By logging in to EA’s Slack as an existing employee and tricking IT support staff, hackers got away with stealing the source code for FIFA 21 and Frostbite, as well as classified documents on AI, VR, and digital FIFA crowds.
After telling the IT staff that they’d “lost their phone at a party last night”, they were issued a multi-factor authentication token granting them access to EA’s corporate network. The hackers were able to log in to Slack as an EA employee after buying stolen cookies for $10 on an underground forum. (Session cookies store the proof that you have already logged in, so whoever holds them can potentially sign in as you.)
As reported by bleepingcomputer.com, the hackers boasted on underground platforms that anyone willing to pay $28 million will “gain full capability of exploiting all EA services”.
Here’s what they stole:
- Source code for FIFA21, including matchmaking tools.
- Source code for Frostbite which powers games like Battlefield.
- FIFA22 API keys, SDK, and debug tools.
- Proprietary EA games frameworks.
- XBOX and Sony private SDK and API key.
- XB PS and EA pfx and crt with key.
Screenshot of the hackers’ post found on an underground forum.
How the hack happened
This was a social engineering attack, which is a fancy way of saying “you were tricked by a hacker”. We’ve been warning our readers about the dangers of social engineering attacks for years, and now you can see just how easy it is to cause massive damage.
5 make-or-break points of the hack
We defined 5 make-or-break points for this hack to work, which we’re going to outline below to help you strengthen your security:
- The IT support employee: Although the hackers managed to log in to Slack as an EA employee, IT should arguably have required more than a chat message before granting access to the network. This single staff member was the gateway into EA’s systems, and all it took was a petty excuse like losing your phone at a party the night before.
- The EA engineer: In a supposedly unrelated 2020 incident, an EA engineer left a list of EA Slack channels in a public-facing code repository. It may seem insignificant, but if a hacker knows your work’s Slack channel names, all they have to do is steal login credentials and wreak havoc in your name.
- Lack of cookie security: This brings us nicely to the risks of cookie session data. The hackers obtained their login data from stolen cookies purchased for $10 on underground forums. Cookies on websites and apps save your login details and other data that could potentially allow a hacker to sign in to places with your details.
- Lack of network security: OK, so the hackers managed to infiltrate EA’s network, but that doesn’t mean they should automatically get access to certain files and documents. With EA, this was the case when the hackers found and accessed the service that developers use for compiling games. Certain files and services should be locked down and at least require 2FA to access. It might seem annoying, but it’s better than having an impersonator ransack years of your company’s hard work.
- Lack of domain security: 15 EA sites served login pages over HTTP rather than HTTPS, EA subdomains were left exposed online from expired certificates, and multiple DNS misconfigurations left their domains vulnerable to takeovers. EA allegedly ignored these security holes in their domains for months after they were discovered by the Israeli cybersecurity firm Cyberpion.
What can be done with this stolen data?
Source code allows hackers to meddle with the inner workings of a game. It could allow someone to:
- Create cheats and cracks.
- Reveal secret projects and game ideas.
- Expose comments made by developers.
- Cause huge public embarrassment and ruin a company’s reputation.
While EA are working on improving their security, the attack is being treated as a criminal investigation. As far as we know, no player data was stolen, and EA have said that there is no risk to players’ privacy. EA has over 450 million registered players worldwide, with a net revenue of $5.5 billion in 2020.
What the EA hack teaches us
Any one of us can fall for a social engineering hack. Some hackers will send you phishing emails that infect your device with password-stealing malware, while others simply pretend to be your co-worker. Hackers are catching us off-guard and executing massive attacks worth millions of dollars, so it’s best to be prepared.
Here are some tips:
- Never share passwords over chat apps like Slack, WhatsApp, or email: Use an encrypted password manager instead. NordPass encrypts data on your device before it reaches the servers so that even NordPass employees can’t see or access it.
- Secure your domains: Companies should decommission all unused subdomains, or at least keep their certificates up to date to protect their networks. Websites and especially login pages should always be served over HTTPS rather than HTTP. The ‘S’ stands for ‘secure’ and prevents hackers from spying on the sensitive traffic travelling through those pages.
- Always use a VPN: VPNs encrypt your entire connection when you’re online. They secure your traffic and protect your sensitive data from spies, trackers, and other third parties. Companies can use NordLayer to help protect their entire network from intruders, and you can use the NordVPN app on up to 6 devices with just one subscription.
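As an added example (not code from the article or from EA), the following Python audit turns the cookie-session risk and the HTTP-login-page problem described above into a check a defender can run against their own login responses: it flags login pages not served over HTTPS, missing HSTS, and session cookies lacking Secure, HttpOnly or SameSite or living so long that a stolen copy stays usable for weeks. The sample responses, the `example.test` hostname and the eight-hour session policy are constructed assumptions; the Set-Cookie parsing is a minimal attribute split, not a full RFC 6265 parser.

```python
from urllib.parse import urlsplit

# Assumed policy (not from the article): a session cookie may live at most one shift.
MAX_SESSION_SECONDS = 8 * 3600


def parse_set_cookie(header):
    """Split one Set-Cookie header into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags like Secure map to ""
    return name, attrs


def audit_login_response(url, headers):
    """Return findings for a login-page response; headers is a list of (name, value)."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("login page served over plain HTTP")
    if "strict-transport-security" not in {n.lower() for n, _ in headers}:
        findings.append("no HSTS header")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite not Lax/Strict")
        max_age = attrs.get("max-age")
        if max_age and int(max_age) > MAX_SESSION_SECONDS:
            findings.append(f"cookie {name}: Max-Age {max_age}s exceeds policy")
    return findings


# Constructed sample responses: a weak login page and a hardened one.
WEAK = ("http://login.example.test/", [
    ("Set-Cookie", "sid=abc123; Path=/; Max-Age=2592000"),
])
HARDENED = ("https://login.example.test/", [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=28800"),
])
```

Running `audit_login_response(*WEAK)` lists six findings, while the hardened response returns an empty list; pointing the same function at real captured headers is the intended use.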