Security researchers said that millions of players of the hit online game Fortnite may have been vulnerable to a security breach that gave hackers access into user accounts.
A bug in the game’s log-in system allowed attackers to gain access to unsuspecting users’ accounts if they clicked a phishing link sent in a message on the platform, researchers for the information security company Check Point Research said this week. If players clicked the link, attackers would have been able to access account log-in credentials, which could then be used to gain access to user accounts.
In a detailed post and accompanying video explaining the vulnerability, researchers for the Tel Aviv-based security company said the bug would have allowed bad actors to do anything that a logged-in player might be able to do, like chat with other players, purchase virtual in-game currency using saved credit card information or view the personal information of the account holder.
According to Check Point, researchers were first made aware of a possible vulnerability on the Fortnite platform in the fall of 2018. After confirming the existence of the bug, researchers reached out to Epic Games in mid-November to tell them about the vulnerability. Epic Games didn’t directly report back to Check Point, but the researchers said they believe the bug was patched sometime in December.
Epic Games, the company that develops the battle royale game that’s become an obsession for millions of kids, teens and adults, confirmed that it had patched the bug.
Eran Vaknin, a security expert at Check Point, said users should watch out for warning signs like no longer being able to access their account, account information changing without their knowledge or unusual credit card transactions from the game.
Vaknin also said, “Fortnite players who have an account should implement a two-factor authentication mechanism to secure [their accounts] from account takeover vulnerabilities”.
Vaknin also recommended Epic Games implement updated security protocols “and perform full application testing from time to time” to proactively catch vulnerabilities before they could be exploited.
“We were made aware of the vulnerabilities and they were soon addressed,” a spokesperson for Epic Games said in an emailed statement. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others.”
Fortnite—which Adweek named to its annual Hot List for its unprecedented success—is one of the most popular game franchises in video game history, with about 80 million monthly players and more than 200 registered accounts. Researchers said they had no proof that the vulnerability had been exploited, and an Epic Games spokesperson declined to provide more information. It’s unclear exactly how many accounts, if any, were accessed by hackers.
This isn’t the first time that Fortnite players were vulnerable to hacking. Kotaku reported in March 2018 that a few dozen players of the game said that hackers had gotten into their accounts and made fraudulent charges. Epic Games issued refunds for players and rolled out two-factor authentication for account holders.