Epic Games’ massively popular Fortnite is a natural target for hackers, and one particularly devious exploit that was found by Check Point Research and subsequently patched allowed hackers to glean players’ account details undetected through a middleman attack of sorts. Players were required to do nothing more than click on a link sent to them by the hackers, and the attack would then take advantage of Fortnite’s cross-platform multi-login capabilities to grab a player’s details in transit to the legitimate server.
Once the compromised details were in hackers’ hands, they could not only get into players’ accounts to make fraudulent V-Bucks purchases or transfer existing V-Bucks to mule accounts, but could even log in on other platforms at the same time as the player and eavesdrop on in-game and background conversations. In essence, the hack gave outside parties full and complete control of unsuspecting players’ Epic Games accounts through Fortnite, along with any associated payment methods.
Background: The vulnerability in question was found back at the tail end of 2018, and though it was massive in scale and scope, it could only affect accounts that did not have two-factor authentication enabled. The attack was aimed at some of the subdomains that Fortnite used in its login processes. So long as a player was logged in on a given device, all a hacker had to do was send the player a link, and once that link was clicked, they had the player’s login information.
From there, they had full control of the account. This meant that they could very easily transfer resources around, monitor the player in question, make bogus transactions with linked payment methods, or even lock the player out of their account entirely. The rather vicious exploit has since been patched, but its seemingly innocuous nature made it exceedingly difficult for players to tell that they were falling victim.
One of the more important details in the whole saga was the fact that the exploit could only affect accounts that had not enabled two-factor authentication. Even if hackers got Epic Games account information, that did not give them access to linked email addresses, and obviously didn’t give them the physical access to players’ smartphones needed to get past two-factor authentication through Epic Games’ authentication app. In fact, a login attempt on a two-factor enabled account would alert the player to the heinous act, drawing attention to the hackers.
Impact: Since the hack has been patched up, players need not worry now. Those who were affected have little recourse at this point, unfortunately, save for what Epic Games can do for them. Any app or game as complex and server-heavy as Fortnite is bound to have more vulnerabilities, of course, simply lying in wait for hackers to find and exploit.
The lesson to learn here is to always use two-factor authentication when it’s available, and to change your passwords regularly just in case such an attack nabs your info and you’re left in the dark. That’s no guarantee of safety, of course, as exploits get more and more complex and sinister. It is, however, an added layer of protection, and will ensure that something as simple as a login info grabber isn’t enough to get an attacker into your account.