PlayStation 5 under red light

Games · Opinion

Sony Has Always Had A Problem

77 million accounts. 20 years of breaches. And a vulnerability that can take everything you own with just an email address.

Sony has a problem. Not just PlayStation. Not just one division. The whole company has a systemic, decades-long, deeply rooted security problem. And the most recent example is not just alarming. It is personal.

Let me explain.

I love PlayStation. I have been a PlayStation person since the mid nineties. It is my platform, it is my community, and it is where a significant chunk of my gaming life lives. So this is not me coming after something I hate. This is me talking about something I love that keeps getting let down by the company behind it.

Because Sony has shown us over and over again that security is not their strong suit. And I have the receipts.

2005

Before we even get to PlayStation specifically: Sony BMG, the music division, intentionally installed hidden software on millions of people's computers through ordinary music CDs. No warning. No consent. A rootkit buried deep in your Windows operating system, and its file-hiding trick was promptly used by malware authors to conceal their own code from antivirus. This was not Sony getting hacked. This was Sony doing it to their own customers on purpose. That is where this story starts.

2011

This one I remember vividly.

I was 23 or 24 years old. I had just gotten my hands on SOCOM 4 early from one of those stores in my neighborhood that would put games out a little before release. SOCOM was probably Sony's most successful multiplayer franchise at the time. It carried real weight with hardcore players and SOCOM 4 was the first proper numbered entry on PS3. I was locked in and ready to go. I had one night of playing it and the next day nothing worked. I could not log on to the PlayStation Network. What happened?

What happened was one of the largest data breaches in internet history at the time. 77 million PlayStation Network accounts compromised. Personal information, email addresses, physical addresses, passwords, and potentially credit card data all exposed. And Sony waited nearly a week before telling anyone. The network stayed down for 24 days.

Less than two weeks later the news got worse. Sony Online Entertainment was found to have been hit as well. Another 25 million accounts. An outdated 2007 database with thousands of credit card numbers and direct debit records exposed. Two separate intrusions, disclosed within two weeks of each other. Same company. Over 100 million accounts compromised in the span of weeks.

I was young and maybe did not fully understand the severity at the time. But I had a lifeline. Back then my main PlayStation podcast was IGN's Podcast Beyond, hosted by Greg Miller and Colin Moriarty among others. They, along with their co-hosts, were essentially the therapeutic support group for PlayStation fans during those 24 days. Episodes titled PSN Fail. PSN Crisis Day 22. The crew answering furious listener questions about whether their credit cards were stolen and whether they should abandon PlayStation entirely. When the servers finally came back online Greg and Colin literally ran back to the IGN offices on a Saturday night to record an emergency episode called Podcast Beyond: The PSN Lives. They brought beer. They abused the soundboard. Someone screamed Whaaaaaaaaaaaaaa?! (IYKYK). It was a party. Because after 24 days of nothing, PSN was back.

I did not put my credit card back on PlayStation Network for years after that. Sony was never fully transparent about what happened. Information was drip-fed to us slowly until we eventually got the whole picture. That pattern of keeping people in the dark while protecting the company first is something worth remembering.

2014

Two more hits. Lizard Squad took PSN down repeatedly with DDoS attacks, including over the Christmas holiday season. And then Sony Pictures got hit in a completely different and deeply embarrassing way. A full Hollywood studio exposed. Unreleased films leaked. Executive salaries made public. Private emails between top executives that cost people their careers. Employee Social Security numbers and medical records out in the open. Reportedly over 100 terabytes of data taken. The FBI traced it back to North Korea. A foreign government hacked a major American entertainment company because they did not want a Seth Rogen comedy to come out. Sony Pictures. PlayStation Network. Same company. Different division. Same result.

2023

They got hit twice more. Once through a vulnerability in a third-party file transfer product used in its supply chain, which exposed records on thousands of current and former employees. Then again by a ransomware group that claimed to have taken 260 gigabytes of internal data and posted samples of it online. Two separate incidents. Same year.

That is the history. That is the pattern. Now let me tell you about what is happening right now.

Now

I was scrolling through social media and saw that Colin Moriarty had lost his PlayStation account. The same Colin Moriarty from Podcast Beyond. I saw the reaction from the community, people who liked him, people who did not like him, all of them genuinely shocked and supportive. Because losing your PlayStation account is not a small thing. Everyone in that community understood what it meant.

I saw his Twitter thread about it, started digging deeper, and then I waited. Because Colin has a podcast called Sacred Symbols and I knew he was going to get into the full story there. A few hours after he got the account back he confirmed he was working with Sony to figure things out. Then the episode dropped.

I listened. And holy shit.

What Actually Happened

Moriarty had been warned in advance by a source that his account was being targeted. He knew it was coming. There was essentially nothing he could do about it.

On a Monday afternoon he and his co-host Dustin were livestreaming on YouTube, ironically playing a game called Pragmata, which is about hacking. Mid-stream his inbox gets bombed with hundreds of junk emails, sign-up confirmations from places like AliExpress. That is a deliberate tactic: register the victim's address at hundreds of sites so the flood of confirmations buries the real Sony security alerts arriving at the same time. Simultaneously he gets a text saying his 2FA has been disabled on PSN. He is booted from his account live on camera.
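The inbox flood only works if the real alerts stay buried. Below is an added example, not code from the post or from Sony, of how you would triage a bombed inbox on your own side: measure the burst, then pull out messages that come from the account provider's domain and actually authenticated (DKIM and SPF pass as recorded by your receiving mail server), and flag alert-looking mail that does not. The sender domain, subjects and Authentication-Results strings are constructed sample data, not Sony's real notification mail.

```python
"""Triage a flooded inbox: measure the burst and pull genuine account-security
alerts out of the noise.

Added example, not code from the original post. The alert sender domain,
subjects and Authentication-Results values are constructed sample data and do
not describe Sony's real notification mail.
"""
import re
from collections import deque
from datetime import datetime, timedelta
from email.utils import parseaddr

# Assumption: the account provider's genuine notices come from this domain.
TRUSTED_DOMAINS = {"playstation.com"}
ALERT_KEYWORDS = ("two-step", "2fa", "sign-in", "password", "security")


def build_sample_inbox():
    """Constructed sample: 180 shop sign-up confirmations in nine minutes, two
    genuine alerts (DKIM and SPF pass), one spoofed From: with failing DKIM and
    one alert from a lookalike domain."""
    t0 = datetime(2026, 2, 2, 15, 0, 0)
    inbox = [
        {
            "date": t0 + timedelta(seconds=3 * i),
            "from": f"noreply@shop{i % 40}.example",
            "subject": "Welcome! Please confirm your new account",
            "auth": "mx.example.net; dkim=pass header.d=shop.example; spf=pass",
        }
        for i in range(180)
    ]
    inbox += [
        {"date": t0 + timedelta(seconds=90), "from": "no-reply@playstation.com",
         "subject": "Two-step verification was turned off",
         "auth": "mx.example.net; dkim=pass header.d=playstation.com; spf=pass"},
        {"date": t0 + timedelta(seconds=150), "from": "no-reply@playstation.com",
         "subject": "New sign-in on a PS5 console",
         "auth": "mx.example.net; dkim=pass header.d=playstation.com; spf=pass"},
        # Header From: claims the trusted domain but the mail did not authenticate.
        {"date": t0 + timedelta(seconds=200), "from": "no-reply@playstation.com",
         "subject": "Security alert: confirm your account now",
         "auth": "mx.example.net; dkim=fail header.d=playstation.com; spf=softfail"},
        # Lookalike domain that authenticates fine for itself.
        {"date": t0 + timedelta(seconds=300), "from": "support@playstation-help.example",
         "subject": "Security notice about your account",
         "auth": "mx.example.net; dkim=pass header.d=playstation-help.example; spf=pass"},
    ]
    return inbox


def detect_burst(inbox, window=timedelta(minutes=10), threshold=50):
    """Sliding-window count: return (peak messages in any window, flooded?)."""
    recent, peak = deque(), 0
    for t in sorted(m["date"] for m in inbox):
        recent.append(t)
        while t - recent[0] > window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak, peak >= threshold


def auth_passed(auth_header):
    """True only if the receiving server recorded both dkim=pass and spf=pass."""
    dkim = re.search(r"\bdkim=(\w+)", auth_header)
    spf = re.search(r"\bspf=(\w+)", auth_header)
    return bool(dkim and spf and dkim.group(1) == "pass" and spf.group(1) == "pass")


def sender_domain(from_header):
    """Domain part of the From: address, lower-cased."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def triage(inbox):
    """Split a flooded inbox into genuine alerts, suspicious alert-looking mail
    and noise, so the real 2FA-disabled notice is not lost under 180 receipts."""
    peak, flooded = detect_burst(inbox)
    genuine, suspicious, noise = [], [], 0
    for m in inbox:
        alert_like = any(k in m["subject"].lower() for k in ALERT_KEYWORDS)
        if sender_domain(m["from"]) in TRUSTED_DOMAINS and auth_passed(m["auth"]):
            genuine.append(m)
        elif alert_like:
            suspicious.append(m)
        else:
            noise += 1
    return {"flooded": flooded, "peak": peak, "genuine_alerts": genuine,
            "suspicious_alerts": suspicious, "noise": noise}


if __name__ == "__main__":
    result = triage(build_sample_inbox())
    print(f"flooded={result['flooded']} peak={result['peak']} noise={result['noise']}")
    for m in result["genuine_alerts"]:
        print("GENUINE ", m["from"], "|", m["subject"])
    for m in result["suspicious_alerts"]:
        print("SUSPECT ", m["from"], "|", m["subject"])
```

One caveat on the design: an Authentication-Results header is only trustworthy if it was written by your own receiving server, which should strip any copy that arrived with the message; the sample assumes that has been done. The domain check matters as much as the DKIM check, since a lookalike domain can authenticate perfectly for itself.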

While Moriarty steps away to deal with it Dustin keeps the stream going. He checks his phone and sees a message sent from Moriarty's now-compromised account. The message says "You're next."

Moriarty calls PlayStation support. Gets an overseas call center. The representative is perfectly nice and completely powerless. They tell him it will take up to a week to investigate. Moriarty tries to explain he is a prominent media member and this is not a standard situation. Does not matter. The system called Parseek that Sony uses internally is locked. Too many changes made too fast. Nothing they can do at that level. Queue. One week. Goodbye.

So Moriarty goes to work on his connections. Emails a high ranking Sony PR contact he has known since the 90s. He calls Greg Miller. If you read the 2011 section you already know that name. The same Greg Miller from Podcast Beyond who helped PlayStation fans through the outage fifteen years ago. The two had a very public falling out after their time together at Kinda Funny. Colin still made that call. Greg still helped. That tells you everything about how serious this situation was. Greg texts his own industry connections even though he is in the middle of recording. Multiple people from first party studios reach out offering to escalate internally.

Now here is where I need to pause because this is the first holy shit moment.

I have a background in security. Phishing, spoofing, social engineering. I know this stuff. So when Moriarty described what happened next my eyes lit up immediately.

A call comes in from the Sony support number. Moriarty thinks it is working. His connections got things moving. He answers, talks to the guy, answers questions, gives him the serial numbers of his consoles. Then his source reaches out and tells him he just talked to the hacker. They spoofed the Sony phone number. They were not even after his specific information. They were building trust. Getting him comfortable. Waiting for the follow up call. And it worked because when you are in a panic in the middle of everything and a call comes in from the number you have been waiting for, you answer it. That is how they get you. That is textbook social engineering. Caller ID is not authentication; a displayed number can be faked trivially, and the only safe move is to hang up and call the published support number yourself. I recognized it the second he described it.

The real Sony call came about an hour later. Moriarty asked for a reference number this time. The guy had it. This was the real thing, a managerial level person with what Moriarty described as bespoke high level access to PSN. He locked everyone out of the account immediately.

The hackers realized they were losing it faster than expected. They started calling back. Leaving voicemails. They even texted Moriarty directly offering to give the account back. Too late. But then right after getting the account back Moriarty got permanently banned. The hackers had set a dead man switch, sending racial slurs through the account knowing PSN automatically bans accounts for that language. The Sony contact unbanned him quickly and put flags on the account so only manager level people could touch it going forward.

Three hours total. Start to finish. Account back.

The Vulnerability

Now here is the second holy shit moment. The one that really got me.

When Moriarty explained how the hack actually worked I was floored. I am a savvy internet user. I understand security. I understand how attacks work. I still would have been vulnerable. Because here is all it takes to get into someone's PlayStation Network account.

Your email address. And some basic transaction information. A game you bought. A date. A price. Things you may have posted on social media without a second thought, because why would that ever matter. You do not even need the password. You do not need the two factor authentication. You do not need the passkey. A customer service representative with the right access can override all of it, and the only thing standing between an attacker and that override is a verification script built on knowledge that is public or easily gathered. That is the vulnerability. That is what has been sitting there wide open.
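To make the loophole concrete, here is an added example (mine, not the post's, and not Sony's actual support tooling or policy) that writes a support-assisted recovery rule as code: the weak rule the post describes, where email plus receipt details is treated as identity and 2FA is switched off on the spot, next to a hardened rule that separates public knowledge from possession factors, delays any high-risk change made without one so the existing contacts can cancel it, and freezes the account when too many changes arrive too fast (the one control that did kick in during the incident). The evidence categories, the 72-hour delay and the two-changes-per-day threshold are assumptions.

```python
"""Support-assisted account recovery as policy code: the weak rule the post
describes (email plus receipt details is enough to switch off 2FA right away)
beside a hardened rule.

Added example with constructed requests; it is not Sony's support tooling or
policy, and the evidence categories and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Set


class Evidence(Enum):
    EMAIL_ADDRESS = "email address"              # public: receipts, forums, social media
    PURCHASE_DETAILS = "game, date, price"       # public-ish: often posted by the owner
    CONSOLE_SERIAL = "console serial"            # harvestable: photos, or a spoofed support call
    CODE_FROM_REGISTERED_2FA = "2fa code"        # possession of the existing second factor
    RECOVERY_CODE = "recovery code"              # secret issued when 2FA was set up
    SIGNED_IN_DEVICE_APPROVAL = "device approval"  # approval from a device already signed in


# Knowledge an attacker can gather without ever touching the account.
PUBLIC = {Evidence.EMAIL_ADDRESS, Evidence.PURCHASE_DETAILS, Evidence.CONSOLE_SERIAL}
# Factors that prove possession of something only the account owner holds.
STRONG = {Evidence.CODE_FROM_REGISTERED_2FA, Evidence.RECOVERY_CODE,
          Evidence.SIGNED_IN_DEVICE_APPROVAL}
HIGH_RISK_ACTIONS = {"disable_2fa", "change_email", "change_password", "sign_out_all_devices"}


@dataclass
class RecoveryRequest:
    account: str
    action: str
    evidence: Set[Evidence]
    requested_at: datetime


@dataclass
class Decision:
    status: str                       # "granted", "delayed" or "denied"
    reason: str
    effective_at: Optional[datetime] = None


def weak_policy(req: RecoveryRequest) -> Decision:
    """The loophole as described: public knowledge counts as identity, effect is immediate."""
    if {Evidence.EMAIL_ADDRESS, Evidence.PURCHASE_DETAILS} <= req.evidence:
        return Decision("granted", "account details matched", req.requested_at)
    return Decision("denied", "account details did not match")


def hardened_policy(req: RecoveryRequest, recent_changes: List[datetime],
                    cooling_off: timedelta = timedelta(hours=72),
                    max_changes_per_day: int = 2) -> Decision:
    """Three rules the weak policy lacks:
    1. velocity: too many sensitive changes in 24h freezes the account for review;
    2. public knowledge alone never authorizes an immediate high-risk change;
    3. without a possession factor the change is delayed, and during the delay the
       existing contacts are notified and can cancel it."""
    day_ago = req.requested_at - timedelta(hours=24)
    if sum(1 for t in recent_changes if t > day_ago) >= max_changes_per_day:
        return Decision("denied", "too many changes too fast; frozen for manual review")
    if req.action not in HIGH_RISK_ACTIONS:
        return Decision("granted", "low-risk action", req.requested_at)
    if req.evidence & STRONG:
        return Decision("granted", "possession factor verified", req.requested_at)
    if req.evidence & PUBLIC:
        return Decision("delayed", "public knowledge only; notify existing contacts, cancellable",
                        req.requested_at + cooling_off)
    return Decision("denied", "no usable evidence")


def scenario():
    """Constructed: an attacker holding harvested details vs the owner holding a recovery code."""
    now = datetime(2026, 2, 2, 15, 30)
    attacker = RecoveryRequest("player", "disable_2fa",
                               {Evidence.EMAIL_ADDRESS, Evidence.PURCHASE_DETAILS,
                                Evidence.CONSOLE_SERIAL}, now)
    owner = RecoveryRequest("player", "disable_2fa",
                            {Evidence.EMAIL_ADDRESS, Evidence.RECOVERY_CODE}, now)
    return {
        "weak_attacker": weak_policy(attacker),
        "hard_attacker": hardened_policy(attacker, []),
        "hard_owner": hardened_policy(owner, []),
        # Two sensitive changes already this hour: even the owner waits for review.
        "hard_owner_velocity": hardened_policy(
            owner, [now - timedelta(minutes=10), now - timedelta(minutes=40)]),
    }


if __name__ == "__main__":
    for name, d in scenario().items():
        print(f"{name:20} {d.status:8} {d.reason}")
```

The point of the delay is that a notification sent to the existing email and second factor, with a cancel link, turns the account's current contacts into a veto: the attacker can only win if the real owner ignores the notice for the whole cooling-off window, which is exactly what the inbox flood tries to arrange and why that flood should be treated as a signal in its own right.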

This is the same company that had their whole network shut down for a month. And they let something like this exist in their system. What?

Colin got his account back in three hours. Because of who he is. Because of connections built over twenty plus years in games media. Because a Sony PR contact he has known since the 90s picked up the phone. Because Greg Miller, despite everything that happened between them, still made the calls.

The other 99.9 percent of PlayStation players? They get the overseas call center. They get put in a queue. They wait a week. And a lot of them never get their accounts back.

Think about what that actually means. Some people are losing thousands of dollars in digital game libraries built over decades. Some people are losing saves. Progress. Time. Trophies, the record of every game they ever played and everything they accomplished. People who have had their PlayStation Network account since 2006 losing everything in an instant through no fault of their own. The number one and number two all time trophy hunters in the world both had their accounts stolen. Neither of them got them back.

That is not acceptable.

Colin could have gotten his account back and moved on. Said nothing. Just continued with his life. But he did not do that. He had two goals. First, get Sony to close this loophole so it stops happening to anyone else. Second, get the accounts back for everyone who has already lost theirs. Both of those goals matter. Both of those goals are the right thing to push for.

What This Means For You

Here is what you should know as a PlayStation player right now. And I want to acknowledge upfront how insane this advice is going to sound.

Use an email address for your PSN account that you do not use anywhere else and do not share publicly. Do not post transaction receipts, purchase confirmations, or anything that shows when you bought a game on social media. Keep that information private. Keep two factor authentication on anyway, because it still stops the ordinary password attacks even though it did not stop this one. And treat any call or text about your account as untrusted even when the number matches Sony's: hang up, call the published support line yourself, and ask for a reference number before you answer a single question.

Read that back. An email address. Something that was literally invented to be shared between people. Something that is supposed to be how you communicate with the world. That is now your first and most important line of defense against losing everything on your PlayStation account. Not your password. Not your two factor authentication. Your email address being kept secret.

That is where we are. That is what Sony has allowed to happen. It should not have to be this way. But until they fix this it is the reality.

Sony has to do something and they have to do it soon. They are pushing an all digital future. PlayStation 6 is coming. They want you to invest everything into a digital library with no disc drive backup. You cannot ask people to do that while this vulnerability exists. It is not fair and it is not right.

I am going to keep playing PlayStation because at this point it is what I know and what I love. But I am going to be vigilant. And I am asking you to be too. Spread the word. Let people know. Because a lot of PlayStation players have no idea this is even possible and they deserve to know what they are up against.

Sony has a problem. It is time they actually fixed it.

Go listen to the full Sacred Symbols episode. You already know what happened. Now hear it straight from Colin.

Listen on YouTube