EA Was Warned Of Critical Server Vulnerabilities Months Prior To Massive Security Breach
The devastating security breach publisher Electronic Arts disclosed earlier this month may have been worse than initially thought. Not in terms of the scope of how much data was stolen (which is a lot), but in regards to EA possibly having prior knowledge that its systems were at risk, and allegedly choosing not to take appropriate measures that could have prevented the breach.
Let's back up for a moment. A couple of weeks ago, hackers began bragging on private hacking forums that they infiltrated EA's servers and swiped a massive amount of data
—around 780GB of source code, proprietary frameworks, software development kits, and engine tools. The stolen data was made available for sale.
In response, EA said it was "investigating a recent incident of intrusion," saying the culprit(s) made off with "a limited amount of game source code and related tools." EA also assured users that "no player data was accessed, and we have no reason to believe there is any risk to player privacy."
Nevertheless, cybersecurity experts say this could and should have been avoided. Ori Engelberg, co-founder of Israeli cybersecurity firm Cyberpion, told ZDNet
that his company provided the publisher with a document last year, which detailed various security issues
. It is said to have outlined misconfigured DNS settings that left multiple domains susceptible to takeovers by hostile actors.
Engelberg also said his firm provided EA with a proof-of-concept in December of last year. According to Engelberg, EA acknowledged receiving the document, and said it would be in touch if it had any questions. After that, EA never contacted Cyberpion, he says.
The co-founder says he and his team have a sort of vested in interest in EA, because they are gamers and "customers of EA." Apparently many of Cyberpion's security force plays FIFA and other EA titles.
"We love EA so we wanted to contact them to help because their online presence is significant," Engelberg said. "What we found is the ability to take over assets of EA. It is more than just taking the assets of EA, it is about what can be done with these assets because we know EA. We know that if somebody can send emails from the domains of EA to us, the customers, or to suppliers of EA or to employees of EA, then that's the easiest door to the company. It isn't even a door. It is something simpler."
Even though EA says no player data was stolen, having access to customer email addresses and domains belonging to the publisher could allow an attacker to carry out a more convincing phishing scheme
. All because of things like mismatched security certificates, several hundred misconfigured DNS settings, and other relatively easy-to-fix vulnerabilities.
"Suppliers are even more vulnerable than employees and customers because it is very common for them to get emails from people inside the customer organization that they don't know," Engelberg added.
Whether it comes as any consolation to EA or not, it is not the only major company to have these security shortfalls. Engelberg says these kinds of vulnerabilities are common across the web, and affect a whole bunch of Fortune 500 companies.
EA has been busy patching up these security holes, and is expected to release a more thorough comment on the situation at some point.