Overview
Late in 2018 Epic Games experienced a data breach relating to Fortnite accounts. Users reported accounts being stolen and their linked credit or debit card used to make fraudulent in-game purchases. Hackers then sold those accounts, loaded up with in-game purchases, for a profit on the dark web and other sites. If you think your account may have been compromised, you may be entitled to monetary damages. Please fill out the contact box and one of our experienced data breach attorneys will contact you promptly.
How the Data Breach Occurred
On January 16, 2019, Epic Games, creators of the Fortnite video game, acknowledged that a flaw in Fortnite’s login system allowed hackers to impersonate players and purchase in-game currency using credit or debit cards on file with the account. This acknowledgement came after Check Point, a cybersecurity research firm, successfully exploited a security vulnerability on an old, unsecured webpage operated by Epic Games. Check Point notified Epic Games of the vulnerability in November of 2018. Not until two months later did Epic Games acknowledge the flaw. Epic Games did not disclose how many accounts were affected by the data breach. Fortnite has an estimated 200 million registered users.
A Bleeping Computer report contains a graphic illustrating the hacking process where users would be redirected from Epic Games’ main login page to an old, unsecured Epic Games’ page where authentication tokens (the equivalent of digital keys that keep people logged in so that they do not need to re-enter their password every time they play the game) were stolen through injected JavaScript Code.
Before news of the data breach broke, the BBC reported that hackers were earning thousands of British pounds a week to hack Fortnite accounts, take them over, and resell them online.
A Kotaku report revealed that another means by which hackers profited from hacking Fortnite accounts was by purchasing upgraded versions of the otherwise free game. When an upgraded version is purchased (for $99.99 or $150.00), the hacked account receives codes for free downloads of the standard edition of Fortnite, which retails for approximately $40. Hackers would then sell the codes online at deep discounts. Accounts may also have been hacked through “password dumps,” where hackers take thousands of known email and password combinations for other websites and load them into software that tests the combinations with Epic Games’ client. When hackers get a hit, they can access player accounts.
Epic Games’ Response
In response to the data breach, Epic Games posted an “Account Security Bulletin.” Under the “What Are We Doing To Help” section, Epic Games provides that:
At Epic, we’ve been working hard to try to hunt down password dumps in order to proactively reset passwords for player accounts when we believe they are leaked online. While this approach involves a lot of manual work on our side, we believe that it prevents a significant amount of fraud. However, this approach doesn’t find every impacted account, or you might have created your Epic account after we checked a particular password dump.
As a result, we’re working to further automate our process to check our account database against password dumps to close the gap on identifying impacted users and resetting their passwords. We’ve also enabled multi-factor authentication, which provides players with additional security options.
However, affected Fortnite users have suffered an ascertainable loss in that they have had fraudulent charges made to their credit or debit cards and must undertake additional security measures, some at their own expense, to minimize the risk of future data breaches including cancelling credit cards associated with their Epic Games/Fortnite accounts and changing passwords for those accounts. Furthermore, Fortnite users have no guarantee that the above security measures will in fact adequately protect their personal information. Fortnite users therefore have an ongoing interest in ensuring that their personal information is protected from past and future cybersecurity threats.
FDAzar Files a Class Action Lawsuit
On August 8, 2019, attorneys at FDAzar filed a class action lawsuit against Epic Games seeking monetary damages and injunctive relief on behalf of Epic Games users nationwide in case number 5:19-cv-00348-BO in the United States District Court for the Eastern District of North Carolina Western Division. The case is being presided over by The Honorable Terrence W. Boyle.
Claim Against Epic Games
You may have a claim against Epic Games if you have an Epic Games or Fortnite account, a credit or debit card linked to that account, and incurred charges on that linked card that you did not authorize or recognize. Contact FDAzar immediately. We will fight to get you the recovery you deserve.