Epic Games under legal fire with a class-action lawsuit revolving around Fortnite data breach



In November 2018, Check Point Research (a group known for cyber threat intelligence and analysis) discovered an exploit that exposed the personal information (including credit and debit cards on file) of millions of Fortnite players registered to Epic Games. Epic Games did not make any acknowledgment of this exploit until two months later, in January 2019.

While Epic Games has since alleviated the issue, Franklin D. Azar & Associates has filed a class-action lawsuit in response to Epic’s seemingly poor network security.

The firm lists their reasoning for the lawsuit, stating:


Affected Fortnite users have suffered an ascertainable loss in that they have had fraudulent charges made to their credit or debit cards and must undertake additional security measures, some at their own expense, to minimize the risk of future data breaches including cancelling credit cards associated with their Epic Games/Fortnite accounts and changing passwords for those accounts. Furthermore, Fortnite users have no guarantee that the above security measures will in fact adequately protect their personal information. Fortnite users therefore have an ongoing interest in ensuring that their personal information is protected from past and future cybersecurity threats.

They also state that users may have a claim against Epic Games if they “have an Epic Games or Fortnite account, a credit or debit card linked to that account, and incurred charges on that linked card that you did not authorize or recognize.”

What are your thoughts on the matter? Do you think this lawsuit is excessive? And if you are eligible for a claim, will you take it?


I am still waiting for more details about this lawsuit coming out since... well... it seems as of this moment to be baseless. Nowhere, from what I can tell, have either Check Point or Epic Games concluded that the vulnerability they found and fixed was ever exploited by anyone (I believe Tim Sweeney on Twitter mentioned the opposite, in fact), which makes the number of users affected by that vulnerability specifically a big 0. Fixing security vulnerabilities before they're found and exploited "in the wild" should never result in a class action lawsuit, as it seemingly has done here...

Even Check Point's own report on the vulnerability uses phrasing such as "could have allowed a threat actor" as they also seemingly did not find any indications that the vulnerability was actively being used and exploited by bad actors.

Beyond that, users who have lost access to their accounts most likely lost that access due to a lack of appropriate security on their own part, through e.g. reusing passwords, or being affected by malware on their PCs, etc., which all are outside the ability of Epic to prevent.

Honestly speaking, in terms of preventive action, Epic Games takes a much more active approach than I've publicly seen from organizations. Checking accounts against known password dumps online and resetting the password for those affected is a slowly growing occurrence in IT, but I am not aware of any corporation within the video games industry that does this yet, except for Epic.


So yeah... We'll have to see where this goes, but I don't expect it to go anywhere since seemingly nobody has actually been affected by the vulnerability this whole class action lawsuit seems based around...


The law firm statement makes the matter even more confusing.

It starts by describing the vulnerability but then quotes the Epic page that addresses password dumps in general.

Here is the tweet Aemony mentioned:


AnotherGills has done a great job at writing for the news section but there should be more research done before re-posting news or outright fake news from the biased Steam-centric communities of Reddit. The scope should also be widened. The recent Steam vulnerability that's only been patched in the beta so far is much more severe than the alleged Epic Games vulnerability in that it allows a malicious game creator to gain access to the owners' computers, not just one account from a link that needs to have been clicked on, yet we're not seeing big titles or much publicity for that.


21 hours ago, Suicide machine said:

I just like how safely Epic puts themselves. Might be our fault, but you can't prove it that the few hundred $ of micro that we charged you wasn't just your fault. Fek, off. 

Of the below three possibilities, which one do you find most likely to be the case?

  • A nefarious actor has obtained access to Epic's internal systems. Instead of going crazy and making big bucks off all of the millions of accounts they have access to, they only make charges against a few random accounts at a time.
  • A nefarious actor downloads a publicly available password dump and tries known email and password combinations against Epic's sign-in page, and finds a couple of accounts that reused their password across multiple services.
  • A nefarious actor sends phishing links to potential victims to a custom webpage that has been crafted to look like a legit sign-in page for Fortnite, instructing users to sign in using their Epic account to obtain free "V-bucks" (or whatever they're called), and users fall for it and hand their accounts and passwords over.

Personally, I'd say the second or third ones, as a lot of users still fall for phishing attempts and password reuse is extremely common and few users (even technically minded ones) apply proper password management for their accounts and services. This is probably even more true for Fortnite in particular, which has repeatedly been mentioned to have a lot of young players.

Epic Games is not responsible for either the second or third possibilities. They're only responsible for the first one.


An argument can be made, however, that the situation of the hacked accounts might have been partially influenced by Epic's lack of forcing some basic protections onto their users earlier. For example, EGS did not require email verification on sign-up for the longest time. While this by itself isn't an issue, it does mean that multi-factor authentication in the form of sign-ins requiring a randomized access code sent to the mail address wouldn't be possible on a newly created account, and therefore additional protection for the account wouldn't be available.

But that is sorta true for most services or websites, and if that alone was enough to shift the blame from the users (whose bad password management allowed it to happen) to the service provider, then that sorta can set a dangerous precedent for other services and websites, I think...



22 hours ago, Rose said:

Here is the tweet Aemony mentioned:

Yeah, that's the tweet I was thinking of. I tried to find it myself but couldn't, so thanks for finding it! 🙂
