Over 500,000 Activision accounts have reportedly been hacked in a new Activision data breach on September 20, leaving Call of Duty players in limbo. All Call of Duty players should be on notice after a major Activision hack has left millions of accounts in limbo. As of the time of publishing, over 500,000 Activision accounts have reportedly been hacked, with log-ins being leaked publicly. Hackers are then changing the account details, making it so the original owners can’t recover them. The breach was first reported by ‘oRemyy’ on Twitter. This was then confirmed by other content creators, like TheGamingRevolution, Prototype Warehouse, and Okami.
Stolen personal information is sold on the dark web and used by other cybercriminals to launch automated account takeover (ATO) attacks on other websites, where the same user might have had a registered account. The compromised accounts can then be used to commit fraud, which not only hurts the affected user but also the business whose website was targeted. For enterprises with an online presence, even if they are not part of a data breach, it is important to have bot mitigation capabilities to address ATO attacks. For consumers, it is best to use different passwords on different sites and lock down their credit records as much as possible.
Gaming is not simply entertainment for children; it is a thriving industry with highly sophisticated technology. For example, games now offer highly advanced simulators whereby individuals can embody a soldier, fighter pilot or even a football player. With the support of Virtual Reality technology, these games can become even more realistic. Moreover, we are witnessing a rise in E-sports, where tournaments and winners amass large pots of money. As there is a lot of money involved, it is normal for cyber criminals to target known game brands to access user accounts.
One might think that the value of hacking into an account is through reusing its password on other services. However, in reality, some of these gaming accounts themselves are worth a lot of money. Many accounts have a collection of virtual goods which can be acquired by gamers for real money. That means cybercriminals could gain profits just by selling one or many accounts which hold valuable virtual goods. It is true that they could benefit from other goodies such as passwords, payment information and email addresses, but in gaming, the real money lies in selling virtual goods. The other threat is also in the linking of other accounts like PSN, Xbox or Battlenet… As such, users of Activision should change their password on services where it has been reused.
Looks like it’s time for Call of Duty players to do the password change shuffle. COD players need to react quickly by changing their passwords and making sure that they didn’t use the same password on other accounts. Plus, since Activision hasn’t seen fit to offer two-factor authentication on player accounts, COD’ers will need to keep an eye on their accounts and hope for the best. Also, keep an eye on any Xbox, Battlenet, or Playstation Network accounts they may have linked to their Activision accounts.
Online gaming has been a target of attackers for several years now, with World of Warcraft, Zynga and Nintendo being just some of the big names that have been previously targeted. While in some games the accounts themselves can be monetized after the compromise (for example, when WoW was targeted, high-ranking characters and special weapons could be sold to the highest bidder), in many cases the breaches are a result of credential stuffing attacks and the creation of a service-specific username/password database.
These types of attacks use known email/password databases to check if users have reused their passwords on the gaming platform. If they have – the attackers can easily create a database of compromised accounts.
Users need to make sure they do not reuse passwords as even a strong password, once reused, becomes a security risk. In addition, users should always opt for additional security checks offered by the game such as two factor authentication. The gaming platform should provide these security features as well as use technologies such as CAPTCHA (to stop automated credential stuffing) and basic security checks such as device ID.
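As an added illustration (not part of the original article or any vendor's code), the following Python example shows how a platform could spot the credential stuffing pattern described above in its login logs using a device ID: one device trying many distinct accounts in a short window with few successes. The event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, device_id, username, success)
SAMPLE_EVENTS = (
    # dev-A: 12 different accounts in 22 seconds, one hit -> stuffing pattern
    [(1000 + 2 * i, "dev-A", f"player{i}@example.com", i == 7) for i in range(12)]
    # dev-B: one user mistyping their own password, then succeeding
    + [(1000, "dev-B", "alice@example.com", False),
       (1030, "dev-B", "alice@example.com", False),
       (1060, "dev-B", "alice@example.com", True)]
    # dev-C: shared console, several accounts but spread out and all valid
    + [(1000 + 400 * i, "dev-C", f"family{i}@example.com", True) for i in range(6)]
)

def flag_stuffing_sources(events, window_s=300, min_accounts=10, max_success_ratio=0.2):
    """Return device IDs that, within any window_s-second window, tried at least
    min_accounts distinct usernames with a success ratio <= max_success_ratio."""
    by_device = defaultdict(list)
    for ts, device, user, ok in events:
        by_device[device].append((ts, user, ok))

    flagged = set()
    for device, rows in by_device.items():
        rows.sort()                      # order by timestamp
        window = deque()
        for row in rows:
            window.append(row)
            # Drop attempts that fell out of the sliding window
            while row[0] - window[0][0] > window_s:
                window.popleft()
            users = {u for _, u, _ in window}
            successes = sum(1 for _, _, ok in window if ok)
            if len(users) >= min_accounts and successes / len(window) <= max_success_ratio:
                flagged.add(device)      # candidate for CAPTCHA challenge or block
                break
    return sorted(flagged)

def compromised_accounts(events, flagged):
    """Accounts a flagged device logged in to successfully: candidates for forced reset."""
    return sorted({u for _, d, u, ok in events if ok and d in flagged})

if __name__ == "__main__":
    bad = flag_stuffing_sources(SAMPLE_EVENTS)
    print("flagged devices:", bad)
    print("accounts to reset:", compromised_accounts(SAMPLE_EVENTS, bad))
```

The successful logins from a flagged device matter most: those are the accounts where a reused password worked and the owner needs a forced reset.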
Still shy of the 77 million accounts exposed in the PlayStation Network breach, this is a substantial breach. In part, the cleanup will be a large undertaking for Activision; we can only hope backups allow restoring original contact data, resetting access and managing the users who still cannot regain access, which should be a smaller group. But also, for anyone reusing information for the accounts, it is critical to change not only the access to the platform but also any other places the credentials are used.