Sony's PlayStation Network is on the chopping block yet again -- the mandatory PSN password reset system can be used to take control of user accounts, it seems, using information that hackers have already stolen.
Sony forced users to change their passwords before they could use the PlayStation Network again, but changing a password only requires a PSN account email address and the user's date of birth -- both of which were pinched in the massive personal data theft back in April.
Sony's already taken the password reset page offline, replacing it with a site maintenance notice.
In a statement, Sony said, "Unfortunately this also means that those who are still trying to change their password via PlayStation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take."
The issue doesn't affect PSN on consoles, so if you've already changed your password you'll still be able to play games online.
When users change their passwords they should have been sent an email with a confirmation link. But we've seen reports, such as this one on the Neogaf forum, that allege ne'er-do-well hackers have been able to exploit the password reset page so that the password is changed without the owner of the email account clicking that confirmation link. We expect more details will emerge shortly.
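The design the article implies should have been in place, as an added example that is not Sony's code: knowing an email address and date of birth can only start a reset, and the password changes only when the single-use token sent to the registered mailbox is presented. The account store, email address and token lifetime are constructed for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the account and reset-token tables.
ACCOUNTS = {"alice@example.com": {"salt": b"", "pw_hash": b"", "dob": "1990-01-01"}}
PENDING = {}          # sha256(token) -> (email, expiry_epoch)
TOKEN_TTL = 15 * 60   # seconds a reset link stays valid

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def request_reset(email: str) -> Optional[str]:
    """Step 1. Whatever the user proves here (email, date of birth, ...) only
    *starts* a reset; nothing about the account changes. A random, single-use
    token is generated, only its hash is stored, and the token itself goes to
    the registered mailbox. Returning it here stands in for sending the mail."""
    if email not in ACCOUNTS:
        return None   # UI shows the same "check your inbox" text either way
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).digest()] = (email, time.time() + TOKEN_TTL)
    return token

def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Step 2. The password changes only when the emailed token is presented.
    The token is consumed on first use (valid or not) and rejected after TTL."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    salt = secrets.token_bytes(16)
    ACCOUNTS[email].update(salt=salt, pw_hash=_kdf(new_password, salt))
    return True

def verify_password(email: str, password: str) -> bool:
    """Login check; false until a reset has actually been completed."""
    acct = ACCOUNTS.get(email)
    if acct is None or not acct["pw_hash"]:
        return False
    return secrets.compare_digest(acct["pw_hash"], _kdf(password, acct["salt"]))
```

A request for an unknown address and a request for a known one must look identical to the caller, so the server only ever reports "check your inbox".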
This is enormously embarrassing for Sony, which is desperate to convince users it's serious about security in the wake of the April data theft.
Stick your thoughts and facepalms in the comments, or on our Facebook wall.