account closure