EA exposed to hackers: domain flaws left unfixed can lead to a breach

Cybersecurity teams warned EA, gaming giant chose ignorance and receives a lot of criticism

Researchers warn about issues with domain security, but the company remains ignorant.

Gaming giant EA, known for its well-known computer games like Sims, FIFA, or Need For Speed, is currently facing even more backlash. The company took the heat after the massive hack that led to severe exposure, and now more details pointing to the fact that the company knew about weak domains but chose to ignore all the flaws and alerts.

Apparently, Electronic Arts were warned by the cybersecurity industry and researchers back in December 2020. It was communicated that multiple domains could become subjects to takeover planned by hackers. Information about misconfigured and potentially unknown assets alongside domains with misconfigured DNS records was shared with the company ^[1].

What we found is the ability to take over assets of EA. It is more than just taking the assets of EA, it is about what can be done with these assets because we know EA. We know that if somebody can send emails from the domains of EA to us, the customers, or to suppliers of EA or to employees of EA, then that's the easiest door to the company. It isn't even a door. It is something simpler.

Cyberpion, Israeli based cybersecurity firm, contacted EA officials at the end of 2020 and has even sent a detailed document explaining the detected problems and a proof of concept. Co-founder of Cyberpion, Ori Engelberg, states that EA acknowledged the received information and even communicated that they will be in contact if more questions would arise. In the end, they never did and failed to address the issues, choosing to ignore the matter altogether.

Hackers shared obtained information on hacking forums

Engelberg explains how his researches stumbled upon EA domain vulnerabilities. Since many employees of the company play FIFA and other games, they were concerned about the findings. It was important to contact them and help.

Cybersecurity specialists found that there is the ability to take over the access of particular systems, which would result in hacked communication systems of the company. Stolen domains could be the tool used in sending emails purporting to be EA employees, and with this charade, many sensitive information and data could be obtained.

EA angered many loyal customers when it was revealed that a security breach could have helped hackers gather personal data and even take over accounts, the fact that other two Israeli cybersecurity teams, Check Point and CyberInt, pointed out too^[2].

Researchers found out that these vulnerabilities in EA's platform did not require the user to hand over any login details whatsoever. That led to the situation where the hackers behind the EA data breach announced that they were selling about 780 gigabytes of the stolen game source code and tools on an underground hacking forum^[3].

Later on, a spokesperson stated^[4]:

Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business

Gaming companies became more targeted due to the popularity

The unstable situation considering cybersecurity that EA is in does not align with the experience that one of the world's largest games companies has. EA counts major series such as Battlefield, Star Wars: Jedi Fallen Order, The Sims. It not only develops but also publishes a vast array of annual sports games^[5].

On the other hand, gaming companies are the new focus for hackers as Capcom and CD Project Red were also hacked in 2020. While others are facing similar problems, it could be speculated that mainstream competitors to EA would not use any stolen data or this situation in general to boost their own sales, the fact that could only be met with positivity at this point.