Epic Games hit with another class-action suit, this time over account hacking
Fortnite is an incredibly popular game, and as the game only continues to grow in reach and value, the incentive for black-market activities within the game grows as well. Account hacking is a pretty major endeavor for scammers in any game, and that’s doubly true for the most popular battle royale title. That means that RMT (Real Money Trading) of in-game currency and items could potentially be a major influence in this whole kerfuffle.
Hackers will use many different tricks, with a very common one being those fake “free V-Bucks generators”. Often, these fake programs are bundled with malware that steals account information, including financial and gaming-related accounts. Some scammers also ask for your Epic login details as part of these scams. Either way, never use these programs; there is no legitimate way to obtain free V-Bucks using third-party tools.
One way scammers make money from stolen accounts, rather than just selling them directly, is to use any V-Bucks on the account to purchase skins that can then be traded for real cash via shady third-party services.
There are restrictions in place on skin gifting that make this a less viable option, but Fortnite accounts still hold some value despite these restrictions:
- iOS users are prohibited from gifting due to Apple policies.
- You must first purchase skins you wish to gift.
- Multi-factor authentication must be enabled on the user’s account. More information on how this can be accomplished can be found on the Epic Games website.
- You have to be friends with another player for 48 hours before you’ll be able to send a gift to them.
- Only three gifts can be given within a single 24-hour period.
- Gift purchases are completely non-refundable.
- You can only gift an item that is currently available in the Fortnite Item Shop.
So even though Epic takes account security seriously, there’s obviously room for improvement as thousands of accounts are breached on their services every year. And with the introduction of the GDPR privacy protections, breaches concerning personal information are taken much more seriously.
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. The policy is designed to enforce privacy online, requiring any service that deals with EU citizens to make reasonable efforts at disclosure when it comes to how they use consumer data. The laws also enforce an opt-in approach to consumer data, stating that personal data for users may not be utilized without consent.
Fines for violating this policy are severe. The law can levy fines for violations of up to 10 million Euros, or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher.
In this case though, simple account hacking is just the start. In January 2019, a bug in Fortnite was reported to expose the personal details of millions of player accounts. It allowed a hacker to take over the account of any game player, view sensitive information, purchase V-bucks, and listen to and record players’ in-game and background home conversations.
The attack itself was a relatively simple and common method, involving XSS, or cross-site scripting, to gain access to a user account. According to Check Point Research, “By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker. Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured by the attacker.”
Epic patched the problem swiftly, but damage was still done, as it’s doubtless that player account details were leaked, and people had their privacy invaded.
The class-action lawsuit, filed by Franklin D. Azar & Associates, asserts Epic Games’ “failure to maintain adequate security measures and notify users of the security breach in a timely manner.” The lawsuit is already more than 100 members strong, and states that the plaintiffs “have an ongoing interest in ensuring that their [sensitive information] is protected from past and future cybersecurity threats.”
This isn’t the first time Epic has run into legal problems with their flagship game. A few months ago, the company was hit with another suit over their handling of loot boxes within the Save the World game mode, a trend which they’ve promised to help reverse. While the lawsuit is still in the very early stages, things could get very rough for Epic should it move forward.
ISKMogul is a growing video game publication that got its start covering EVE Online, and has since expanded to cover a large number of topics and niches within the purview of gaming.