The vulnerability that bypasses 2FA protection on PlayStation Network with just a transaction number has still not been closed. French journalist Nicolas Lellouche’s account was stolen again after 6 months.
The vulnerability, reported in December 2025, is caused by an error in the authentication process of the PlayStation support team.
Attackers can change the email address simply by using an old transaction ID to prove ownership of the account.
French journalist Nicolas Lellouche, who was previously victimized and whose account was marked as “high risk”, announced that his account was stolen again as of May 2026.
Simple Method to Break Through Security: Transaction Number
While modern digital security systems use biometric data and instant codes to protect users, the situation is quite different on the PlayStation Network front.
Recent reports that have made a splash in the industry show that a “backdoor” still exists in Sony’s customer service protocols. If an attacker knows the username of the account they want to take over and any old transaction number from that account, they can phone the support line and pose as the owner of the account.
The scariest part of this situation is that even the strongest security measures set up on the user’s account are ineffective. As soon as the attacker convinces the support team, the registered e-mail address of the account is changed and the passkeys, together with two-step verification (2FA), are completely removed from the account.
Within seconds of receiving a “your e-mail address has been changed” notification on their phone, the user loses access to the game library they have accumulated over the years.
French Journalist Victimized Again: Did Sony Not Take Precautions?
The seriousness of the incident was demonstrated once again by what happened to Numerama reporter Nicolas Lellouche, who made this vulnerability public in December 2025. In his statement on social media, Lellouche said, “This problem, which is on the agenda worldwide, is still not solved. My account was stolen again last night.”
The interesting point is that, after the earlier incident, Sony marked Lellouche’s account as “high risk” and gave customer service the instruction “do not take action on this account.”
Despite this, it appears that either the protection lasted only six months or personnel within the system did not heed the warning. According to the data shared by Lellouche, the attack this time may have been carried out by a different person, because the changes to the game history and account settings do not resemble those in the previous case.
This means that the vulnerability is now a weapon not only in the hands of certain hacker groups, but of anyone who knows the method.
What Should You Do to Protect Your Digital Library?
In an era where digital purchases are taking precedence over physical copies, losing a PSN account doesn’t just mean losing a username.
Games, save files and trophies worth hundreds or even thousands of dollars disappear along with the account. While we wait for Sony to produce an enterprise-level solution, it is critical that users pay attention to the following steps:
Keep Transaction Numbers Private: Never share screenshots of your PlayStation Store purchases on social media or second-hand sales sites.
Increase Email Security: One option is to regularly delete the invoices sent to the e-mail address linked to your PSN account, or not to share this e-mail address with anyone.
Beware of Suspicious Support Calls: Never trust third parties who call you or request information on behalf of Sony.
Sony Interactive Entertainment has not yet announced an official patch or protocol change regarding this latest leak and vulnerability. However, as of 2026, it has been proven once again that the weakest link in digital security is the “human factor”.