Epic Games, the creator of the popular ‘Fortnite’ video game, is facing a class-action lawsuit from gamers over hacked Fortnite accounts, accusing the company of failing to maintain adequate security measures and notify users of the security breach in a timely manner.
The lawsuit, filed by ‘Franklin D. Azar and Associates’ in the United States District Court in North Carolina on behalf of over 100 affected users, claims that “affected Fortnite users have suffered an ascertainable loss in that they have had fraudulent charges made to their credit or debit cards.”
According to the lawsuit, Epic Games acknowledged a vulnerability in its system that allowed hackers to unauthorizedly access players’ account and purchase in-game currency using their saved credit or debit cards.
Apparently, the law firm is trying to connect two separate reports—first, a responsible vulnerability disclosure in Fortnite system and second, multiple password reuse and phishing attacks—alleging that the vulnerability which CheckPoint reported earlier this year was exploited in the wild.
However, at that time, neither security firm CheckPoint nor Fortnite developer Epic Games acknowledged or claimed that the reported vulnerabilities had actually been exploited to takeover Fortnite player accounts.
Instead, Epic Games released a separate advisory on its website warning its users about phishing and credential stuffing attacks, where hackers were successfully able to compromise an undisclosed number of Fortnite accounts using username/password combinations leaked from third-party sites.
For those unaware, in January 2019, Check Point researchers disclosed a cross-site scripting (XSS) flaw in Fortnite that could have allowed remote attackers to completely takeover player accounts just by tricking them into clicking an unsusceptible link.
Once compromised, attackers could perform various tasks, like accessing players’ personal information, buying in-game virtual currencies using their credit cards, and purchasing game equipment that would then be transferred to a separate account controlled by the attacker and resold.
The attackers even could have access to all the victim’s in-game contacts and conversations held by the player and his friends during the game, which can then be abused to exploit the account owner’s privacy.
Besides this, the law firm also claimed that “Check Point notified Epic Games of the vulnerability in November of 2018. Not until two months later did Epic Games acknowledge the flaw. Epic Games did not disclose how many accounts were affected by the data breach.”
The Hacker News has reached out to Epic Games, CheckPoint and Franklin D. Azar & Associates for their comment on this matter, and we will update the article as soon as we hear back from them.
Even if the reported account takeover vulnerability was not exploited, the lawsuit could still create problems for Epic Games, knowing the fact that hackers actively sell stolen Fortnite accounts on shady internet forums.
According to a report on BBC published late last year after interviewing 20 hackers, several teens, as young as 14, are found making thousands of pounds every week by selling hacked Fortnite accounts due to the popularity of the royal battle game that has over 200 million registered users.
Whatever be the outcome of the latest lawsuit filed against Epic Games, The Hacker News strongly recommends all users to remain vigilant while exchanging any information digitally and always check for the legitimacy of links to information available on the User Forum and other Fortnite websites.
To protect your accounts from being hijacked, you are also advised to enable two-factor authentication (2FA) which prompts you to enter a security code sent to your email upon logging into the Fortnite game, preventing account takeover even if your account credentials get compromised.
Most importantly: Using the same password across multiple websites is a bad, bad idea.