After hackers ran up a bill on my PlayStation account, Sony held it ransom

Getting my PlayStation account hacked was terrible, but Sony made it a whole lot worse.

Instead of helping me, Sony decided that I had to pay for the games that my hacker purchased, or face a permanent ban on my account.

It all started Saturday afternoon. I was scrolling through my inbox and noticed some odd emails from PlayStation, all of them at 3:01 AM. There were three $25 payments to my PlayStation wallet, and a purchase for NBA 2K16 and some credits. After checking to make sure my roommate hadn’t drunkenly purchased the game, thinking he’d pay me back later, I noticed even more concerning emails.

The first asked me to confirm a change to my PlayStation account’s email. The email wasn’t opened, nor had any odd devices accessed my email account, but another message less than a minute later confirmed the email change. Yep. While I was sleeping, someone locked me out of my own account.

But PlayStation requires you to confirm an email change by clicking a link in an email sent to the old account first, right? Wrong.

As it turns out, hackers have an easy way around this problem. Payment info, or at least a portion of it, is visible in the web interface for a PlayStation account. Once an attacker has your password, they can chat with Sony tech support, explain that they don’t have access to that email anymore, and use the visible info in the account to verify their identity, changing the email on the account to prevent recovery by its rightful owner — in this case, me.

In the meantime, they added a device to my account, a PS Vita. Unlike a PS3 or PS4, a PS Vita can’t be removed from the account via the web; it can only be deactivated from the device itself.

Fortunately, social hacking your way through tech support tends to be a double-edged sword, and I knew I would be able to wrestle my account back by providing the right info. Both consoles that regularly access the account are in my home, so that’s a form of proof, and because Sony doesn’t let users change their user names, no email changes could alter my gamertag.

Following the paper trail

This all happened on a Sunday, so Sony’s phone support wasn’t open, and I was forced to use the text chat. This actually ended up working to my benefit, as we’ll see shortly, but it also raises some problems of its own.

I wasn’t at home when I noticed the hacker’s activities, but I needed to stop the intruder from making any more purchases. I called PayPal support, and an agent there was quick to de-authorize my PlayStation account from making any more pre-approved purchases. Then, I filed a dispute on all three $25 charges.

[Image: I don’t own a PS Vita, but it’s stuck on my account.]

Once I got home, I sat down at a computer and fired up Sony’s chat support. At first, the agent was helpful. The intrusion and email changing were a separate issue from the disputed purchases, so we would deal with them one at a time.

The agent rolled back the account’s email to the previous address (mine), and forced a password reset when I confirmed the change. Then I was a little bewildered as the agent asked: “Now what do you want to do about the purchases?”

“I don’t want NBA 2K16, and I don’t want to add $75 to my PlayStation account,” I said. It sounded simple enough, or so I thought.

The agent passed the buck. They explained that in order to issue a refund, I needed to cancel the dispute with PayPal. Essentially, PayPal had taken the money back from Sony, and I needed to have PayPal release it so Sony could hand it back to me.

So I contacted PayPal. This turned out to be a process in and of itself. Because the dispute was security related, I had to call PayPal support, verify my identity, and then say in no uncertain terms that I was closing the case permanently, and get a guarantee that PayPal wouldn’t reopen it.

I informed the Sony tech support agent once the dispute was canceled. I didn’t get a human response. Instead, I got a copied and pasted statement explaining that Sony doesn’t offer refunds, and the funds would only be returned to my wallet. I asked what would happen if I issued a chargeback at the debit card level, and the agent explained matter-of-factly that my account would be banned until I paid the $75 in fraudulent charges.

After six years as a paying PlayStation customer, my account was now being held hostage, not by a hacker, but by Sony. I had to cover the cost of the metaphorical broken window, or my account was going to be locked. Basically, I had to apologize and pay for a thief.

Why hasn’t Sony learned?

You would think Sony would know how to handle hacking, especially after its multiple massive breaches (this one and this one) in the last five years, but it hasn’t learned. The PlayStation network has been around since 2006, but there’s no two-factor authentication, and payment info is visible on the web front-end. This leaves a wide enough security hole for an elephant to walk through. The customer service agent suggested that I only use prepaid cards, but that’s more of a workaround than a real solution.

Sony has a history of poor responses to hacking. Back in 2011 when PlayStation Network went down for almost a month, the gaming brand offered affected players one month of PlayStation Plus, which meant you got a few games that were disabled after the month ended if you didn’t become a paying subscriber.

You could argue that the way it treated me is to avoid refunding purchases that people made accidentally (or drunkenly), but even if a few people take advantage of the system for an ill-gotten refund, at least they’ll stick with PlayStation. It also took me several hours of legwork over email, Twitter, and customer support to reach that point, which would be a lot of work to go through just to buy a different game.

We reached out to our press contact at PlayStation for comment, and this was the response:

After reviewing your inquiry, we found there was some miscommunication between our customer service agents on this case and we apologize for the inconvenience this may have caused. We are currently working on issuing a refund to your account, and we are addressing the communication issues.

Please be assured that there was no indication that your account was compromised through the PlayStation Network. We do recommend our users maintain good account security, such as regularly changing their password and creating login credentials that differ from other services they use.

I have to wonder whether I would have reached this point had I not pressed my advantage as a tech journalist. A number of readers have reached out about very similar situations (one involving the same game less than an hour apart), and only some were lucky enough to receive an actual refund. That’s all despite the fact that PlayStation doesn’t offer refunds as a policy. If my account wasn’t compromised, why bend the rules?

The second half of the statement is a boilerplate response that separates Sony from any sort of liability regarding the incident. Allowing users to select a different login ID from email would help, as would two-factor authentication. These modern security methods aren’t hard to implement, nor are they uncommon in the gaming world.

As for me, I now have to decide whether I buy FIFA 16 on PS4 or PC. Right now, I’m not a big fan of Sony’s attitude or policies. It’s bad enough to be hacked, but it’s even worse to have to pay for the digital damage.

Updated on 4/14/16 by Brad Bourque: Added the official response from PlayStation.

Brad Bourque
Former Digital Trends Contributor
Brad Bourque is a native Portlander, devout nerd, and craft beer enthusiast. He studied creative writing at Willamette…