The Nefarious Method That Thieves Are Using To Steal Your PSN Account


Thieves are using the Deactivate All function to hijack your primary PSN and you might not even know about it…

Before we go any further, if you’ve not got 2-factor authorisation activated on your PlayStation Network Account, go and activate it now. It’s okay, I’ll wait… You’re back? Cool. I’ll continue…

A quick precautionary tale – Just over a year ago, my wife called me at work to say that something weird was going on with the PS4. She was trying to watch Netflix but she kept being interrupted by a boot screen on the PS4 that said my PSN account had logged into a different PS4. I instantly got that sinking feeling – I’d always been pretty careful about what passwords I used, had never game shared and felt like I was smart enough to avoid most phishing scams. I obviously wasn’t careful enough. I asked my wife to quickly and repeatedly log in to my PSN account to combat whoever was trying to log in to my account from a different PS4, repeatedly logging them out in the process, and eventually they stopped trying. An hour later, I managed to log into my PSN account from my phone and change the password and I didn’t think anything more of it.

It wasn’t until a few months later that I realised what they’d done.

I’d finally bought a PS4 for my step-son and having set up his PSN account, I decided to add mine to the Users on his system and download a few games I’d purchased over the years (namely Minecraft) for him to play. We set a few games to download and left the PS4 running. When we came back, the games had downloaded but we couldn’t start them. They all had a padlock symbol on them when viewing them from my step-son’s PSN account which disappeared when we logged into my account. I did some quick Googling and realised that I needed to make my PSN account the “Primary” PSN account on his PS4 to enable him to play games that I own. Remembering that I’d set my own PS4 as my “Primary” when I first set it up, I booted up my PS4 and went to deactivate it so that I could activate it on my step-son’s – only my PS4 wasn’t my “Primary” and when I tried to activate it, it said that another PS4 was already activated as my Primary and I’d need to remove that before activating my own PS4 again. It took 6 months of phone calls with Sony Customer Service to get this fixed and meant that I had to set up a new PSN account to continue reviewing games.

So, somehow, someone had managed to deactivate my PSN account as my PS4’s Primary account and activate it as the Primary on a different PS4. How did they do it? After a year of searching, I finally have an answer thanks to a talkative PSN thief and account seller who agreed to speak with me…

Initially, it takes a little bit of luck. Using publicly posted/purchased lists of emails and passwords that have been lifted during hacks…

“Yahoo, ClixSense and AFF were good for us. You’d be surprised by the number of people that use the same email address and password for every online account they use. We took some lists from hacks, set up some bots and we started to get some luck on PSN. We even managed to hack a few of the smaller PlayStation trophy tracking websites ourselves and 90% used the same username and password as PSN”

Gaining control over PlayStation Network Primary accounts is relatively straightforward once they’ve found a username and password that work.

“We’d log in to the PlayStation website and use the ‘Deactivate All’ function. This removes any Primary accounts without notifying anyone. We check it on the PS4 and then we sell them on”

The issue for the victims here is that the “Deactivate All” function on PSN can only be used once every 6 months. In my case, and a few other victims of this scheme that I’ve spoken to, Sony Customer support weren’t very helpful or understanding either. This has reportedly improved recently with Sony willing to trigger another “Deactivate All” from their end within the 6 month window.

“I imagine most of the PSN accounts we sell don’t even know they’ve been sold. They won’t ever notice unless they go looking. We sell them, the buyer makes the account the primary and downloads what they want to play. Unless they login at the same time. That has happened.”

And how much would your PSN account sell for and where are they sold?

“Depends. We don’t get too much for most of them. More than half are total junk. PlayStation Plus games and not much else. Some have 1 worthy game we can flip for $30. The best accounts have 30 or more games that are good or recent. We can sell them for $1000+. Average? About $250. $300.”

“We sell on websites. Paypal and sometimes Bitcoin. The auction websites. I’m not going to name names. Forums. Reddit and Chan. Sold one to a drunk in bar. haha”

But 2 Stage Authorisation is making it hard for the thieves to sell on your PSN account. Using 2 Step Authorisation prevents access to your account unless it’s also confirmed by your mobile phone.

“It fucked me on day 1. I had 30 emails saying the passwords didn’t work. It has gotten easier and tougher. Still a lot of PSN accounts we tap don’t have 2-step but we can’t tell if the password is right, wrong or it’s just 2-Step.”

So, how can you prevent the theft of your PSN account via this method?

  • Activate 2-Step Authorisation – Now!

  • Use unique passwords for each of your online accounts.

  • Use HTTPS connections wherever possible.

  • Use a dummy email address specifically for each one of your online accounts.

  • Check that your PSN account is allocated as your PS4 Primary and if it’s not when it previously was, contact PlayStation Support.

You can read more on this subject at Destructoid and Kotaku.

 

6 Comments
  1. DarthDiggler 9 months ago

    “It took 6 months of phone calls with Sony Customer Service to get this fixed and meant that I had to set up a new PSN account to continue reviewing games”

    I find this hard to believe. Sony can deactivate any PS device as the primary device. I have done it twice for my PS3 and the issue was resolved in 1 phone call.

  2. […] Fingerguns.net recently spoke to a PSN hacker and got some insights into exactly how they operate: […]

  3. Rob 9 months ago

    So you spoke to one of these hackers so why not turn them in. Why not try and get those underground sites shut down. This is obviously a crime but you make it sound like you’re ok with the whole thing and if someone pays $1000 for a PSN account then they have the money to buy games.

    • Sean Davies 9 months ago

      The hacker spoke to me anonymously via Skype. The website where I initially contacted him/her is a “PSN account resale” website on which people are legally allowed to sell their own PSN account. I’m absolutely not okay with people stealing and selling people’s PSN accounts (in case you missed it, mine was stolen too!?) but beyond the details I’ve already provided to Sony, I’ve no legal recourse.

  4. […] our existence, we’ve done just that. Paul looked at what Brixton has to offer to Watch Dogs 3. We interviewed a hacker on how they go about stealing your PSN account. We investigated what Gods and monsters were likely to tear limb from limb in the new God of War. […]

  5. vman10809 8 months ago

    Actually it’s not hard to believe, had almost the exact same thing happen to me. One day I tried to switch my new Pro to primary from my standard PS4, and it kept telling me another PS4 was activated as my primary, one that I have no idea where it was. I logged into my PSN account, and found out the “deactivate all consoles” had already been used and I couldn’t do it again for 6 months. Researched and found out my account had been hijacked as described most likely.

    I first attempted to deactivate online from a special request form you can do with PSN. I got an unable to reset consoles, email about 30mins later from PS tech support and I would have to wait 6 months… So, I called PS support directly and they were very unwilling to help me, and accused me of giving out my password and not having my account secure, etc, etc. So after escalating to a manager who was even worse, and me getting very pissed off at the lack of caring or empathy, or unwillingness to deactivate my consoles, which I know they can quite easily do, I gave a very loud tongue lashing to the guy for 5 mins, after which he promptly hung up on me…..

    However, about an hour later, I decided to give the on-line reset form another go, and guess what, this time I got an email back saying all PS4’s on my account have been deactivated and I can now set my own back as primary. It only took a few hours and a lot of yelling on the phone, but it should really not be that difficult to get your own PS account back once you’ve verified who you are.
