Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

3/14/2018
08:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto
50%
50%

Fortnite Players Lob Shots at Epic Games Over Hacked Accounts

A number of Fortnite players recently suffered a breach of their Epic Game accounts, costing them hundreds of dollars and leaving them frustrated when they could not immediately reach the company for a refund.

Epic Games is facing a sizable challenge with its users, after a number of Fortnite players discovered cybercriminals had breached their game accounts and run up tabs worth hundreds of dollars.

Over the past several weeks, Fortnite players have been posting on Reddit and Fortnite's user forum board concerning problems they've faced in trying to get a refund for their breached accounts.

(Source: Epic Games)\r\n\r\n
(Source: Epic Games)\r\n\r\n

On Monday afternoon, for example, a player that goes by the name Darksplinter stated on Reddit:

So no idea how this happened, I don't click on stupid links that are shady. I never save my payment options to accounts but I must have accidentally saved it. Bought the standard save the world in February and I play it off and on with friends. Today I get emailed thanking for my purchases. Someone upgraded my standard to deluxe and then deluxe to ultimate, so that's $200 gone and well I kind of need that for my car payment.

Epic Games has issued some refunds, according to a smattering of Fortnite players on Reddit and the Fortnite forum board. Additionally, the company has also weighed in on the issue.

"We are aware of instances where users' accounts have been compromised using well-known hacking techniques and are working to resolve these issues directly with those players affected," Epic Games said in a statement to Kotaku.

Epic's tale
The game publisher recently posted a noticeon its website, acknowledging the breach and offering steps users should take. According to its statement:

We've seen several instances of account theft and fraud related to websites that claim to provide you free V-Bucks or the ability to share or buy accounts. Please never share your Epic account details with anyone. Epic will never ask you for your password through email, social media, or a non-Epic website. Groups claiming to provide special Fortnite deals this way are fraudulent.

At Epic, we've been working hard to try to hunt down password dumps in order to proactively reset passwords for player accounts when we believe they are leaked online. While this approach involves a lot of manual work on our side, we believe that it prevents a significant amount of fraud. However, this approach doesn't find every impacted account, or you might have created your Epic account after we checked a particular password dump.

As a result, we're working to further automate our process to check our account database against password dumps to close the gap on identifying impacted users and resetting their passwords. We're also working hard to enable multi-factor authentication in the next few weeks and plan to have an additional blog post with more details soon.

Got game? Cybercriminals do
According to a global surveylast year by Kaspersky Lab, 53% of survey respondents acknowledged they play online games.

Additionally, of the 17% of survey respondents who have experienced or been a target of an attack, 16% had their gaming accounts breached, according to the study.

Hacking gaming accounts, for example, can yield $1 per account, so it's potentially lucrative for cybercriminals to hack and sell online game accounts in mass, the report states.

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-42258
PUBLISHED: 2021-10-22
BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution, as exploited in the wild in October 2021 for ransomware installation. SQL injection can, for example, use the txtID (aka username) parameter. Successful exploitation can include ...
CVE-2020-28968
PUBLISHED: 2021-10-22
Draytek VigorAP 1000C contains a stored cross-site scripting (XSS) vulnerability in the RADIUS Setting - RADIUS Server Configuration module. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the username input field.
CVE-2020-28969
PUBLISHED: 2021-10-22
Aplioxio PDF ShapingUp 5.0.0.139 contains a buffer overflow which allows attackers to cause a denial of service (DoS) via a crafted PDF file.
CVE-2020-36485
PUBLISHED: 2021-10-22
Portable Ltd Playable v9.18 was discovered to contain an arbitrary file upload vulnerability in the filename parameter of the upload module. This vulnerability allows attackers to execute arbitrary code via a crafted JPEG file.
CVE-2020-36486
PUBLISHED: 2021-10-22
Swift File Transfer Mobile v1.1.2 and below was discovered to contain a cross-site scripting (XSS) vulnerability via the 'path' parameter of the 'list' and 'download' exception-handling.