The cost of the EA data breach: $10 and a bit of social engineering

Shawn Knight

Shawn Knight

Posts: 15,294   +192
Staff member
Facepalm: The hackers responsible for the recent data breach involving Electronic Arts have divulged how they did the deed. A representative for the hacking group told Motherboard they got the ball rolling by purchasing stolen cookies online for just $10. Ouch.

From there, the hackers were able to use the cookies to gain access to a Slack channel used by EA employees.

Once on Slack, one of the hackers messaged an EA IT support member and explained that they had lost their phone at a party the night before. They were successful in getting a multifactor authentication token that gave them access to EA’s corporate network (this apparently worked twice, the rep said).

With access to EA’s network, the hackers located a service for developers compiling games that they were able to log into. Creating a virtual machine reportedly gave them even more visibility on the network, allowing them to access another service and download game source code.

Motherboard said the rep provided screenshots to back up their story, including images of the Slack chats. When Motherboard reached out to EA, a rep “confirmed to Motherboard the contours of the description of the breach given by the hackers.”

Motherboard said yesterday that the hackers made away with roughly 780GB of data including the source code for FIFA 21 and code related to the Frostbite engine.

Image credit AkuAlip

Permalink to story.

https://www.techspot.com/news/90032-hackers-broke-ea-network-using-stolen-cookies-social.html

 
The issue here is how we usually treat help desk staff and their jobs. For internal facing departments like theirs, they're usually trapped behind a pretty strict hierarchy and constant reminders about securing information and data.

So just saying "follow your guidelines and this would never happen" might seem intuitive. But anyone who's actually worked on an office environment knows that sometimes people play fast-and-lose with your job when they want something from you and are not willing to wait in line. I've been pretty frequently blindsighted by users that seemed perfectly fine and pleasant and polite when I had to decline their request only to suddenly get calls from my boss cause the general manager got a called about our department putting roadblocks on people and such.

It's not hard to figure out that almost 100% of the time you'll be able to find somebody disgruntled, somebody worn down by the same strict hierarchy they work for in a thankless and poorly remunerated position.
 
  • Like
Reactions: Paulo Soares, thelatestmodel, JKnight and 1 other person
Per the screenshot, "You have full capability of exploiting on all EA services"

Guess we've found the weakness in the "gaming as a service" model. One can only hope this hack will result in its - and EA's - decline and destruction.
 
BadThad said:
Death penalty for hackers!
Click to expand...
Disagreed, especially in this case.

Ironically, this hack is probably the only way that these codes and assets will be preserved for posterity. Video game companies are notoriously bad at preserving source code and assets, even for their biggest games. When Trent Oster and his team wanted to do their remaster of Baldur's Gate, they went to EA looking for the source code and original assets - all of them had been basically lost, for one of the most important western RPGs in history.

And considering we're in the cursed nightmare era of "games as a service" this creates an even bigger potential for cultural loss, with so much of game code obfuscated and hidden on central servers.

In the future, the labor of hackers like these might pan out being seen not unlike the labor of medieval monks, who copied down works that otherwise would have been lost to time.
 
Last edited:
  • Like
Reactions: Reehahs, Rayneofpayne, envirovore and 2 others
Dimitriid said:
The issue here is how we usually treat help desk staff and their jobs. For internal facing departments like theirs, they're usually trapped behind a pretty strict hierarchy and constant reminders about securing information and data.

So just saying "follow your guidelines and this would never happen" might seem intuitive. But anyone who's actually worked on an office environment knows that sometimes people play fast-and-lose with your job when they want something from you and are not willing to wait in line. I've been pretty frequently blindsighted by users that seemed perfectly fine and pleasant and polite when I had to decline their request only to suddenly get calls from my boss cause the general manager got a called about our department putting roadblocks on people and such.

It's not hard to figure out that almost 100% of the time you'll be able to find somebody disgruntled, somebody worn down by the same strict hierarchy they work for in a thankless and poorly remunerated position.
Click to expand...

I lived this reality, I think the best way to get rid of it is to become "independent", so saying no to those who want to break the rules becomes easier, when a director decides to call me because he received a complaint from an employee I say "I get paid to ensure security, not to be nice" I haven't lost customers so far.
 
  • Like
Reactions: Dimitriid
You must log in or register to reply here.

Similar threads

midian182
TSMC to receive $11.6 billion from US under CHIPS Act, will build third Arizona plant
Replies
9
Views
152
Starscream07
Starscream07
midian182
Graphics card prices on the rise in China as demand surpasses supply, could impact global markets
Replies
5
Views
99
Starfals
Starfals
midian182
Microsoft CEO Satya Nadella warns that hackers could cause breakdown in world order, calls...
Replies
21
Views
324
WarrenSpeck
W

Latest posts

Back