After reports surfaced that 500,000 Activision accounts may have been hacked, impacting online Call of Duty (CoD) players, the gaming giant is disputing the claim.
The alleged breach was first flagged by the #oRemyy account on Twitter, and was quickly amplified by others, who claimed that accounts were being taken over and credentials changed, so that the legitimate users couldn’t recover them. The claims were picked up by gaming news outlet Dexterto.com.
“Yeah it’s legit guys. Change your Activision account passwords immediately. Apparently over 500,000 accounts have been breached already and it’s still ongoing,” one user going by “Okami” tweeted. And at least one user claimed to have “solid proof”:
Regarding the Activision account breach, I just seen solid proof, change your password.
— Prototype Warehouse (@ProtoWarehouse) September 20, 2020
Nonetheless, Activision is calling the claims false, after the tweets caused an online hullaballoo amongst CoD fans.
— Activision Support (@ATVIAssist) September 22, 2020
Threatpost has reached out to the company for more details.
Activision accounts are linked to Call of Duty franchise titles, like Warzone and Modern Warfare, and can be linked to Xbox, PlayStation, Steam and other gaming systems and networks. They can also contain payment details. Two-factor authentication is unfortunately not an account security option, making brute-force attacks to crack accounts more possible.
“There is obvious value in obtaining personal identifiable information (PII) and account details of users, but these are also a goldmine for malicious actors intending to plan further attacks – be it phishing or otherwise,” Dean Ferrando, systems engineer manager – EMEA at Tripwire, said via email.
He added that breach or no, the incident should be a security wakeup call: “Those within the gaming industry should take this opportunity to visit their own security controls to ensure they are adequately deployed,” he said. “A security team should be able to easily assess how many of what kind of assets are on the network, how securely they are configured, and what the vulnerability posture of those assets are. Organizations like Activision want to provide a safe and secure space for gamers and not a game over experience.”
The supposed attack is entirely plausible, according to Kim DeCarlis, CMO at PerimeterX, and should also put consumers on notice.
“Stolen personal information is sold on the dark web and used by other cybercriminals to launch automated account takeover (ATO) attacks on other websites, where the same user might have had a registered account,” DeCarlis said via email. “The compromised accounts can then be used to commit fraud, which not only hurts the affected user but also the business whose website was targeted. For enterprises with an online presence, even if they are not part of a data breach, it is important to have bot mitigation capabilities to address ATO attacks. For consumers, it is best to use different passwords on different sites and lockdown their credit records as much as possible.”