Experts On Major Activision Hack Reportedly Compromises Over 500k CoD Accounts

Over 500,000 Activision accounts have reportedly been hacked in a new Activision data breach on September 20, with log-ins being leaked publicly as of the time of publishing. All Call of Duty players should be on notice: the hack has left millions of accounts in limbo. Hackers are then changing the account details so that the original owners can’t recover them. The breach was first reported by ‘oRemyy’ on Twitter and was then confirmed by other content creators, such as TheGamingRevolution, Prototype Warehouse, and Okami.

More information: https://www.dexerto.com/call-of-duty/major-activision-hack-reportedly-compromises-over-500k-cod-accounts-1422141

Expert Comments

September 22, 2020
Kim DeCarlis
CMO
PerimeterX
Stolen personal information is sold on the dark web and used by other cybercriminals to launch automated account takeover (ATO) attacks on other websites, where the same user might have had a registered account. The compromised accounts can then be used to commit fraud, which not only hurts the affected user but also the business whose website was targeted. For enterprises with an online presence, even if they are not part of a data breach, it is important to have bot mitigation capabilities to address ATO attacks. For consumers, it is best to use different passwords on different sites and lock down their credit records as much as possible.
September 22, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
Gaming is not simply entertainment for children, it is a thriving industry with highly sophisticated technology. For example, games now offer highly advanced simulators whereby individuals can embody a soldier, fighter pilot or even a football player. With the support of Virtual Reality technology, these games can become even more realistic. Moreover, we are witnessing a rise in E-sports, where tournaments and winners amass large pots of money. As there is a lot of money involved, it is normal for cyber criminals to target known game brands to access user accounts. One might think that the value of hacking into an account is through reusing its password on other services. However, in reality, some of these gaming accounts themselves are worth a lot of money. Many accounts have a collection of virtual goods which can be acquired by gamers for real money. That means cybercriminals could gain profits just by selling one or many accounts which hold valuable virtual goods. It is true that they could benefit from other goodies such as passwords, payment information and email addresses, but in gaming, the real money lies in selling virtual goods. The other threat is also in the linking of other accounts like PSN, Xbox or Battlenet… As such, users of Activision should change their password on services where it has been reused.
September 22, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
Looks like it's time for Call of Duty players to do the password change shuffle. COD players need to react quickly by changing their passwords and making sure that they didn't use the same password on other accounts. Plus, since Activision hasn't seen fit to offer two-factor authentication on player accounts, COD'ers will need to keep an eye on their accounts and hope for the best. Also, keep an eye on any Xbox, Battlenet, or PlayStation Network accounts they may have linked to their Activision accounts.
September 22, 2020
Etay Maor
Director of Security Strategy
Cato Networks
Online gaming has been a target of attackers for several years now, with World of Warcraft, Zynga and Nintendo being just some of the big names that have been previously targeted. While in some games the accounts themselves can be monetized after the compromise (for example, when WoW was targeted, high-ranking characters and special weapons could be sold to the highest bidder), in many cases the breaches are a result of credential stuffing attacks and the creation of a service-specific username/password database. These types of attacks use known email/password databases to check if users have reused their passwords on the gaming platform. If they have, the attackers can easily create a database of compromised accounts. Users need to make sure they do not reuse passwords as even a strong password, once reused, becomes a security risk. In addition, users should always opt for additional security checks offered by the game such as two-factor authentication. The gaming platform should provide these security features as well as use technologies such as CAPTCHA (to stop automated credential stuffing) and basic security checks such as device ID.
September 21, 2020
Martin Jartelius
CSO
Outpost24
Still shy of the 77 million accounts exposed on the PlayStation Network breach, this is a substantial breach. In parts the cleanup will be a large undertaking for Activision, we can only hope backups allow restoring original contact data, resetting access and managing the users who still cannot regain access which should be a smaller group. But also for anyone reusing information for the accounts it is critical to not only change the access to the platform but also any other places the credentials are used.
September 21, 2020
David Kennefick
Product Architect
edgescan
While reports of a database leak are unconfirmed, it might be worth going and changing your Activision passwords just in case. In general, it is best practice to enable MFA where possible, especially on accounts where there is valuable information available. This option doesn’t seem to be available on Activision.com, and there are also a few questionable password policies including limits of 20 characters and disallowed special characters such as []{}|". When using a password manager there are fewer limitations on password complexity, so they may consider removing these restrictions to encourage better password complexity and management. Much like all supposed breaches, you should be cautious and change any associated passwords. It may also be a good time to go and review any permissions or linked accounts that may be associated with your Activision account. There is the possibility to link all major gaming platforms such as Steam, Xbox, PlayStation as well as Twitch, YouTube for streaming, and if you are not utilising these integrations it might be best to remove them.
September 21, 2020
Niamh Muldoon
Senior Director of Trust and Security EMEA
OneLogin
This just goes to show the importance of multi-factor authentication. Strong authentication is a requirement to implement strong access control to make it harder for cybercriminals to access accounts. It is also a reminder that users should be setting strong and unique passwords, employing a password manager if necessary to avoid reusing passwords across accounts. Affected individuals need to be on the lookout for suspicious activity and be wary of any potential phishing emails that come through. If in doubt, contact the source directly. Given the profile of Call of Duty end-users, predominantly young male adults who may not be security conscious and/or aware, Activision now have a great opportunity to consider rolling out access control training and awareness through their platform as well as implement strong access control into their platform. Partnering with Trusted Security platform providers will support Activision in delivering quality services to their end-users while balancing cost and risk.
September 21, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Any account that is created online, even if it has no direct monetary value, or seems trivial, has some value to criminals. Therefore, criminals are always looking for ways to compromise accounts and use them for nefarious purposes. Many games require accounts to be created to play online. For many players, this is a trivial affair and not much thought is given to security. However, this is precisely what makes them an appealing target looking to compromise large numbers of accounts quickly. Therefore, people should always take care to not reuse passwords and secure their accounts with 2FA wherever it is made available. Similarly, service providers have a responsibility to ensure that any accounts are secured appropriately and there are layered defences that protect, detect, and respond to any attacks quickly.