Posts Tagged

EA

The EA Pride and Accomplishment Incident

Elizabeth Uncategorized November 26, 2021

EA – You can’t just do that.

I’ve talked about the incident before in my article on loot boxes, but the event was historic.

Star Wars Fans – Some Background

Star Wars fans are some of the most intense fans out there. People form units of stormtroopers IRL and march in parades for fun. Replica blasters, replica lightsabers, and good replica costumes cost upwards of hundreds of dollars. Disney has (or had, at least) an entire section of their park dedicated to it. There’s no question: the original trilogy is near – universally loved, and many people adopted it as a cornerstone of their childhoods, an aspect of their personality, or a way of understanding the world. It brings people together, for better or worse.

 Make a good series or game based off of this universe, and rake in money – The Mandalorian, for example, is quickly becoming what the prequels could not. Make a bad series or game, and your name goes down in infamy. Even though they’ve said several times that their hands were tied when it came to the script, Kellie Marie Tran and John Boyega got nonstop harassment until they either left Twitter or responded forcefully enough to stop the constant complaints after The Last Jedi.

Anyway, what I’m saying here is that the Star Wars fan base is not the kind of fan base you can just toss IP at and hope they take it. It takes capturing the right ‘vibe’ of Star Wars, and even if you get the color palette, the story, and the general setting right, you can still produce something they don’t like if the concept itself is off.

EA – Star Wars Battlefront and Battlefront II

As a result, when a company stumbles upon something the fans really like, they’ll ride that horse as long as they can! Enter Star Wars Battlefront in 2004, one of the most loved action-based Star Wars games out there. I remember playing it myself! It really is a good game, even if you don’t like Star Wars. Very enjoyable. It came before a lot of other ‘contested’ or ‘non-canon’ content entered the universe, so fans were willing to trust and enjoy it from the get-go.

Star Wars is nothing if not sequels, though, so now we get to the point of this article (skipping over some other well-liked sequels and reboots to get there) Star Wars Battlefront… II.

The world has changed since the first entries into the series. Fans are more polarized than ever – the critics saying The Last Jedi was merely okay were said to have been paid off, because the idea that anybody even slightly liked the film was unbelievable in some corners of the web. This produces a lot of pressure for game studios. Their old work is put on a pedestal, and their new work has to live up to it. If it does live up to it, the game’s as good as gold. If it doesn’t, fans may remove themselves from the game network. Not everyone playing the game has to be a Star Wars fan, and not every Star Wars fan has to leave, but annoying too many fans of any franchise is a good way to throw away the money you spent on licensing. As such, it’s critical to maintain good relationships with the community.

 Anyway, Battlefront II released in 2017, and fans were pretty happy with it, at first. It’s online multiplayer was decent, it’s arenas were diverse and exciting, and the gameplay was really good, except for one factor. Darth Vader and Luke Skywalker took 40 hours to unlock. Each.

Pride And Accomplishment

That’s an enormous amount of time. An entire workweek. You could play nearly the entire main line of Halo games in 40 hours. EA did not have the kind of record that would allow fans to overlook this.

EA has made mistakes that got it bad press before: it used to regularly acquire smaller studios, and then eat the content they had lined up before discarding said studios; it used to force developers into perma-crunchtime, so every week was release week; and it got into some nasty licensing issues when it owned exclusive rights to make NFL games with NFL logos and players. That’s barely even gameplay related! It got awarded Worst Company of the Year from Consumerist just months after BP spilled millions of gallons of oil into the coast with a burst pipeline. Why? The endings to Mass Effect 3 were all the same.

So it’s not unfair to say EA’s gotten into trouble with their public perception before. The issue this time is that they tried to explain themselves on Reddit, a public forum where anyone with an account is able to comment. Earlier, players had discovered that it was nearly impossible to earn the character Darth Vader in the game with in-game points. That’s frustrating – Darth Vader is a really good character. But whatever, right? Everyone’s on the same footing, so people with Darth Vader just worked really hard to get him, and spent like 40 hours getting credits to unlock him, and then 300 hours grinding for the top level, right?

Right?

You wouldn’t allow some players to bypass this system with real money, right??

Turns out, that’s exactly what they did! Players could purchase Darth Vader and gain an undue advantage over other players with plain ol’ cash. May I remind you, this game isn’t free-to-play. It cost 60$ just to play the game! Tacking on in-game purchases is already iffy on cheaper games, but a Triple A title? Obviously people were upset, and EA decided to comment where they saw negativity on the Battlefront subreddit. When asked how they could justify the double-charging for what was essentially the game’s easy-mode, they responded with this:

Screenshot directly from the original Reddit Thread

Note the number of downvotes. This is the single-most downvoted comment in Reddit history. There are roughly six times as many downvotes on this post as there were total members of the subreddit at the time. People point out how ridiculous it is to expect players to stay on their game for an entire work week’s worth of time. Others speculate that Darth Vader takes so many credits because they want users to spend all their in game credits on Vader, thus forcing them to buy the lootboxes in-game for upgraded gear. No matter how EA tried to spin it, the ‘sense of pride and accomplishment’ came down to spending money. The people running the Reddit account had no idea what they actually looked like in the customer’s eyes. Star Wars fans turned on EA – highly polarized audiences will meme on anything, and EA’s poor response splattered the front page of other subreddits.

How could they have possibly salvaged it, though? The gameplay plan was already implemented. They either didn’t listen to Beta testers or didn’t test for this specific issue – getting Vader was hard. Obnoxiously hard. The thought of the potential profits likely blinded them to the possibility of Star Wars fans not simply accepting new IP and being happy. After all, the series was good, right? Star Wars fans will shell out a lot of money for good content, right? Some did – many more were upset, though.

 Fixing it once the cat was out of the bag would mean shortening the length of time it took to get Vader and Luke, which would irritate the people who already bought him. They painted themselves into a corner, and their only option was to walk on the wet paint, one way or another.

Sources:

https://fortune.com/2017/11/29/ea-star-wars-battlefront-2-controversy-stock/

https://www.reddit.com/r/StarWarsBattlefront/comments/7cff0b/seriously_i_paid_80_to_have_vader_locked/dppum98/?st=JH2MUORV&sh=5997c5a5 (the original thread)

The EA Hack

Elizabeth Uncategorized November 19, 2021

The EA hack isn’t a special case. Not anymore. Hack, after hack, after hack, data leak after data leak, stolen game engine and asset, one after another. Game companies are being targeted deliberately for IP and code theft because it’s one of the few things that hackers can still steal with relative ease.

EA’s Track Record

This hack was due to a mix of authentication fraud and social engineering – it also seems to be their first major hack, if the lack of news about anything else is any evidence. Even Wikipedia doesn’t have much to say about past security instances. The one chance hackers had to get customer data was sealed off back in 2019, when a white-hat hacker group discovered the vulnerabilities and then alerted them that a sufficiently capable team would be able to get in, and then steal all of their customers’ payment data. EA’s record is cleaner than the industry average.

EA has a good track record with overarching security – many companies in the same worth bracket, including other game companies, can’t say that! Fellow gaming company Capcom got dinged with Ragnar ransomware, and while it “only” lost about 350,000 people’s worth of account data, it also lost its internal logs and couldn’t tell if they also lost credit card data. Blizzard, another big company with a good track record, suffers from persistent bot plagues that they’re unable to clear out. Human players then lose their data to particularly conniving bots and data thieves directly, no middleman hacked server necessary.

This Particular Hack

This hack was especially devious. A hacker used authentication cookies (cookies that “remember” the device or browser being authenticated with a code) to get into an EA slack channel, and then socially engineered their way past IT into the company’s internal network.

From there, downloading stuff was easy.

More than 780 GB of data (most of it source code) was captured, but the hacker group states that they couldn’t find a buyer. Source code is often trademarked, after all, and the consequences of buying another company’s coding aren’t worth having it. Many hackers would much rather have payment personal info than code. They then tried to extort EA by promising to release it, and uploading a little bit of the next FIFA game as proof that they were capable. After EA refused to pay the ransom, they released the remainder of the code as promised. Once again, using another company’s source code just doesn’t make sense in the long run, so it’s unclear what the long-term consequences will be for the company. However, they’re not the first ones to get extorted in this way: CD Projekt Red’s failed ransom should have served as a warning!

The CD Projekt Red Hack

CD Projekt Red, the game studio that created such classics as CyberPunk 2077 and Witcher 3, was hacked early last year. At that time, the hacker group responsible stole their game engine, and not much else – their customers were surprisingly uncompromised after the incident. The hacking team seemed to have a personal grudge against Projekt Red, so I can only assume the customer information was better-secured than the game engines themselves: who wouldn’t steal customer data if they were trying to completely trash a company’s reputation?

EA similarly partitioned customer data away. This is a good thing! Sort of like in a cruise  ship, separating data means that the entire company isn’t compromised as long as a gate somewhere stops the water from getting into other rooms.

And Other Examples

A Blizzard hack snatched emails (but not the unscrambled passwords) of an estimated 12 million players in 2012. This was easy to recover from – resetting the password was good enough for most accounts, but having those emails made the players unfortunately vulnerable to password stuffing attacks in the long run.

In 2011, an even bigger attack on Sony’s Playstation Network compromised the details of approximately 77 million users. This one stands out because both encrypted and unencrypted data was taken – credit card information that was encrypted wasn’t theoretically unscramble-able, but Sony, even with a week-long delay, couldn’t determine how much a hacker could actually squeeze from that data. Unencrypted data, which was basically all of the other personal details that could be attached to a player, was useable as soon as the hackers obtained it. Events like these served as warning for Blizzard, who encrypted much more, and then eventually for Xbox, Microsoft, CD Projekt Red, etc. as hacks became more prevalent.

Sources:

https://therecord.media/hackers-leak-full-ea-data-after-failed-extortion-attempt/

https://www.newsweek.com/electronic-arts-ea-origin-account-takeover-hacking-cybercrime-check-point-cyberint-1445976

https://www.ea.com/security