Major bug in Fortnite gave hackers access to millions of player accounts
If you or your child plays Fortnite, you might want to take a closer look at your recent credit card statements.
Epic Games, the maker of the hit online battle royale title, admitted Wednesday, Jan. 16, that a flaw in the game's log-in system could have allowed hackers to impersonate real players and purchase in-game currency using the credit cards on file.
It's unclear how many players may have been directly affected by the bug; Epic declined to comment on the scope of the vulnerability and said the matter has been addressed. But roughly 80 million people play Fortnite every month, and as many as 200 million users have registered accounts, the company has previously said.
"We encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others," Epic said in a statement.
Epic's admission follows a report by Check Point Research, an information security group, which said it privately notified Epic of the flaw after tests revealed it could lead to widespread fraud.
The bug worked by giving hackers the ability to steal the security tokens, pieces of code used to identify a player when he or she logs into the game using a third-party account such as Facebook or Xbox Live, the researchers said. Players could have been exposed to the flaw if they clicked a malicious phishing link designed to exploit the vulnerability. Along with their report, the group also published a YouTube video explaining the research.
After using these security tokens to access a player's account in Fortnite, hackers could then take actions such as buying in-game currency, according to the report. The report also said, but Epic did not confirm, that hackers could have eavesdropped on players' conversations in the game's voice chat.
The enormous popularity of Fortnite makes it a juicy target for hackers, experts say. Check Point did not disclose how long the vulnerability may have existed, nor whether hackers could have siphoned their ill-gotten rewards out of player accounts. But the possibility of a breach affecting the equivalent of two-thirds of the U.S. population is a serious risk, the group said.
"Fortnite is one of the most popular games played mainly by kids," Oded Vanunu, Check Point's head of products vulnerability research, said in a statement. "These flaws provided the ability for a massive invasion of privacy."
This article was written by Brian Fung, a reporter for The Washington Post.