PlayStation Network faces a critical security vulnerability that puts millions of players at risk. A French journalist just exposed how hackers can bypass two-factor authentication using only your username and an old invoice number. Multiple accounts are already being compromised, and Sony’s response has left gamers deeply concerned about account safety.
🔥 Quick Facts
- French journalist Nicolas Lellouche discovered the flaw after his PSN account was hacked twice in one hour
- Hackers only needed his username and a transaction number from an old invoice to bypass 2FA protection
- A single €9.99 charge appeared when the attacker changed his account email and password
- PSN support confirmed the recovery process requires minimal verification despite 2FA being active
The Critical Bypass: Username + Invoice Number
Riot Games cuts half of 2XKO team just weeks after launch
What some people solve the Mini for reveals surprising habit
On December 23, 2025, journalist Nicolas Lellouche at French publication Numerama reported a devastating security flaw in PlayStation Network. The vulnerability allows attackers to completely take over accounts protected by two-factor authentication using just two pieces of information.
When Lellouche’s PSN account was compromised, the hacker changed his email address and password. A €9.99 charge appeared on his account from the unauthorized changes. When Lellouche called PSN support to recover his account, he discovered something alarming: the support team required only his PSN username and a transaction number from any old invoice to restore access. The year of the invoice didn’t matter.
2FA Doesn’t Stop Determined Attackers
Chumba Casino unlocks 200+ games with new sign-up bonus—try slots free today
Solid Snake joins Rainbow Six Siege in Metal Gear crossover
Two-factor authentication is supposed to be an unbreakable second layer of security, but PSN’s account recovery process completely bypasses it. Within one hour of regaining access, Lellouche discovered his account had been hacked again.
When he contacted the hacker directly, the individual revealed they had found his transaction number posted in an old article online. The attacker claimed to have “coded an app” to access Sony’s servers, though no evidence was provided. More concerning: the hacker didn’t even need that supposed tool. They simply needed the information that PSN support accepts as sufficient proof of ownership.
How This Security Flaw Works In Practice
| Attack Step | Required Information | Verification Time |
| Initial Account Breach | Email + Password (phishing, data breach) | Instant |
| Change Email/Password | Original email access (2FA code) | 1-2 minutes |
| Recover Account via Support | Username + Invoice/Transaction Number | Phone call (minutes) |
| Complete Takeover | Full account access + email control | Total: Under 10 minutes |
Sony’s Support System Puts Players At Risk
What makes this flaw particularly dangerous is that PlayStation Network support staff accept this verification method without questioning it. A transaction number from an invoice is easy to find if someone has even briefly posted it online or shared a screenshot with someone untrustworthy.
Previous incidents show this isn’t an isolated problem. In October 2025, another PSN user known as dav1d_123, famous for collecting PlayStation trophies, had his account stolen. Support handed his account to a hacker who only provided a username. The attacker is now selling the PlayStation trophies on the black market. This pattern shows that Sony’s account recovery procedure is fundamentally broken.
What Should PlayStation Network Users Do Right Now?
Gaming experts are now advising players to never share screenshots of PlayStation invoices online, even in old articles or forums. A casual post could be all a determined attacker needs to steal your account, your games, and access your payment methods.
Players should also avoid posting transaction numbers, order confirmations, or any identifying purchase information publicly. Even old social media posts or deleted articles can be recovered by hackers using archive services. At this moment, two-factor authentication on PlayStation Network is not sufficient protection against this specific attack vector, and Sony has not announced a fix for the vulnerability.
Sources
- Insider Gaming – Comprehensive reporting on the journalist’s account breach and PSN’s weak recovery process
- NotebookCheck – Analysis of the vulnerability and comparison to previous PSN security failures
- Numerama – Original French investigation by journalist Nicolas Lellouche detailing the hack timeline

Annabelle Ink is a gaming journalist and lifelong gamer who lives and breathes video game culture. From console releases to esports tournaments, this dedicated journalist brings insider knowledge and genuine enthusiasm to every review and feature. Her expertise spans multiple gaming platforms, helping readers discover their next favorite game while staying connected to the pulse of the gaming industry.

