It's not customer data, it's the source code for the engines, which could lead to people more easily creating hacks for those engines in the future. Like people that cheat in online multiplayer matches.
Doesn't hurt to change your log in anyway, better safe than sorry.
Debug tools, SDK (Software Development Kit) and API (Application Programming Interface) keys
FIFA 21 matchmaking server
FIFA 22 API keys and some SDK & debugging tools
FrostBite engine source code and debug tools
Many proprietary EA games frameworks and SDKs
XBox and Sony private SDK and API key
XB, PS and EA PFX and CRT with key (file formats of SSL/TLS certificates)
They also included images of software samples to show proof of its authenticity.
Most importantly, the bid's description mentioned: "You have full capability of exploiting on ALL EA services"
Scary in the hands of a unethical but intelligent nemesis.
PS: I also want to add that what was hacked is NOT ransomeware = the hackers didn't approach EA demanding money for what they stole. Instead, they are selling this on the dark web for anyone with serious money.
Thank you for sharing @simgirl1010
I agree with what others have said about changing passwords just incase (in fact, I think regularly changing passwords is a good habit anyway!)
Could someone please help me, I'm not very technical-minded. I know what purpose someone would have for stealing customer data, but why would someone want source code? Would someone please explain to me, I'm curious.
Thank you for sharing @simgirl1010
I agree with what others have said about changing passwords just incase (in fact, I think regularly changing passwords is a good habit anyway!)
Could someone please help me, I'm not very technical-minded. I know what purpose someone would have for stealing customer data, but why would someone want source code? Would someone please explain to me, I'm curious.
When it comes to games, I'm not sure.
The people that stole the code will probably sell it on the black market, that's what happened to CDPR's stolen source code (for Witcher and Cyberpunk).
I think the things that EA and CDPR should worry about are potential vulnerabilities in the code which people could use to create programs that could be used for cheating or other things. I'm assuming that when you sell a game, it's pretty locked so people can't modify everything in it, maybe with encrypted files. Now EA and CDPR have to make sure that can't be exploited in their games.
This is why it's important that you have an antivirus software on your computer for example (at least for PC) because that program checks to make sure that your system files don't change or another file is causing a program to do something it shouldn't.
Thank you @logion I appreciate you taking the time to explain. I suppose it would be more an issue for online/multiplayer games?
Silly me tends to forget that EA do more games than the Sims .
I am not so concerned about log ins due to two factor and the fact I never used my card, but it does have me worry for online components of the game. With new insights into the source code and game code, who knows if something like the gallery could potentially hide malware. I have no idea what security they have in place for someone attempting to do that.
Who pays 28 million USD just to be able to hack some games? Must be really important to win at FIFA or something.
Yeah, some of those FIFA gamers are really obsessive to win their games! I think whoever buys the source code could stand to make a lot of money from reading through the source code and creating hacks from it. The source code for example would show what the true percentages are for acquiring the more valuable loot boxes, so the modder can produce programs to improve the likelihood of getting those more valuable assets. Also check for vulnerabilities in the game that they can take advantage of somehow. Or even just to copy the coding technology for their own games. I can imagine some of the Frostbite engine would be interesting to other game developers.
It was bound to happen sooner or later, nothing is hack proof. You can try change your passwords and what not but the bottom line is that it is EA's service you are using and it wouldn't really matter. If it can be done once it can be done twice, even after the changes from EA's side and nothing would prevent it from happening on that second attempt either.
The best you can hope for is that EA doesn't get hacked twice.
There have been some new information which explains how they managed to hack them as well. Turns out it was social engineering. They managed to make them believe that they were an employee who had lost their phone at a party and wanted a new one.
Unfortunately it's still common that this happens in companies because people don't believe that the person on the other end might not be who they claim to be...
There have been some new information which explains how they managed to hack them as well. Turns out it was social engineering. They managed to make them believe that they were an employee who had lost their phone at a party and wanted a new one.
Unfortunately it's still common that this happens in companies because people don't believe that the person on the other end might not be who they claim to be...
It's pretty worrisome how easy it was. I read these two articles based off an interview by Motherboard (tech section of Vice) with the actual hacking group (Like, what? Huh? How'd you do that?!?? You're not gonna turn them in??):
First, the hacking group purchased stolen EA cookies off the dark web for $10:
Cookies are one of the most commonplace convenience features of the internet and web services, responsible for saving login data and sessions. With them, you can avoid having to enter your authentication credentials every time you visit the same webpage, for instance, and they can also be used to record a log of visits. However what few may realize is that there’s also a marketplace for stolen cookies online, sold for nefarious purposes. -Slashgear
You know how lots of websites now ask your permission to allow for the use of cookies? So now I'm wondering whether I should give that permission or not. I always have the tendency to never have anything save passwords for auto-login. I always enter them manually even though having it automated would be so much easier. But now I'm wondering what else is being stored in the cookies created....
Also, I didn't know a $10 investment could potentially give you a $28 million return. 😲
Second, they used the information in the EA cookies to access a Slack channel that EA uses. Slack channels are group chat areas that a team uses for collaboration and communication on a project.
“Once inside the chat we messaged a (EA) IT Support members we explain to them we lost our phone at a party last night,” the hackers’ representative explains. -Slashgear
And then requested a multifactor authentication token which the EA IT Support granted. They did this TWICE, so they obtained two tokens in total.
After that, it was even more easy-peasy:
Once inside EA's network, the hackers found a service for EA developers for compiling games. They successfully logged in and created a virtual machine giving them more visibility into the network, and then accessed one more service and downloaded game source code. -Vice
This Needs Video Verification:
I think one of the major problems is that they were too lax about identification. EA players are urged to use 2-step verification which is great, but for employees, it should be so much more. Notice how everything is "anonymous"? No visual verification. I think it might be getting easier and easier for hackers to get passwords and answers to security questions, and getting verification codes from email. I think they should add a visual verification step for employees. I think they should add something like Skype or Zoom to prove that the person asking for an authentication token is actually working for the company. Not just still images of employees - it should need to be an actual live video of the employee requesting it - make sure it is live and not some prerecorded video.
I also wonder about EA's IT support that gave the authentication tokens. Are they still working for EA or are they fired now?
Hopefully EA focuses on security measures, like 2FA and VPN for employees and that they also always double check if a situation like that happens so they can confirm that you actually work at the company.
Meh, I have gotten so many emails & letters saying my info may have been compromised during a data breach that I have gone from panicking to 🤷🏼♀️ Whatever.
Meh, I have gotten so many emails & letters saying my info may have been compromised during a data breach that I have gone from panicking to 🤷🏼♀️ Whatever.
Um, okay. That's fine for one person I guess because it will only be your loss, but that kind of attitude for a corporation is how EA got hacked. Many reports on the EA hack also worried about employee data being compromised and exposed to the dark web.
Meh, I have gotten so many emails & letters saying my info may have been compromised during a data breach that I have gone from panicking to 🤷🏼♀️ Whatever.
You start to disbelieve them when they ask you for your personal details so that they can keep you safe! If they start doing that you should report them to a Fraud site in whatever country you are in.
There is a site to check on whether you might be compromised for emails and passwords. An old one I had was compromised a long time ago. I never leave my debit card saved anywhere now. An online shop lately did a check-up to see if I was who I said I was, so the well run sites are checking on this.
Comments
Yeah, source code and consumer data are different things, but you never know if they did find some, so it's best to veer on the safe side.
Doesn't hurt to change your log in anyway, better safe than sorry.
It's always a good idea to use 2 factor authentication.
https://www.youtube.com/watch?v=n92-ejFx2Bc
Article from MSN: FIFA 21, Battlefield, And More Games' Data Stolen From EA, Selling For $28 Million in Hacking Forums
Stuff reported to be "acquired":
They also included images of software samples to show proof of its authenticity.
Most importantly, the bid's description mentioned: "You have full capability of exploiting on ALL EA services"
Scary in the hands of a unethical but intelligent nemesis.
PS: I also want to add that what was hacked is NOT ransomeware = the hackers didn't approach EA demanding money for what they stole. Instead, they are selling this on the dark web for anyone with serious money.
I agree with what others have said about changing passwords just incase (in fact, I think regularly changing passwords is a good habit anyway!)
Could someone please help me, I'm not very technical-minded. I know what purpose someone would have for stealing customer data, but why would someone want source code? Would someone please explain to me, I'm curious.
PES is king.
When it comes to games, I'm not sure.
The people that stole the code will probably sell it on the black market, that's what happened to CDPR's stolen source code (for Witcher and Cyberpunk).
I think the things that EA and CDPR should worry about are potential vulnerabilities in the code which people could use to create programs that could be used for cheating or other things. I'm assuming that when you sell a game, it's pretty locked so people can't modify everything in it, maybe with encrypted files. Now EA and CDPR have to make sure that can't be exploited in their games.
This is why it's important that you have an antivirus software on your computer for example (at least for PC) because that program checks to make sure that your system files don't change or another file is causing a program to do something it shouldn't.
Silly me tends to forget that EA do more games than the Sims .
Yeah, some of those FIFA gamers are really obsessive to win their games! I think whoever buys the source code could stand to make a lot of money from reading through the source code and creating hacks from it. The source code for example would show what the true percentages are for acquiring the more valuable loot boxes, so the modder can produce programs to improve the likelihood of getting those more valuable assets. Also check for vulnerabilities in the game that they can take advantage of somehow. Or even just to copy the coding technology for their own games. I can imagine some of the Frostbite engine would be interesting to other game developers.
The best you can hope for is that EA doesn't get hacked twice.
Unfortunately it's still common that this happens in companies because people don't believe that the person on the other end might not be who they claim to be...
It's pretty worrisome how easy it was. I read these two articles based off an interview by Motherboard (tech section of Vice) with the actual hacking group (Like, what? Huh? How'd you do that?!?? You're not gonna turn them in??):
How Hackers Used Slack to Break into EA Games (Vice)
A representative for the hackers explained to Motherboard how the group stole a wealth of data from the game publishing giant.
First, the hacking group purchased stolen EA cookies off the dark web for $10:
You know how lots of websites now ask your permission to allow for the use of cookies? So now I'm wondering whether I should give that permission or not. I always have the tendency to never have anything save passwords for auto-login. I always enter them manually even though having it automated would be so much easier. But now I'm wondering what else is being stored in the cookies created....
Also, I didn't know a $10 investment could potentially give you a $28 million return. 😲
Second, they used the information in the EA cookies to access a Slack channel that EA uses. Slack channels are group chat areas that a team uses for collaboration and communication on a project.
And then requested a multifactor authentication token which the EA IT Support granted. They did this TWICE, so they obtained two tokens in total.
After that, it was even more easy-peasy:
This Needs Video Verification:
I think one of the major problems is that they were too lax about identification. EA players are urged to use 2-step verification which is great, but for employees, it should be so much more. Notice how everything is "anonymous"? No visual verification. I think it might be getting easier and easier for hackers to get passwords and answers to security questions, and getting verification codes from email. I think they should add a visual verification step for employees. I think they should add something like Skype or Zoom to prove that the person asking for an authentication token is actually working for the company. Not just still images of employees - it should need to be an actual live video of the employee requesting it - make sure it is live and not some prerecorded video.
I also wonder about EA's IT support that gave the authentication tokens. Are they still working for EA or are they fired now?
Um, okay. That's fine for one person I guess because it will only be your loss, but that kind of attitude for a corporation is how EA got hacked. Many reports on the EA hack also worried about employee data being compromised and exposed to the dark web.
You start to disbelieve them when they ask you for your personal details so that they can keep you safe! If they start doing that you should report them to a Fraud site in whatever country you are in.
There is a site to check on whether you might be compromised for emails and passwords. An old one I had was compromised a long time ago. I never leave my debit card saved anywhere now. An online shop lately did a check-up to see if I was who I said I was, so the well run sites are checking on this.
https://haveibeenpwned.com/