The EA Hack

The EA hack isn’t a special case. Not anymore. Hack, after hack, after hack, data leak after data leak, stolen game engine and asset, one after another. Game companies are being targeted deliberately for IP and code theft because it’s one of the few things that hackers can still steal with relative ease.

EA’s Track Record

This hack was due to a mix of authentication fraud and social engineering – it also seems to be their first major hack, if the lack of news about anything else is any evidence. Even Wikipedia doesn’t have much to say about past security instances. The one chance hackers had to get customer data was sealed off back in 2019, when a white-hat hacker group discovered the vulnerabilities and then alerted them that a sufficiently capable team would be able to get in, and then steal all of their customers’ payment data. EA’s record is cleaner than the industry average.

EA has a good track record with overarching security – many companies in the same worth bracket, including other game companies, can’t say that! Fellow gaming company Capcom got dinged with Ragnar ransomware, and while it “only” lost about 350,000 people’s worth of account data, it also lost its internal logs and couldn’t tell if they also lost credit card data. Blizzard, another big company with a good track record, suffers from persistent bot plagues that they’re unable to clear out. Human players then lose their data to particularly conniving bots and data thieves directly, no middleman hacked server necessary.

This Particular Hack

This hack was especially devious. A hacker used authentication cookies (cookies that “remember” the device or browser being authenticated with a code) to get into an EA slack channel, and then socially engineered their way past IT into the company’s internal network.

From there, downloading stuff was easy.

More than 780 GB of data (most of it source code) was captured, but the hacker group states that they couldn’t find a buyer. Source code is often trademarked, after all, and the consequences of buying another company’s coding aren’t worth having it. Many hackers would much rather have payment personal info than code. They then tried to extort EA by promising to release it, and uploading a little bit of the next FIFA game as proof that they were capable. After EA refused to pay the ransom, they released the remainder of the code as promised. Once again, using another company’s source code just doesn’t make sense in the long run, so it’s unclear what the long-term consequences will be for the company. However, they’re not the first ones to get extorted in this way: CD Projekt Red’s failed ransom should have served as a warning!

The CD Projekt Red Hack

CD Projekt Red, the game studio that created such classics as CyberPunk 2077 and Witcher 3, was hacked early last year. At that time, the hacker group responsible stole their game engine, and not much else – their customers were surprisingly uncompromised after the incident. The hacking team seemed to have a personal grudge against Projekt Red, so I can only assume the customer information was better-secured than the game engines themselves: who wouldn’t steal customer data if they were trying to completely trash a company’s reputation?

EA similarly partitioned customer data away. This is a good thing! Sort of like in a cruise  ship, separating data means that the entire company isn’t compromised as long as a gate somewhere stops the water from getting into other rooms.

And Other Examples

A Blizzard hack snatched emails (but not the unscrambled passwords) of an estimated 12 million players in 2012. This was easy to recover from – resetting the password was good enough for most accounts, but having those emails made the players unfortunately vulnerable to password stuffing attacks in the long run.

In 2011, an even bigger attack on Sony’s Playstation Network compromised the details of approximately 77 million users. This one stands out because both encrypted and unencrypted data was taken – credit card information that was encrypted wasn’t theoretically unscramble-able, but Sony, even with a week-long delay, couldn’t determine how much a hacker could actually squeeze from that data. Unencrypted data, which was basically all of the other personal details that could be attached to a player, was useable as soon as the hackers obtained it. Events like these served as warning for Blizzard, who encrypted much more, and then eventually for Xbox, Microsoft, CD Projekt Red, etc. as hacks became more prevalent.

Sources:

https://therecord.media/hackers-leak-full-ea-data-after-failed-extortion-attempt/

https://www.newsweek.com/electronic-arts-ea-origin-account-takeover-hacking-cybercrime-check-point-cyberint-1445976

https://www.ea.com/security