Gaming giant Electronic Arts has been hacked and the cyberattackers are now selling access to the company’s games and servers, according to screenshots of underground hacking forums obtained by Motherboard.
Messages found on the hacking forums indicate the attackers took 780 GB of data from the company and have full access to FIFA 21 matchmaking servers, FIFA 22 API keys and some software development kits for Microsoft Xbox and Sony. They also purport to have much more, including the source code and debugging tools for Frostbite, which powers EA’s most popular games like Battlefield, FIFA, and Madden.
“You have full capability of exploiting on all EA services,” one attacker’s message said, noting that there are hundreds of million of registered EA users around the world and nearly nine million FIFA users. The messages included samples of what was stolen and indicate that the attackers are selling the batch of data and access for $28 million.
In a statement to ZDNet, an EA spokesperson said it was not a ransomware attack and claimed a “limited amount of game source code and related tools were stolen” during the attack. The company said it does not expect any impact to its games or business.
“No player data was accessed, and we have no reason to believe there is any risk to player privacy,” the EA spokesperson said. “We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.”
The cyber research and intelligence team for BlackBerry shared screenshots with ZDNet of the notes from someone behind the attack.
Eric Milam, vice president of Research and Intelligence at BlackBerry, said EA was probably targeted because “saying you hacked EA is like saying you hacked Blizzard.” With the source code of multiple video games, the attackers could compile and sell a game before it comes out, as well as add their own backdoors to certain games. Something like this would “give them access to a lot of computers.”
“Source code allows for review of everything that’s there without the need to reverse engineer. The source code could also help them understand the type of security around information and payment exchanges,” Milam said. “The source code could contain hardcoded credentials, keys, etc which can be used elsewhere or allow additional remote code capabilities.”
EA is far from the first gaming company to be hacked, with both Capcom and CD Projekt suffering from attacks in the last year. CD Projekt disclosed a ransomware attack in February and Capcom announced a hack in November that is now having far-reaching legal consequences for the company.
EA itself was hacked in 2011 and had to deal with a slate of vulnerabilities discovered in 2019.
Rajiv Pimplaskar, chief risk officer for cybersecurity company Veridium, said that like Capcom, there could be several downstream consequences such as loss of customer account credentials, biographic data, and more on top of the intellectual property losses.
“EA makes over $2.7 billion from microtransactions or in-game purchasing. App developers today have a higher responsibility to protect consumers and need to increasingly incorporate digital identity, authentication and privacy measures at a code level for improving cyber defense and mitigating fallout from such forms of theft,” Pimplaskar added.
Erich Kron, security awareness advocate at KnowBe4, told ZDNet it was strange that the attackers did not attempt to ransom the data back to EA before selling it on the open market. He noted that the proprietary information found in the leak may be valuable to competitors or may include information or vulnerabilities that could be used in future attacks against EA products or customers with installed EA games.
Many experts added that the theft of game source code was particularly damaging for a company like EA, which has popular brands like FIFA, Madden, Battlefield, Star Wars: Jedi Fallen Order, The Sims, and Titanfall.
“Game source code is highly proprietary and sensitive intellectual property that is the heartbeat of a company’s service or offering. Exposing this data is like virtually taking its life,” said Saryu Nayyar, CEO of Gurucul.
“The heartbeat has been interrupted and there’s no telling how this attack will ultimately impact the life blood of the company’s gaming services down the line.”