EA Faces Criticism After Ignoring Warnings from Cybersecurity Researchers

 

After dismissing cybersecurity researchers' warnings in December 2020 that various flaws left the firm extremely vulnerable to hackers, gaming giant Electronic Arts is facing even more criticism from the cybersecurity industry. Electronic Arts Inc. is a video game developer and publisher based in Redwood City, California. As of May 2020, it is the second-largest gaming firm in America and Europe, after Activision Blizzard and ahead of Take-Two Interactive and Ubisoft in terms of revenue and market value.  

Cyberpion, an Israeli cybersecurity firm, contacted EA late last year to warn them about a number of domains that could be taken over, as well as misconfigured and potentially unknown assets and domains with misconfigured DNS records. Despite delivering EA a detailed document outlining the difficulties as well as a proof of concept, Cyberpion co-founder Ori Engelberg claims EA did nothing to fix the flaws. 

According to Engelberg, EA acknowledged receiving the information about the vulnerabilities and stated that they will contact Cyberpion if they had any further questions, but they never did. "We inspect the entire internet but as gamers, we are customers of EA. So many of our employees play FIFA and other games. We love EA so we wanted to contact them to help because their online presence is significant," Engelberg said. 

"What we found is the ability to take over assets of EA. It is more than just taking the assets of EA, it is about what can be done with these assets because we know EA. We know that if somebody can send emails from the domains of EA to us, the customers, or to suppliers of EA or to employees of EA, then that's the easiest door to the company. It isn't even a door. It is something simpler," Engelberg added. He said that malicious actors might use the stolen domains to send emails appearing to be from EA, asking customers to transfer account details or other data.

Last week, it was revealed that a "chain of vulnerabilities" might have allowed attackers to obtain access to personal information and take control of accounts, causing EA to face outrage. In recent weeks, Motherboard reported that EA's large data breach was caused by a hacker's ability to obtain access to an account by abusing Slack privileges. 

Hackers boasted on forums about stealing 780 GB of data from the company and acquiring full access to FIFA 21 matchmaking servers, FIFA 22 API keys, and various Microsoft Xbox and Sony software development kits. They also claim to have a lot more, such as the Frostbite source code and debugging tools, which is used to power EA's most popular games like Battlefield, FIFA, and Madden.