Epic Games, the developer of Fortnite, is being sued in a class-action lawsuit after a security breach allowed hackers to access the personal information of users with Epic Games accounts.
The class-action lawsuit was filed by Franklin D. Azar & Associates in US District Court in North Carolina. The suit cites Epic's "failure to maintain adequate security measures and notify users of the security breach in a timely manner." It goes on to mention that there are more than 100 class members involved in the lawsuit.
Epic acknowledged the breach back in January, surmising that a bug in Fortnite may have exposed the personal information of millions of user accounts. The company fixed the issue, but the suit alleges that the company failed to notify affected users to the possibility of their personal information being compromised. The filing says that the plaintiff and anyone else affected by the breaches "have an ongoing interest in ensuring that their [personally identifiable information] is protected from past and future cybersecurity threats."
Check Point security researchers discovered the breach in November 2018 before Epic acknowledged it in January 2019. "We were made aware of the vulnerabilities and they were soon addressed," said an Epic Games spokesperson at the time. "We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others."
However, Check Point's report details an exploit that couldn't have been avoided by constant password changes. "By discovering a vulnerability found in some of Epic Games' sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker. Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured by the attacker."
"Even if you [had] a security product looking for anti-phishing, it wouldn't catch [the hack] because it's coming from a legitimate domain," Check Point's head of products vulnerability research Oded Vanunu said. Vanunu went on to encourage players to enable two-factor authentication for their Epic accounts. "Token hijacking is something that is happening on all major platforms," Vanunu continued. "We are starting to see malicious attackers looking for tokens more."