EA Games’ enormous game theft, which saw source code for FIFA 21 and other key titles stolen, hinged on a $10 cookie and some disturbingly simple social engineering, according to the hackers responsible. Electronic Arts confirmed it had been the victim of the cybercrime earlier this week, with around 780GB of data – including game code and more – yanked from its servers.
The loss of the source code for one of its highest-profile titles would be bad enough, but the hackers also made off with copies of EA’s matchmaking code for FIFA 21, along with source code and tools for Frostbite, and various frameworks and SDKs. EA has said that it doesn’t believe customer data was impacted, however.
“No player data was accessed, and we have no reason to believe there is any risk to player privacy,” EA said in a statement. “Following the incident, we’ve already made security improvements and don’t expect an impact on our games or our business.”
However, the exact mechanism by which the hackers managed to access the data has been revealed, and it’s ominously simple. In an interview with Motherboard, a representative says that the whole thing hinged on buying a stolen cookie that was being sold online. That cost all of $10.
Cookies are one of the standard convenience features of the internet and web services, responsible for saving login data and sessions. With them, you can avoid having to enter your authentication credentials every time you visit the same webpage, for instance, and they can also be used to record a log of visits. However, what few may realize is that there’s also a market for stolen cookies online, sold for nefarious purposes.
In this case, with the EA cookie, the hackers were able to access the game company’s Slack. That’s the internal messaging platform EA uses for its various teams to collaborate and, vitally, to communicate with divisions like IT Support.
“Once inside the chat, we messaged a IT Support members we explain to them we lost our phone at a party last night,” the hackers’ representative explains. That led to the support team issuing two authentication tokens with which access to the EA corporate network was possible. Beyond that, it was a matter of accessing the various source code servers and making copies of what they found.
EA confirmed the mechanism by which the hack had run, and has said it’s working with law enforcement in the aftermath of the exploit.
It’s a reminder that, while two-factor authentication and other advanced security may present significant obstacles to hackers, humans often remain the most readily exploited element of the overall system. EA certainly isn’t the only company to discover this in an embarrassingly public way, with many high-profile hacks resulting from the perpetrators managing to convince employees that their requests are innocuous or genuine.