Following one of the most costly and wide-reaching thefts of data in history, Sony’s re-launch of the popular PlayStation Network (PSN) stalled yesterday when their password-reset system was revealed to have a fatal flaw that allowed hackers to steal user accounts.
The hack worked by gaming the unique string of characters Sony sends out to a user’s email account when they request to change their password, according to published reports. Hackers with just a user account and the user’s date of birth were able to use the security flaw to change passwords at will.
Unfortunately for Sony, word of the gaping security hole came at a crucial moment, right after they asked tens of millions of PSN users to change their passwords and come back to the service after weeks of downtime.
In a post to the PlayStation blog, Sony denied that they had been hacked again, opting to use the word “exploit” instead.
The company reacted to the security hole by taking the login forms for a number of their websites offline. The password hack did not affect users trying to reset their accounts directly from PlayStation 3 consoles.
It’s also not likely that many user accounts were affected. A fail-safe in the system sends out emails to users once their passwords have been changed, which would alert users to a possible theft.
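The reports above say an account email and date of birth were enough to change a password. As an added illustration (not Sony's code and not from the original article; the class, field names and token lifetime are assumptions), a reset flow in which the emailed token must be presented, match the account, be unexpired and unused, and in which every change notifies the owner:

```python
import hashlib, hmac, os, secrets, time

TOKEN_TTL = 900  # seconds; assumed token lifetime

class ResetService:
    """Hypothetical in-memory reset flow (illustration only)."""

    def __init__(self, accounts):
        self.accounts = accounts  # email -> {"dob": str, "pw_hash": bytes | None}
        self.pending = {}         # email -> (sha256 of token, expiry time)
        self.notices = []         # stand-in for "your password was changed" emails

    def request_reset(self, email, dob, now=None):
        """Date of birth only gates the request; it never authorizes a change."""
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct is None or acct["dob"] != dob:
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits, not derivable
        self.pending[email] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return token  # goes to the mailbox only, never back to the requester

    def complete_reset(self, email, token, new_password, now=None):
        """Change the password only when the emailed token is presented."""
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None or not token:
            return False  # email + date of birth alone change nothing
        digest, expiry = entry
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[email]  # single use
        salt = os.urandom(16)
        self.accounts[email]["pw_hash"] = salt + hashlib.pbkdf2_hmac(
            "sha256", new_password.encode(), salt, 200_000)
        self.notices.append(email)  # change notification to the owner
        return True
```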
Sony has been gradually restoring its online services since Sunday after taking them down on April 20 and admitting nearly a week later that personal information from over 100 million user accounts had been stolen, and that credit card details may be included in the stolen data.
The latest misstep will raise serious questions about the electronics giant’s ability to manage security for its online services. After word of the earlier hack went public, the company was roundly criticized for using outdated software on its servers.
The company is offering two free games for PlayStation 3 users who return to the free gaming network within the next 30 days. PSN service was still online as of this writing.
An investigation into the initial PSN hack is ongoing.