According to Wccftech, French tech journalist Nicolas Lellouche had his PlayStation Network account hacked twice on April 28, 2024, despite it being protected by both two-factor authentication and a passkey. The unknown attacker changed the account’s email and password and spent money from a linked payment method. After Lellouche recovered the account via PlayStation Support, the hacker took control again and even communicated with him, detailing a method that bypasses modern security. The hacker claims to be exploiting a “fatal security flaw” in Sony’s internal systems, needing only the account’s associated email address. Lellouche’s email address was exposed in an old screenshot shared online; hackers are reportedly collecting such screenshots to target accounts. The full technical breakdown is pending in a follow-up report from the journalist.
Internal tools are the weak link
Here’s the thing that makes this so alarming. If the hacker’s claim is true—that they’re using internal Sony tools—then all the security on your end is basically useless. You can have the longest, most complex password, a hardware security key, and every bell and whistle enabled. But if someone with access to Sony’s backend systems can initiate an account takeover with just an email address, your line of defense is completely circumvented. It’s like having an unbreakable lock on your front door, but the building superintendent has a master key they left under a mat. The 2011 PSN outage was a massive breach of external data. This? This suggests a potential breach of internal processes, which is arguably scarier for an ongoing service.
A bizarre and worrisome pattern
Now, the bizarre communication with the hacker adds a strange layer. It’s not just a faceless breach; the attacker was apparently confident enough to explain their method. That implies they believe the flaw is either unstoppable or so deeply embedded that Sony can’t patch it quickly. And the targeting method is chillingly low-tech: scouring the internet for old screenshots that accidentally show an email address. It’s a reminder that in the digital age, a tiny piece of leaked info you forgot about years ago can come back to haunt you. But really, should that be enough to topple an entire account protected by 2FA? Absolutely not.
What this means for you right now
So what can you do? The standard advice still applies, but it feels woefully inadequate against a supposed internal flaw. Don’t share personal info or screenshots that reveal your email. For purchases, use prepaid cards or payment methods with strong fraud protection—losing game access is bad, but having your actual bank account or card drained is far worse. The real onus is on Sony. They need to investigate and confirm or deny this publicly, and fast. If there’s a flaw in their customer support or account management tools, it needs to be shut down immediately. Because if one person found it, others probably have too. This isn’t just about one journalist’s account; it’s about trust in the entire platform’s security foundation. Again.
