Nicolas Lellouche Says Playstation Network Flaw Still Let Account Hackers In
Nicolas Lellouche says his playstation network account was hacked again last night, six months after the same account-ownership flaw went viral and still has not been properly fixed. The reported weakness centers on how PlayStation support checks who owns an account, and it can allegedly be abused with a transaction number even when 2FA and passkey protection are enabled.
Lellouche's account was hit again
Lellouche, a Numerama journalist, wrote on X earlier today, “Do you remember the hacking of my PlayStation account that went viral around the world and Sony still hasn't fixed? I got hacked again last night,” after saying the new intruder did not change the account ID and played different games.
He also said, “As long as the flaw isn't fixed, the same bug can be re-exploited infinitely. So I can no longer use my games with peace of mind: they risk disappearing,” which turns the issue from a one-off account takeover into a repeat access problem for anyone whose account details can still be contested through support.
Transaction numbers and support checks
The reported attack path is narrow and ugly: hackers reportedly need only a simple transaction number to claim ownership of an account, because PlayStation support appears to verify ownership in a way that can be bypassed through that detail.
Lellouche said, “It’s insane that it’s so easy to change an email, to completely disable the old email, and to delete an access key. The fact that PlayStation is acting like there’s no problem at all is driving me to despair,” and he said the only measure reportedly put in place was a high-risk account identifier that told customer service not to intervene.
Six months without a fix
Back in December 2025, the flaw was widely reported as affecting accounts even with 2FA and passkey protection, yet the issue still had not been properly addressed six months later. That leaves owners with a brittle setup: if support can be persuaded to hand over control again, the same account can be reopened, repointed to a new email, and stripped of its access key.
The unresolved question is whether Sony changes the support process itself, because that is the part Lellouche says lets a simple transaction ID stand in for ownership.
