PlayStation Network security flaw exposes millions of accounts, hackers need just your username and one old invoice number

Created on:

By: Annabelle Ink

PlayStation Network faces a critical security vulnerability that puts millions of players at risk. A French journalist just exposed how hackers can bypass two-factor authentication using only your username and an old invoice number. Multiple accounts are already being compromised, and Sony’s response has left gamers deeply concerned about account safety.

🔥 Quick Facts

  • French journalist Nicolas Lellouche discovered the flaw after his PSN account was hacked twice in one hour
  • Hackers only needed his username and a transaction number from an old invoice to bypass 2FA protection
  • A single €9.99 charge appeared when the attacker changed his account email and password
  • PSN support confirmed the recovery process requires minimal verification despite 2FA being active

The Critical Bypass: Username + Invoice Number

On December 23, 2025, journalist Nicolas Lellouche at French publication Numerama reported a devastating security flaw in PlayStation Network. The vulnerability allows attackers to completely take over accounts protected by two-factor authentication using just two pieces of information.

When Lellouche’s PSN account was compromised, the hacker changed his email address and password. A €9.99 charge appeared on his account from the unauthorized changes. When Lellouche called PSN support to recover his account, he discovered something alarming: the support team required only his PSN username and a transaction number from any old invoice to restore access. The year of the invoice didn’t matter.

2FA Doesn’t Stop Determined Attackers

Two-factor authentication is supposed to be an unbreakable second layer of security, but PSN’s account recovery process completely bypasses it. Within one hour of regaining access, Lellouche discovered his account had been hacked again.

When he contacted the hacker directly, the individual revealed they had found his transaction number posted in an old article online. The attacker claimed to have “coded an app” to access Sony’s servers, though no evidence was provided. More concerning: the hacker didn’t even need that supposed tool. They simply needed the information that PSN support accepts as sufficient proof of ownership.

How This Security Flaw Works In Practice

Attack Step Required Information Verification Time
Initial Account Breach Email + Password (phishing, data breach) Instant
Change Email/Password Original email access (2FA code) 1-2 minutes
Recover Account via Support Username + Invoice/Transaction Number Phone call (minutes)
Complete Takeover Full account access + email control Total: Under 10 minutes

Sony’s Support System Puts Players At Risk

What makes this flaw particularly dangerous is that PlayStation Network support staff accept this verification method without questioning it. A transaction number from an invoice is easy to find if someone has even briefly posted it online or shared a screenshot with someone untrustworthy.

Previous incidents show this isn’t an isolated problem. In October 2025, another PSN user known as dav1d_123, famous for collecting PlayStation trophies, had his account stolen. Support handed his account to a hacker who only provided a username. The attacker is now selling the PlayStation trophies on the black market. This pattern shows that Sony’s account recovery procedure is fundamentally broken.

What Should PlayStation Network Users Do Right Now?

Gaming experts are now advising players to never share screenshots of PlayStation invoices online, even in old articles or forums. A casual post could be all a determined attacker needs to steal your account, your games, and access your payment methods.

Players should also avoid posting transaction numbers, order confirmations, or any identifying purchase information publicly. Even old social media posts or deleted articles can be recovered by hackers using archive services. At this moment, two-factor authentication on PlayStation Network is not sufficient protection against this specific attack vector, and Sony has not announced a fix for the vulnerability.

Sources

  • Insider Gaming – Comprehensive reporting on the journalist’s account breach and PSN’s weak recovery process
  • NotebookCheck – Analysis of the vulnerability and comparison to previous PSN security failures
  • Numerama – Original French investigation by journalist Nicolas Lellouche detailing the hack timeline

Red94 is an independent media. Support us by adding us to your Google News favorites:

Leave a review