Normally, I list such emails as "junk" right away, but these felt a bit more legitimate. There weren't any obvious spelling or grammatical errors and the formatting had that je ne sais quoi which made me think it could be legitimate. I decided to keep them in my Inbox and check my PlayStation when I got home from work to see if I could still log in (I didn't want to walk up the stairs to my living room just then).
Unfortunately, I discovered that they were legitimate when Janelle woke up and came into the dining room asking if I had made a bunch of purchases on the PlayStation last night. It turns out that I had the energy to rush up the stairs, after all. Sure enough, I could no longer log in.
When I tried to restore my account, I discovered why the thief started by activating 2-step authentication. Doing so required me to talk to a real person to reset my account rather than just doing so online. Most likely, the thief was buying in-game currency which could then be traded in for real-world money. Thankfully, our credit card stopped them after only five transactions, and even put those into "pending" status.
Meanwhile, Janelle blocked the charges they made on our card and had our card cancelled. Our credit card company reassured us that we would not be held responsible for these charges. We use a credit card for online purchases precisely for these extra security measures. Unfortunately, we now have to wait for another set of cards to arrive.
The good news is that I was able to get a hold of a live representative at Sony with a fairly short wait time. I was able to verify my identity and retake my account, setting up a new password and my own 2-step verification (which now makes signing in on my PlayStation a bit of a pain). They also reimbursed my credit card for the amount that had been used (something my credit card company probably appreciates).
I was vulnerable to this attack because I was still using an old password that had likely been leaked during a previous data attack on Sony. I have since made certain to change the passwords on any other accounts that used that email or a similar password. Each of the new passwords is unique and follows a strong password formula which will hopefully prevent anything like this from happening again.