CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

EA Confirms Account Takeover Attacks Compromising High-Profile Gamers via Phishing and Social Engineering Attacks

Alicia Hope·January 20, 2022

Electronic Arts (EA) confirmed that attackers used phishing and social engineering tactics to execute account takeover attacks against high-profile FIFA Ultimate Team (FUT) gamers.

In a statement posted on its website, EA disclosed that fewer than 50 accounts have been compromised via phishing techniques and employee mistakes. However, reports of lower-ranking hacked FIFA 22 accounts have also surfaced online, suggesting that the number of account takeovers via phishing could be much higher than EA has admitted.

Subsequently, EA adopted stringent account verification measures to protect accounts from illegal takeovers. The company also promised to contact affected gamers and restore the accounts to their legitimate owners.

At least two high-profile victims reported alleged identity theft stemming from the EA breach on social media. One victim has considered suing the company.

Attackers bypassed two-factor authentication through phishing and social engineering techniques

EA confirmed that attackers used phishing and other social engineering techniques to bypass the account verification process and compromise high-profile accounts.

“Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts,” EA wrote.

According to Javvad Malik, a security awareness advocate at KnowBe4, social engineering attacks are the worst attacks against organizations and individuals. He recommended using strong and unique passwords and activating multi-factor authentication (MFA) to defeat phishing attacks.

“However, even with these technical controls, it is still possible that an account can be compromised through social engineering.”

Eurogamer first reported the account takeover attacks after several accounts were found to have been stripped of FIFA points and coins. The attackers reportedly used Gamertags taken from FIFA leaderboards to convince EA staff that they were the legitimate owners.

Additionally, EA account service representatives allegedly revealed the email addresses associated with the Gamertags and reset the passwords, allowing the attackers to complete the account takeover.

EA implements stringent security measures to protect players from account takeover attacks

EA acknowledged that the human factor was a risk element in account security, and admitted that it could try harder to protect user accounts from social engineering attacks.

“Hackers prey on human vulnerabilities and, in this case, have capitalized on the fact that customer service teams are under considerable pressure to deliver a good customer experience and help people with their queries as quickly as possible,” said James Alliband, Senior Manager Product Strategy at Tessian.

EA is implementing additional steps to the account management process and reinforcing account security practices to protect its users from account takeover attacks.

All EA account service staff will receive individualized re-training and additional team training, with a specific emphasis on account security best practices and defending against social engineering attacks such as phishing.

Malik highlighted the importance of user cybersecurity training in protecting accounts from phishing and other social engineering attacks.

“Whether that be through an organization rolling out a security awareness and training program, or be it through useful on-screen hints and tips on consumers’ login pages reminding them to not share personal details or login codes with others, and to be wary of emails claiming to be from the organization,” said Malik.

Additionally, EA introduced additional requirements to the account ownership verification process, such as mandatory managerial approvals for sensitive changes like email change requests.

The company will also update its customer experience software to identify suspicious activity, flag at-risk accounts, and eliminate the potential for human error in the account update process.
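As an added illustration, not EA's code nor any detail of its customer experience software, the following gate for support-initiated account changes encodes the three controls described above: information that is public anyway (such as a Gamertag on a leaderboard) is never accepted as proof of ownership, sensitive changes on high-profile or flagged accounts need a second person's approval, and a burst of sensitive changes flags the account for review and blocks further changes. The action names, proof categories, thresholds and audit-record format are assumptions made for the example.

```python
# Added example (not EA's code): a gate for sensitive account changes requested
# through customer support. Action names, proof categories, thresholds and the
# audit format are assumptions for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Actions that can hand an account to whoever requests them.
SENSITIVE_ACTIONS = {"email_change", "password_reset", "disclose_email"}

# Evidence that actually ties the requester to the account. A Gamertag or
# anything else visible on a public leaderboard is deliberately absent.
ACCEPTED_PROOFS = {"totp_code", "confirmation_from_account_email", "purchase_receipt"}

# This many applied sensitive actions inside the window marks the account at-risk.
VELOCITY_LIMIT = 2
VELOCITY_WINDOW = timedelta(hours=24)


@dataclass
class Account:
    account_id: str
    gamertag: str
    high_profile: bool = False             # e.g. listed on a public leaderboard
    risk_flags: list = field(default_factory=list)
    sensitive_history: list = field(default_factory=list)  # timestamps of applied actions


@dataclass
class ChangeRequest:
    account: Account
    action: str
    agent_id: str                          # support agent handling the ticket
    proof: str                             # how the requester proved ownership
    manager_approval: Optional[str] = None # approving manager id, if any
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


AUDIT_LOG: list = []   # every decision lands here for later review


def _decide(req: ChangeRequest) -> tuple:
    acct = req.account
    if req.action not in SENSITIVE_ACTIONS:
        return True, "not a sensitive action"

    # 1. Public information is not proof of ownership.
    if req.proof not in ACCEPTED_PROOFS:
        return False, f"'{req.proof}' does not prove ownership"

    # 2. Velocity check: repeated sensitive changes in a short window flag the
    #    account and stop further changes until a human reviews it.
    recent = [t for t in acct.sensitive_history if req.at - t <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        if "at_risk" not in acct.risk_flags:
            acct.risk_flags.append("at_risk")
        return False, "account flagged at_risk: too many sensitive changes"

    # 3. High-profile or flagged accounts need a second person to approve,
    #    and the approver may not be the agent who raised the request.
    needs_manager = acct.high_profile or bool(acct.risk_flags)
    if needs_manager and not req.manager_approval:
        return False, "managerial approval required"
    if req.manager_approval == req.agent_id:
        return False, "approver must differ from requesting agent"

    return True, "verified"


def evaluate(req: ChangeRequest) -> tuple:
    """Decide whether a support-initiated change may proceed.

    Returns (allowed, reason); applied sensitive actions are remembered for the
    velocity check and every decision is appended to AUDIT_LOG.
    """
    allowed, reason = _decide(req)
    if allowed and req.action in SENSITIVE_ACTIONS:
        req.account.sensitive_history.append(req.at)
    AUDIT_LOG.append({
        "account": req.account.account_id, "action": req.action,
        "agent": req.agent_id, "proof": req.proof, "manager": req.manager_approval,
        "allowed": allowed, "reason": reason, "at": req.at.isoformat(),
    })
    return allowed, reason


if __name__ == "__main__":
    # Constructed sample: a leaderboard player whose Gamertag an impostor quotes.
    pro = Account("A1", "ProPlayer", high_profile=True)
    print(evaluate(ChangeRequest(pro, "disclose_email", "agent7", proof="gamertag")))
    print(evaluate(ChangeRequest(pro, "email_change", "agent7", proof="totp_code")))
    print(evaluate(ChangeRequest(pro, "email_change", "agent7", proof="totp_code",
                                 manager_approval="mgr2")))
```

The ordering matters: the ownership check runs before the approval check, so a manager cannot "approve away" a request that never proved ownership, and the velocity flag is recorded even on a denied request so the account stays under review.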

EA warned that the new security measures would affect its users’ customer experience. However, many FIFA gaming fans on Reddit were less critical of the proposed security changes, since they would protect them from account takeover attacks.

EA also promised to examine every report of a suspicious email change and every reported account.

“This is a good opportunity for EA to review their policies on such high-profile attacks to understand the user and ask them out-of-the-box questions about their activity that would be much harder to find out,” Alliband added. “Also utilizing voice ID, biometrics, SMS authentication, and alternative email authentication can be a great way to make bad actors’ lives a little more difficult and add another layer of security measures for organizations when users are contacting customer support.”


However, some FUT gamers were apprehensive about the repercussions of the account takeovers. NickRTFM tweeted that someone had tried to apply for a credit card using his details. Similarly, FUT Donkey complained that the victims had not received any communication from the company. The high-ranking gamer also threatened to sue the company for allegedly violating data protection laws, and claimed that one of the attackers had used his leaked account details to register on various websites, such as IMDB, Quora, Blockchain.com, Pornhub, and XVideos.

Alicia Hope
Staff Correspondent at CPO Magazine
Alicia Hope has been a journalist for more than 5 years, reporting on technology, cyber security and data privacy news.