Sports of the Day

Security leak at EA: Up to 700 million accounts were apparently compromised

A security breach at Electronic Arts is said to have compromised information and sensitive data from around 700 million accounts. The company responded – but a little too hesitantly in the view of the discoverer.

Hackers could have easily accessed sensitive data from about 700 million Electronic Arts accounts. This is the discovery that security researcher Sean Kahler claims to have made. In a blog post, he demonstrated how easy it is to take over the identity of players.

“The story begins,” as Kahler writes, with him running some tests against an internal EA development environment that he “found some time ago”. By his own account, an unprotected programming interface let him access millions of user accounts.

Hackers would have had free rein to run riot, he said. They could have stolen personal data, taken over identities or blocked accounts. According to the security researcher, players of the first-person shooter game Battlefield 2042 were particularly affected.

“A bit strange” how long it took EA to release patches

Kahler showed his discovery to the video game company. “Given the severity of the problem, it’s a bit strange how long it took EA to release patches,” he comments. He understands that it’s “more complicated internally, but a quick patch would have been advisable.”

On June 16 of this year, he submitted the vulnerabilities to Electronic Arts. The first patch arrived on July 8, followed by the second ten days later. This was followed by updates three and four on September 6 and 10, and the last one to date on October 8.

For Kahler, it is “also disappointing that EA has not yet launched a bug bounty program”, that is, an initiative that promises rewards for identifying and reporting bugs. “Since there is no real incentive to report vulnerabilities, I know people who have chosen to keep them to themselves instead,” Kahler said. He would be “pleased if EA followed the example of the rest of the industry here.”
