Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

3/14/2018
08:05 AM
Dawn Kawamoto
Dawn Kawamoto
Dawn Kawamoto
50%
50%

Fortnite Players Lob Shots at Epic Games Over Hacked Accounts

A number of Fortnite players recently suffered a breach of their Epic Game accounts, costing them hundreds of dollars and leaving them frustrated when they could not immediately reach the company for a refund.

Epic Games is facing a sizable challenge with its users, after a number of Fortnite players discovered cybercriminals had breached their game accounts and run up tabs worth hundreds of dollars.

Over the past several weeks, Fortnite players have been posting on Reddit and Fortnite's user forum board concerning problems they've faced in trying to get a refund for their breached accounts.

On Monday afternoon, for example, a player that goes by the name Darksplinter stated on Reddit:

So no idea how this happened, I don't click on stupid links that are shady. I never save my payment options to accounts but I must have accidentally saved it. Bought the standard save the world in February and I play it off and on with friends. Today I get emailed thanking for my purchases. Someone upgraded my standard to deluxe and then deluxe to ultimate, so that's $200 gone and well I kind of need that for my car payment.

Epic Games has issued some refunds, according to a smattering of Fortnite players on Reddit and the Fortnite forum board. Additionally, the company has also weighed in on the issue.

"We are aware of instances where users' accounts have been compromised using well-known hacking techniques and are working to resolve these issues directly with those players affected," Epic Games said in a statement to Kotaku.

Epic's tale
The game publisher recently posted a noticeon its website, acknowledging the breach and offering steps users should take. According to its statement:

We've seen several instances of account theft and fraud related to websites that claim to provide you free V-Bucks or the ability to share or buy accounts. Please never share your Epic account details with anyone. Epic will never ask you for your password through email, social media, or a non-Epic website. Groups claiming to provide special Fortnite deals this way are fraudulent.

At Epic, we've been working hard to try to hunt down password dumps in order to proactively reset passwords for player accounts when we believe they are leaked online. While this approach involves a lot of manual work on our side, we believe that it prevents a significant amount of fraud. However, this approach doesn't find every impacted account, or you might have created your Epic account after we checked a particular password dump.

As a result, we're working to further automate our process to check our account database against password dumps to close the gap on identifying impacted users and resetting their passwords. We're also working hard to enable multi-factor authentication in the next few weeks and plan to have an additional blog post with more details soon.

Got game? Cybercriminals do
According to a global surveylast year by Kaspersky Lab, 53% of survey respondents acknowledged they play online games.

Additionally, of the 17% of survey respondents who have experienced or been a target of an attack, 16% had their gaming accounts breached, according to the study.

Hacking gaming accounts, for example, can yield $1 per account, so it's potentially lucrative for cybercriminals to hack and sell online game accounts in mass, the report states.

Related posts:

— Dawn Kawamoto is an award-winning technology and business journalist, whose work has appeared in CNET's News.com, Dark Reading, TheStreet.com, AOL's DailyFinance and The Motley Fool.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15256
PUBLISHED: 2020-10-19
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and settin...
CVE-2020-15261
PUBLISHED: 2020-10-19
On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administr...
CVE-2020-6084
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
CVE-2020-6085
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
CVE-2020-10746
PUBLISHED: 2020-10-19
A flaw was found in Infinispan version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.