Back in January, Epic Games announced to its customers that there was a security breach that may have put many user accounts at risk. The company stated that Fortnite had a bug in its system that could have exposed the personal information of millions of player accounts. The issue was fixed, but that is only the beginning. According to an article on GameSpot, a class-action lawsuit has recently been filed against Epic Games by Franklin D. Azar & Associates in the US District Court in North Carolina. The suit claims that Epic Games didn’t “maintain adequate security measures” and didn’t take steps to notify the people whose accounts were hacked.
Check Point Security reported to Epic that they were breached back in November of 2018. Epic announced the security breach in 2019, with an announcer stating, “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others.”
According to a GameSpot article, Check Point’s report stated that passwords didn’t matter in this breach. The breach, as explained by Check Point Security, was one in which, “By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker. Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured by the attacker.” In other words, a single click on an unsecure URL could place one’s personal information in the hands of a complete stranger. The head of products vulnerability at Check Point, Oded Vanunu, explained that because the breach existed in a legitimate domain, anti-phishing programs, even if installed, would not have been able to detect it.
The vulnerability came from an unsecure URL that was created back in 2004 for an Unreal Tournament records page. Before the page was removed, a hacker could have used it to make use of the access tokens that players might have used to log in to Epic Games’ servers and their Fortnite accounts. While all the major security breaches have been patched, Epic Games will still have to deal with the suit, which has over 100 members involved. Little more is known about the suit at this time, but more will be revealed when new information is released.