Fortnite Battle Royale security flaw leaves 80 million players vulnerable to hackers
Fortnite players’ accounts were left vulnerable for at least two months, revealing everything from bank details to in-game conversations.
A flaw in the game’s sign-on technology left the personal details and bank accounts of Fortnite’s 80 million players vulnerable to hackers for at least two months, a cyber security firm revealed today.
The mistake left entire Fortnite accounts vulnerable to theft: players’ names and contact details could have been stolen, in-game currency purchased, and thieves could even have listened in on conversations while players were logged into the game.
Software security firm Check Point discovered and reported the vulnerability to Epic Games in November, though the flaw was only patched late last month.
Check Point product vulnerability research head Oded Vanunu said games like Fortnite were big targets for hackers given their large audiences, and players should take extra care to use all security features to lock their accounts.
“Fortnite is one of the most popular games played mainly by kids. These flaws provided the ability for a massive invasion of privacy,” he said.
“These platforms are being increasingly targeted by hackers because of the huge amounts of sensitive customer data they hold.”
Three security vulnerabilities were discovered in Fortnite Battle Royale’s login process, and hackers could have used one of Epic Games’ sub-domains to generate and intercept a legitimate token to enter another user’s account.
The flaw is more sophisticated than previous attacks on Fortnite accounts as it doesn’t rely on users handing over their login details — a scam previously used by attackers promising gamers free V-Bucks in-game currency.
Though the security hole has now been fixed, Mr Vanunu advised Fortnite players to add two-factor authentication to their accounts as it “could mitigate this account takeover vulnerability”.