Sony has disabled network password reset and sign-in for some of its websites, such as PlayStation.com and the PlayStation forums. It has also made all PlayStation game titles unavailable. The reason? There is now solid evidence confirming rumors that the Sony PlayStation Network password reset system allows an attacker to change the password of an account using only the PSN account e-mail and the date of birth. Both pieces of information were part of the massive data leak that affected Sony on April 20th.
A community team member from Sony posted the following on their forums:
Please note that PSN sign in is currently unavailable for the following services:
Unfortunately this also means that those who are still trying to change their password via Playstation.com or Qriocity.com will be unable to do so for the time being. This is due to essential maintenance and at present it is unclear how long this will take.
In the meantime you will still be able to sign into PSN via your PlayStation 3 and PSP devices to connect to game services and view Trophy/Friends information.
The exploit was first revealed on Nyleveia.com. The website suggested that the best way to secure a PSN account is to create a completely new e-mail address that will not be used anywhere else and cannot be traced back to the original user, and then to switch the PSN account to that address. Otherwise, as the exploit spreads, users risk having their accounts stolen once again.
The exploit does not affect the ability to do password resets on the actual PS3 system.
Nyleveia.com did not go into details of how the exploit works, for obvious reasons, but stated that it was related to tokens being verified improperly on the password reset forms on Sony's sites. The website also claimed to have contacted Sony to make them aware of the issue.
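For defenders, the weakness reported above (a reset that needs only the account e-mail and date of birth, tied to improper token verification on the reset form) corresponds to a server-side check like the one below. This is an added example, not Sony's code and not anything published by Nyleveia.com; the class, function names, token lifetime and account data are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (constructed value)


class ResetService:
    """Hypothetical reset backend; names and storage are illustrative."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts   # email -> date of birth (constructed data)
        self.passwords = {}        # email -> password, stand-in for a credential store
        self._pending = {}         # sha256(token) -> (email, expiry)
        self._clock = clock

    def request_reset(self, email, dob):
        """E-mail + date of birth only start a reset. The returned token is
        sent to the mailbox on file, never echoed in the web response."""
        if self.accounts.get(email) != dob:
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._clock() + TOKEN_TTL)
        return token

    def complete_reset(self, email, token, new_password):
        """Change the password only for a valid, unexpired, unused token
        that was issued for this exact account."""
        record = self._pending.pop(self._digest(token or ""), None)  # single use
        if record is None:
            return False
        owner, expiry = record
        if self._clock() > expiry:
            return False
        if not hmac.compare_digest(owner.encode(), email.encode()):
            return False  # token belongs to a different account
        self.passwords[email] = new_password
        return True

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()
```

With this design, leaked e-mail addresses and birth dates are not sufficient on their own: the final step fails closed unless the caller also presents the token delivered to the account's mailbox.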