Epic patches Fortnite security hack that may have exposed more than 200 million players' data

A security flaw resembling Facebook's previous hack was discovered, ostensibly wouldn't even require a password to access user information.

With a ship big enough to hold millions of people, there’s bound to be a few pirates. According to a report by cybersecurity firm Check Point, a security flaw in Fortnite’s platform may have exposed the credit card data, personal information, and even voice chat audio of the game’s entire player base, which totals more than 200 million people.

Epic Games stated to Gamasutra that it has since fixed the security flaw.

"We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention," Epic told Gamasutra. "As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

As detailed by Check Point, the security flaw was notably more sinister and devious than previous, more simple attempts to get players to hand over their login information. Check Point was able to spot a vulnerability in some of Epic Games’ subdomains, an “XSS” attack could be performed.

“Check Point Research discovered multiple vulnerabilities in Epic Games’ online platform that could have allowed a threat actor to take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency and eavesdrop on and record players’ in-game chatter and background home conversations,” the company wrote in a blog post.

An XSS attack is when an attacker discovers a vulnerability in a site that would allow them to upload their own script, which can steal individual users’ cookie information. That cookie info is sent to the attacker, who can then use it at will. In a way, it works similarly to the Facebook hack back in October 2018 that compromised somewhere around 10-30 million accounts. Both then and now, the security flaw relied on acquiring a user’s “access token,” which is what keeps your login info already typed out in the username and password boxes when you return to the site in question.

If a hacker acquires that cookie data, they can ostensibly log into your account without ever having discerned your password, because the system thinks you and they are the same person logging in on the same computer.

To wit, Check Point has even produced a video laying out the security flaw, for the more visually oriented.

“By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker,” Check Point wrote in a blog post. “Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured the attacker.”

Check Point wrote in the same blog that they informed Epic Games of the security flaw, and “a fix was responsibly deployed, ensuring their millions of players can continue their gameplay in a secure environment.”

GameDaily has reached out to Epic Games for comment regarding future plans to avoid security issues.

With Fortnite’s unique position as a major game with full crossplay functionality, the question of security threats potentially impacting other services rightfully comes into question. Thankfully, a representative from Check Point says that shouldn’t be an issue.

“The attack puts users of Epic Games at risk,” Eran Vaknin of Check Point told GameDaily in an email. “It does not put at risk any third-party authentication providers such as PlayStation.”

Epic Games announced it had hired game and player security firm Kamu in October 2018. The company, which was founded in 2013, runs the Easy Anti-Cheat service, which is used by more than 100 million players across 80 games worldwide. The company’s services are described as cheat prevention, network protection, and “anomaly detection,” among others.

It’s unclear if Kamu would be the go-to service for addressing issues like the flaw Check Point discovered, but GameDaily has reached out to clarify what role they may play in future security assessments.

For more stories like this one delivered straight to your inbox, please subscribe to the GameDailyBiz Digest!

Joseph Knoop is a writer for Game Daily, IGN, PC Gamer, and plenty more. He owns an irresponsible amount of Overwatch merch. Break it down with him on Twitter @JosephKnoop.

Platinum Sponsors
Gold Sponsors