When your username and password are compromised, it opens the door to all manner of unexpected consequences.
A few weeks ago, Mic Fok got a weird email. The person writing it claimed they'd been playing Overwatch on a PlayStation Network account for more than six months, but the password had changed recently. But why would Fok know anything about this random dude's account? As it turns out, they'd "purchased" Fok's account through a website called PSN Games, one of many businesses trafficking in the selling of cheap games by sketchy means.
The individual who bought Fok's account was an Overwatch fan named Bennett Eglinton.
"Hello I purchased overwatch from psngames.org and this email was used as the account info," reads an email from Eglinton, sent in early March. "However the password I was given for the PlayStation Network sign in no longer works. Did you happen to change it? Can I get the new info."
Taken aback, Fok pressed Eglinton for more information, and informed him he probably got scammed; Fok was still using this account. After Eglinton was able to produce Fok's old (and legitimate) password, he stopped responding to the emails. That's when Fok contacted me, and put me in touch with Eglinton, who passed along the PSN Games confirmation email with Fok's password.
Eglinton discovered PSN Games while looking for the cheapest way to get the game through a website called AllKeyShop.com, which aggregates key sellers, including PSN Games.
(Though called PSN Games, the website sells accounts tied to PlayStation 4 and Xbox One games. They also sell a lot of Microsoft software?)
"A quick search on them didn't show anything negative, so I decided to try it out," said Eglinton. "The site claimed to buy games in other regions, put them on an account, and then sell them for cheaper."
Here's how PSN Games, which claims to offer "legal and genuine digital downloads, but sent in the form of an account," works. Let's say you want to play Mass Effect: Andromeda, but don't want to pay the game's full price, $60. Right now, PSN Games is offering it for $41.99. After checking out, PSN Games sends you the login information for an account, complete with email address and password. You then sign into that account and mark your PlayStation 4 as the primary device, which grants you access to play the game locally on your machine. After downloading the game, you're supposed to log out of the account and switch back to yours.
On a PlayStation 4, if a game is locally installed, you can play it, even if you're logged into a different account. PSN only kicks someone off if they're on the same account. This is why PSN tells you to log out. That way, PSN has no way to verify what's happening. Additionally, Sony doesn't notify you, via email or notification, if the primary device for an account has changed, so if you're the original owner of the account, you likely won't notice that this has happened.
Sony did not respond to my request for comment on PSN Games or clarity on how it might better protect some of its users in the future. (Sony only added two-factor authentication to PSN last year, long after it'd become the standard elsewhere.)
This is how Bennett Eglinton was able to log in to Mic Fok's account, download his copy of Overwatch, log out of Mic's account, switch back to his account, and start playing Overwatch.
"I only found out cause PSN asked me to do a routine password change," said Fok, "and I guess I locked him out."
Fok had stopped playing Overwatch on his PS4 months ago, after buying it on PC.
PSN Games' website says the games are purchased "from distributors in cheaper regions," and the reason they tie them to accounts is so that people from other regions can use them. But if PSN Games is simply buying keys and making their own accounts, how exactly did Fok's account, complete with legitimate username and password, get mixed up in there?
PSN Games didn't have a public relations department for me to contact, so I used the website's customer support chat to get an email address for a supervisor named Jack Cage.
"We are reselling accounts that we purchase from multiple different suppliers," said Cage. "Sometimes also from people that reach out to us directly offering to sell their profiles."
But Fok didn't sell his account to PSN Games, and when I asked a PSN Games customer service representative whether it was possible to sell your profile to the website, they denied it.
"As much as we'd like to avoid those issues," said Cage, "with the large amount of sales it's not possible to verify each individual account we sell, and those situations sometimes sadly happen. If we do hear about it, we're usually trying to resolve the situation with the person that sold the specific profile to us."
Cage claimed he could put me in touch with the mysterious distributor who sold him Fok's account, but after passing along the required information, Cage went silent. He hasn't responded to several emails looking for clarification about the business or this incident.
It doesn't take much to become an amateur PSN hacker, either. (Though hacker might be a generous term, in this case.) A simple Google search, which I'm not going to share here, can bring up software that will scrape databases of compromised accounts, automatically test them against the PSN login page, and if it works, compile how many games are tied to the account.
All of this can be accomplished in minutes.
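Seen from the login service's side, that kind of automated testing leaves a recognizable trail: one source trying many different accounts in a short time, with only a few attempts succeeding. The sketch below is an added example, not part of the original reporting and not Sony's code; the log format, thresholds and function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2017-03-01T10:00:01 203.0.113.7 user1@example.com FAIL
2017-03-01T10:00:02 203.0.113.7 user2@example.com FAIL
2017-03-01T10:00:03 203.0.113.7 user3@example.com FAIL
2017-03-01T10:00:04 198.51.100.20 dana@example.com FAIL
2017-03-01T10:00:05 203.0.113.7 user4@example.com OK
2017-03-01T10:00:06 203.0.113.7 user5@example.com FAIL
2017-03-01T10:00:09 198.51.100.20 dana@example.com OK
2017-03-01T10:00:10 203.0.113.7 user6@example.com FAIL
2017-03-01T10:03:00 192.0.2.44 lee@example.com OK
"""

def parse_events(text):
    """Yield (datetime, ip, account, succeeded) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, outcome = line.split()
            yield datetime.fromisoformat(ts), ip, account, outcome == "OK"

def find_stuffing(events, window=timedelta(minutes=5), min_accounts=5,
                  max_success_ratio=0.25):
    """Return {ip: accounts that were logged into} for sources that tried
    at least min_accounts distinct accounts within one sliding window while
    succeeding on at most max_success_ratio of them."""
    by_ip = defaultdict(list)
    for event in sorted(events, key=lambda e: e[0]):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            tried = {acct for _, _, acct, _ in span}
            hit = {acct for _, _, acct, ok in span if ok}
            if len(tried) >= min_accounts and len(hit) / len(tried) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(hit)
    return {ip: sorted(accts) for ip, accts in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in find_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, "-> reset and notify:", accounts)
```

The accounts returned for a flagged source are the ones whose passwords worked, which makes them the candidates for a forced password reset and a notice to the owner.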
The website PSN Games isn't alone, of course. There are others that operate similarly, such as Discount Digital Games. (That website didn't respond to my request for comment, either.) And though it's technically against Sony's terms of service, there are plenty of resources, like Player Auctions, that will help facilitate the buying, selling, and trading of your PSN account.
Again, PSN Games did not respond to requests for clarification on this, but this provides fresh reason for people to immediately add two-step verification to their PSN accounts, download password management software like 1Password, and check to see if your accounts have been previously compromised by using services like haveibeenpwned.com. (Believe me, you have!)
When I ran Fok's email through haveibeenpwned.com, it showed his login information had been compromised on a number of websites. It'd help explain how his password got out there.
And you don't have to go far to find more proof of a hit-or-miss relationship with PSN Games, like these reviews on AllKeyShop.com.
"The account got banned after only 24 hours," said one user.
"My version of Overwatch had the same issue," said another user in reply.
But these are just anonymous comments. To learn more about the service, I spoke to several others about their experience with PSN Games, and found stories with all manner of red flags. One user, who asked to remain anonymous, purchased an account associated with a copy of Mafia III, but when they logged in, someone's credit card was still attached to it.
"I lost my 35 Euros because I don't want to get in trouble," they told me. "When I discovered it, I deleted the account from my PS4. I don't care [about] the money."
PSN Games also sells what it calls "bundles" of games, where you can "try your luck" to get anywhere from one to five games, ranging from big-budget releases to independent games.
A PSN Games customer I spoke to, who also requested anonymity, said they purchased an account promising Dishonored 2 for only $20. When they loaded it up, the just-released Resident Evil 7 was there, too. Excited at the prospect of free stuff, they bought a random game for $5, which came with an account sporting more than 40 games available to download.
"I wasn't complaining," they told me.
When confronted with the possibility they could be playing on hacked accounts, they played it off, and said they were more worried about getting scammed by losing access to the games.
This is how Edward Hasley, who's been buying from PSN Games for a while now, feels.
"That is the gamble you take to access cheaper games," said Hasley, "but that gamble becomes stupid once you take away the time and cost incentives previously in play."
Hasley prefers buying games digitally over physical discs, but found himself annoyed at how games would go down in price at the local video game store, while remaining the same price online. He turned to places like PSN Games, which beat the prices on Amazon and eBay.
Recently, though, Hasley said he had to wait several days to get access to his games, some codes haven't worked, and it's been a pain to deal with the website's online customer service.
"In short, the risk vs reward no longer stacks up," he said, noting he'd heard "murmurs" that places like PSN Games might not entirely be on the up and up, making him "uncomfortable."
The pursuit of cheap games is an understandable one. Who wants to pay full price? Why not get two games for the price of one? But some deals might be too good to be true, and while it's possible sites like PSN Games are getting accounts from distributors who've said their data includes users who decided to sell their own accounts, it doesn't answer our original mystery: just how did someone's copy of Overwatch, and their PSN account, get sold on a website they've never heard of?