Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

3/14/2018
08:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto
50%
50%

Fortnite Players Lob Shots at Epic Games Over Hacked Accounts

A number of Fortnite players recently suffered a breach of their Epic Game accounts, costing them hundreds of dollars and leaving them frustrated when they could not immediately reach the company for a refund.

Epic Games is facing a sizable challenge with its users, after a number of Fortnite players discovered cybercriminals had breached their game accounts and run up tabs worth hundreds of dollars.

Over the past several weeks, Fortnite players have been posting on Reddit and Fortnite's user forum board concerning problems they've faced in trying to get a refund for their breached accounts.

On Monday afternoon, for example, a player that goes by the name Darksplinter stated on Reddit:

So no idea how this happened, I don't click on stupid links that are shady. I never save my payment options to accounts but I must have accidentally saved it. Bought the standard save the world in February and I play it off and on with friends. Today I get emailed thanking for my purchases. Someone upgraded my standard to deluxe and then deluxe to ultimate, so that's $200 gone and well I kind of need that for my car payment.

Epic Games has issued some refunds, according to a smattering of Fortnite players on Reddit and the Fortnite forum board. Additionally, the company has also weighed in on the issue.

"We are aware of instances where users' accounts have been compromised using well-known hacking techniques and are working to resolve these issues directly with those players affected," Epic Games said in a statement to Kotaku.

Epic's tale
The game publisher recently posted a noticeon its website, acknowledging the breach and offering steps users should take. According to its statement:

We've seen several instances of account theft and fraud related to websites that claim to provide you free V-Bucks or the ability to share or buy accounts. Please never share your Epic account details with anyone. Epic will never ask you for your password through email, social media, or a non-Epic website. Groups claiming to provide special Fortnite deals this way are fraudulent.

At Epic, we've been working hard to try to hunt down password dumps in order to proactively reset passwords for player accounts when we believe they are leaked online. While this approach involves a lot of manual work on our side, we believe that it prevents a significant amount of fraud. However, this approach doesn't find every impacted account, or you might have created your Epic account after we checked a particular password dump.

As a result, we're working to further automate our process to check our account database against password dumps to close the gap on identifying impacted users and resetting their passwords. We're also working hard to enable multi-factor authentication in the next few weeks and plan to have an additional blog post with more details soon.

Got game? Cybercriminals do
According to a global surveylast year by Kaspersky Lab, 53% of survey respondents acknowledged they play online games.

Additionally, of the 17% of survey respondents who have experienced or been a target of an attack, 16% had their gaming accounts breached, according to the study.

Hacking gaming accounts, for example, can yield $1 per account, so it's potentially lucrative for cybercriminals to hack and sell online game accounts in mass, the report states.

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-15139
PUBLISHED: 2020-08-10
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Mes...