Email security is shit

This is going to be a tale of bullet points because it’s hilarious.

So we got a PS4 Pro for my brother’s birthday. He used to have a PS3 until about 5 years ago when he sold that one. He had an account on the PSN (obviously). This is how signing in to THAT account went:

  1. “Uh... which email address did I use? I think it was this one...”
  2. Search the email address for PlayStation-related emails to confirm that he’d used that one.
  3. Got it, reset the email address, get an email with the reset link, rejoice.
  4. Log in, set the PSN account, he’s in!
  5. Turns out it’s not THAT account. He had a different one.
  6. More thinking.
  7. “I think it was this hotmail address.”
  8. I search for that, and find a couple of emails sent to that from like 8 years ago.
  9. Kay, we just need to reset it, but we need access to the email address first.
  10. Let’s reset the password for the email address.
  11. Outlook says email address no longer exists.
  12. (´༎ຶД༎ຶ`)
  13. Meanwhile, we are literally a button away from sending the reset email to the email address from the PlayStation Network.
  14. Think...
  15. Oh, so if it doesn’t exist, we can theoretically sign up with it?
  16. Yes.
  17. We now have the old-new email address!
  18. Send the reset email to the new-old email address from the PSN.
  19. Receive it.
  20. Rejoice because information security is dumb.

We technically doxed him and took over his own PSN account. It was hilarious. And bad.