Thieves are using the Deactivate All function to hijack your primary PSN and you might not even know about it…
Before we go any further, if you’ve not got 2-factor authorisation activated on your PlayStation Network Account, go and activate it now. It’s okay, I’ll wait… You’re back? Cool. I’ll continue…
A quick precautionary tale – Just over a year ago, my wife called me at work to say that something weird was going on with the PS4. She was trying to watch Netflix but she kept being interrupted by a boot screen on the PS4 that said my PSN account had logged into a different PS4. I instantly got that sinking feeling – I’d always been pretty careful about what passwords I used, had never game shared and felt like I was smart enough to avoid most phishing scams. I obviously wasn’t careful enough. I asked my wife to quickly and repeatedly log in to my PSN account to combat whoever was trying to log in to my account from a different PS4, repeatedly logging them out in the process, and eventually they stopped trying. An hour later, I managed to log into my PSN account from my phone and change the password and I didn’t think anything more of it.
It wasn’t until a few months later that I realised what they’d done.
I’d finally bought a PS4 for my step-son and having set up his PSN account, I decided to add mine to the Users on his system and download a few games I’d purchased over the years (namely Minecraft) for him to play. We set a few games to download and left the PS4 running. When we came back, the games had downloaded but we couldn’t start them. They all had a padlock symbol on them when viewing them from my step-son’s PSN account which disappeared when we logged into my account. I did some quick Googling and realised that I needed to make my PSN account the “Primary” PSN account on his PS4 to enable him to play games that I own. Remembering that I’d set my own PS4 as my “Primary” when I first set it up, I booted up my PS4 and went to deactivate it so that I could activate it on my step-son’s – only my PS4 wasn’t my “Primary” and when I tried to activate it, it said that another PS4 was already activated as my Primary and I’d need to remove that before activating my own PS4 again. It took 6 months of phone calls with Sony Customer Service to get this fixed and meant that I had to set up a new PSN account to continue reviewing games.
So, somehow, someone had managed to deactivate my PSN account as my PS4’s Primary account and activate it as the Primary on a different PS4. How did they do it? After a year of searching, I finally have an answer thanks to a talkative PSN thief and account seller who agreed to speak with me…
Initially, it takes a little bit of luck. Using publicly posted/purchased lists of emails and passwords that have been lifted during hacks…
“Yahoo, ClixSense and AFF were good for us. You’d be surprised by the number of people that use the same email address and password for every online account they use. We took some lists from hacks, set up some bots and we started to get some luck on PSN. We even managed to hack a few of the smaller PlayStation trophy tracking websites ourselves and 90% used the same username and password as PSN”
Gaining control over PlayStation Network Primary accounts is relatively straightforward once they’ve found a username and password that work.
“We’d log in to the PlayStation website and use the ‘Deactivate All’ function. This removes any Primary accounts without notifying anyone. We check it on the PS4 and then we sell them on”
The issue for the victims here is that the “Deactivate All” function on PSN can only be used once every 6 months. In my case, and a few other victims of this scheme that I’ve spoken to, Sony Customer Support weren’t very helpful or understanding either. This has reportedly improved recently with Sony willing to trigger another “Deactivate All” from their end within the 6-month window.
“I imagine most of the PSN accounts we sell don’t even know they’ve been sold. They won’t ever notice unless they go looking. We sell them, the buyer makes the account the primary and downloads what they want to play. Unless they log in at the same time. That has happened.”
And how much would your PSN account sell for and where are they sold?
“Depends. We don’t get too much for most of them. More than half are total junk. PlayStation Plus games and not much else. Some have 1 worthy game we can flip for $30. The best accounts have 30 or more games that are good or recent. We can sell them for $1000+. Average? About $250. $300.”
“We sell on websites. Paypal and sometimes Bitcoin. The auction websites. I’m not going to name names. Forums. Reddit and Chan. Sold one to a drunk in a bar. Haha”
But 2-Step Authorisation is making it hard for the thieves to sell on your PSN account. Using 2-Step Authorisation prevents access to your account unless it’s also confirmed by your mobile phone.
“It fucked me on day 1. I had 30 emails saying the passwords didn’t work. It has gotten easier and tougher. Still a lot of PSN accounts we tap don’t have 2-step but we can’t tell if the password is right, wrong or it’s just 2-Step.”
So, how can you prevent the theft of your PSN account via this method?
Activate 2-Step Authorisation – Now!
Use unique passwords for each of your online accounts.
Use HTTPS connections wherever possible.
Use a dummy email address specifically for each one of your online accounts.
Check that your PSN account is allocated as your PS4 Primary and, if it’s not when it previously was, contact PlayStation Support.