Around half a million Activision account details have been breached, after an apparent credential stuffing attack.
According to a series of user reports on social media, detailed by Dexerto, attackers leaked the user credentials and locked users out of their accounts too.
Activision, whose games include Call of Duty, the Tony Hawk skateboarding series and Crash Bandicoot, does not offer two-factor authentication on accounts, and users encouraged each other to change passwords. In a statement, Activision said “reports suggesting Activision Call of Duty accounts have been compromised are not accurate.” It recommended players “take precaution to protect their Activision accounts, as well as any online accounts, at all times.”
A support blog featured advice on basic cybersecurity steps, such as using strong passwords and avoiding password re-use.
Martin Jartelius, chief security officer at Outpost24, said that while this is much lower than the 77 million accounts exposed in the PlayStation Network breach of 2011, this is still a substantial breach. “In parts the cleanup will be a large undertaking for Activision, we can only hope backups allow restoring original contact data, resetting access and managing the users who still cannot regain access which should be a smaller group,” he said.
Boris Cipot, senior security engineer at Synopsys, said: “Gaming is not simply entertainment for children, it is a thriving industry with highly sophisticated technology. For example, games now offer highly advanced simulators whereby individuals can embody a soldier, fighter pilot or even a football player. With the support of Virtual Reality technology, these games can become even more realistic.
“Moreover, we are witnessing a rise in E-sports, where tournaments and winners amass large pots of money. As there is a lot of money involved, it is normal for cyber-criminals to target known game brands to access user accounts.”
He suspected that the access is used for financial gain, rather than for account access, as “many accounts have a collection of virtual goods which can be acquired by gamers for real money.” Cipot said cyber-criminals could gain profits just by selling one or many accounts which hold valuable virtual goods. “In gaming, the real money lies in selling virtual goods,” he said.
Dean Ferrando, lead systems engineer (EMEA) at Tripwire, recommended that those within the gaming industry take this opportunity to review their own security controls to ensure they are adequately deployed. “A security team should be able to easily assess how many of what kind of assets are on the network, how securely they are configured, and what the vulnerability posture of those assets are,” he said. “All organizations should use this as a wakeup call to ensure that security is not just a check box for compliance. Organizations like Activision want to provide a safe and secure space for gamers and not a game over experience.”