The cost of the EA data breach: $10 and a bit of social engineering

Shawn Knight

Posts: 13,294   +132
Staff member
Facepalm: The hackers responsible for the recent data breach involving Electronic Arts have divulged how they did the deed. A representative for the hacking group told Motherboard they got the ball rolling by purchasing stolen cookies online for just $10. Ouch.

From there, the hackers were able to use the cookies to gain access to a Slack channel used by EA employees.

Once on Slack, one of the hackers messaged an EA IT support member and explained that they had lost their phone at a party the night before. They were successful in getting a multifactor authentication token that gave them access to EA’s corporate network (this apparently worked twice, the rep said).

With access to EA’s network, the hackers located a service for developers compiling games that they were able to log into. Creating a virtual machine reportedly gave them even more visibility on the network, allowing them to access another service and download game source code.

Motherboard said the rep provided screenshots to back up their story, including images of the Slack chats. When Motherboard reached out to EA, a rep “confirmed to Motherboard the contours of the description of the breach given by the hackers.”

Motherboard said yesterday that the hackers made away with roughly 780GB of data including the source code for FIFA 21 and code related to the Frostbite engine.

Image credit AkuAlip

Permalink to story.

 

Dimitriid

Posts: 729   +1,322
The issue here is how we usually treat help desk staff and their jobs. For internal facing departments like theirs, they're usually trapped behind a pretty strict hierarchy and constant reminders about securing information and data.

So just saying "follow your guidelines and this would never happen" might seem intuitive. But anyone who's actually worked on an office environment knows that sometimes people play fast-and-lose with your job when they want something from you and are not willing to wait in line. I've been pretty frequently blindsighted by users that seemed perfectly fine and pleasant and polite when I had to decline their request only to suddenly get calls from my boss cause the general manager got a called about our department putting roadblocks on people and such.

It's not hard to figure out that almost 100% of the time you'll be able to find somebody disgruntled, somebody worn down by the same strict hierarchy they work for in a thankless and poorly remunerated position.
 

terzaerian

Posts: 960   +1,399
Per the screenshot, "You have full capability of exploiting on all EA services"

Guess we've found the weakness in the "gaming as a service" model. One can only hope this hack will result in its - and EA's - decline and destruction.
 

terzaerian

Posts: 960   +1,399
Death penalty for hackers!
Disagreed, especially in this case.

Ironically, this hack is probably the only way that these codes and assets will be preserved for posterity. Video game companies are notoriously bad at preserving source code and assets, even for their biggest games. When Trent Oster and his team wanted to do their remaster of Baldur's Gate, they went to EA looking for the source code and original assets - all of them had been basically lost, for one of the most important western RPGs in history.

And considering we're in the cursed nightmare era of "games as a service" this creates an even bigger potential for cultural loss, with so much of game code obfuscated and hidden on central servers.

In the future, the labor of hackers like these might pan out being seen not unlike the labor of medieval monks, who copied down works that otherwise would have been lost to time.
 
Last edited:
The issue here is how we usually treat help desk staff and their jobs. For internal facing departments like theirs, they're usually trapped behind a pretty strict hierarchy and constant reminders about securing information and data.

So just saying "follow your guidelines and this would never happen" might seem intuitive. But anyone who's actually worked on an office environment knows that sometimes people play fast-and-lose with your job when they want something from you and are not willing to wait in line. I've been pretty frequently blindsighted by users that seemed perfectly fine and pleasant and polite when I had to decline their request only to suddenly get calls from my boss cause the general manager got a called about our department putting roadblocks on people and such.

It's not hard to figure out that almost 100% of the time you'll be able to find somebody disgruntled, somebody worn down by the same strict hierarchy they work for in a thankless and poorly remunerated position.

I lived this reality, I think the best way to get rid of it is to become "independent", so saying no to those who want to break the rules becomes easier, when a director decides to call me because he received a complaint from an employee I say "I get paid to ensure security, not to be nice" I haven't lost customers so far.