Fortnite is all of a sudden facing all sorts of problems in the press. On Wednesday, the company was forced to respond to accusations that its V-Bucks platform, which is used to buy in-game upgrades and items, is being used by cybercriminals to launder money. But it’s another headline that grabbed our attention today—one that posits the game’s 200 million-plus registered users’ accounts exposed to hacking.
According to an NBC News report, hackers used an elaborate phishing scam to dupe players into clicking a link that opened them up to the hacking. First discovered by cybersecurity firm Check Point Software Technologies back in November, the scheme took advantage of a security flaw in a couple of Epic Games’ (the studio that runs Fortnite) subdomains that were susceptible to a malicious redirect, giving hackers the ability to swipe a user’s legitimate authentication tokens—i.e. their login information.
Check Point said that it immediately alerted Epic Games to the flaw, and the studio confirmed to NBC News that it fixed the security hole earlier his month.
“We were made aware of the vulnerabilities and they were soon addressed,” a spokesperson told the news outlet. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
Assurances aside, the type of information and access that hackers were able to obtain while the flaw was still exposed is rather frightening. Once the user clicked on the link and had their account exploited, the hacker was able to gain access to the user’s account, including being able to purchase virtual in-game currency (V-Bucks) using the user’s payment card details. Additionally, the hacker would’ve been able to listen to in-game chats if they joined a Fortnite match with the hacked account.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” Oded Vanunu, head of products vulnerability research for Check Point, told NBC News. “[Instances like these] show how susceptible cloud applications are to attacks and breaches. These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold. Enforcing two-factor authentication could mitigate this account takeover vulnerability.”