Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security IT

Hackers Explain How They Stole Wealth of Data From EA (vice.com) 50

The group of hackers that stole a wealth of data from game publishing giant Electronic Arts broke into the company in part by tricking an employee over Slack to provide a login token, Motherboard reported Friday. From the report: The group stole the source code for FIFA 21 and related matchmaking tools, as well as the source code for the Frostbite engine that powers games like Battlefield and other internal game development tools. In all, the hackers claim they have 780GB of data, and are advertising it for sale on various underground forums. EA previously confirmed the data impacted in the breach to Motherboard.

A representative for the hackers told Motherboard in an online chat that the process started by purchasing stolen cookies being sold online for $10, and using those to gain access to a Slack channel used by EA. In this case, the hackers were able to get into EA's Slack using the stolen cookie. "Once inside the chat we messaged a IT Support members we explain to them we lost our phone at a party last night," the representative said.

This discussion has been archived. No new comments can be posted.

Hackers Explain How They Stole Wealth of Data From EA

Comments Filter:
  • Shitty process (Score:5, Insightful)

    by Rick Zeman ( 15628 ) on Friday June 11, 2021 @09:53AM (#61476986)

    Sounds like some IT team members will be looking for new jobs, not to mention whatever managers thought that Slack was an acceptable channel for such unverified requests.

    • Yup, that should be handled face to face. None of this remote work business. ;-)

    • The manager wont get fired. The tech will be thrown under the bus. The tech was prolly told to do it.
    • Re:Shitty process (Score:4, Informative)

      by Murdoch5 ( 1563847 ) on Friday June 11, 2021 @10:15AM (#61477086) Homepage
      100% - You lost your phone, and your phone had access to company property, then we need to quickly look and shutdown all access tokens that are active, including locking the phone out of all systems. Once the system is secured against the phone you lost, then we can start a detailed process of allocating you access, including a multi step verification process.
      • by bws111 ( 1216812 )

        What makes you think the phone had access to company property? My phone has no access to any company property, but it can be used for 2FA. This sounds like the same thing, he claimed he couldn't do the 2FA because he didn't have the phone. The failure was that someone was social engineered into allowing access without the 2FA.

        • Re:Shitty process (Score:5, Insightful)

          by Murdoch5 ( 1563847 ) on Friday June 11, 2021 @01:39PM (#61477844) Homepage
          It was just a 2FA issue they could have used the recovery codes to access the system, which is the point of recovery codes.

          If a user called me and didn't have the 2FA device, and didn't have access to any recovery codes, they wouldn't be getting anything from me without a multi stage verification process, which would involve showing up on Video and having multiple people agree he works for us.
    • by bws111 ( 1216812 )

      Who says managers thought Slack was an acceptable channel for such requests? Someone got a message and acted on it, what makes you think they had management approval to do that?

      • Someone got a message and acted on it, what makes you think they had management approval to do that?

        Shhh. Let them rant. It makes them feel better when they don't have to accept responsibility and can blame someone else. Like when programmers always say it's not their fault X happens in software. They were told to do that by management.
  • by rwrife ( 712064 ) on Friday June 11, 2021 @09:58AM (#61477016) Homepage
    Slack seems a little insecure if you can gain access using a hijacked cookie.
  • by Rosco P. Coltrane ( 209368 ) on Friday June 11, 2021 @10:06AM (#61477044)

    any Tom Dick and Harry who breaks into computers they have no business using and breaks or steals shit. Those are thieves, blackmailers, exortionists, racketeers, vandals... but they sure ain't hackers: in most case, there is little to no technical know-how involved: just a bit of luck, a dictionary of default passwords or basic social engineering.

    Hacking used to be a noble technical activity. Now hacker has come to mean computer criminal. It's really deplorable.

    • Hacking used to be a noble technical activity. Now hacker has come to mean computer criminal. It's really deplorable.

      Whaaa! They stole ma definition!

    • by ZorinLynx ( 31751 ) on Friday June 11, 2021 @10:09AM (#61477066) Homepage

      Give it up, man. Language evolves and the general accepted meaning of "hacker" today is someone who breaks into computer systems.

      Believe me, I used to fight this definition too, back in the day. But it's a lost cause. It just makes you look pedantic when you make this statement these days.

      Plenty of other words you can use, like "guru" for example.

    • by geekmux ( 1040042 ) on Friday June 11, 2021 @10:24AM (#61477118)

      any Tom Dick and Harry who breaks into computers they have no business using and breaks or steals shit. Those are thieves, blackmailers, exortionists, racketeers, vandals... but they sure ain't hackers: in most case, there is little to no technical know-how involved: just a bit of luck, a dictionary of default passwords or basic social engineering.

      Little history lesson. We used to call them script kiddies. Not sure why we stopped because it was a decent label to segregate lucky morons from people who know what they're doing.

      Hacking used to be a noble technical activity. Now hacker has come to mean computer criminal. It's really deplorable.

      Settle down now. If it was really all that "deplorable", society wouldn't be shelling out high-paying jobs for Certified Ethical Hackers and inviting them into the boardroom.

      • by larwe ( 858929 ) on Friday June 11, 2021 @11:11AM (#61477292)

        We used to call them script kiddies. Not sure why we stopped because it was a decent label to segregate lucky morons from people who know what they're doing.

        That phrase is absolutely still in use, and still refers to people (mostly younger, but not all) using, without any real technical understanding, off-the-shelf tools to locate and target systems with known vulnerabilities. It is not, however, an appropriate label for professional cybercriminals (even though many of them probably started as script kiddies). Crafting a scam like https://www.wired.com/story/bravomovies-fake-streaming-site-bazaloader/ [wired.com] for instance is a great deal more than script kiddie behavior (and you will notice that Wired uses "hacker" in the modern, bad-actor sense here).

      • by cfalcon ( 779563 )

        "script kiddie" is a thing. It's not what these guys did. This attack was not, for instance, done by script kiddies. This was social engineering for access followed by possibly a bit of hacking to exfiltrate.

        • "script kiddie" is a thing. It's not what these guys did. This attack was not, for instance, done by script kiddies. This was social engineering for access followed by possibly a bit of hacking to exfiltrate.

          I'm well aware of that. I was offering a simple clarification, ironically marked Informative. You assumed otherwise. Read my comment again.

      • We used to call them script kiddies

        This looks like a successful social engineering hack. What makes you think they were script kiddies as opposed to real hackers?

        • We used to call them script kiddies

          This looks like a successful social engineering hack. What makes you think they were script kiddies as opposed to real hackers?

          What makes you think I made that mistake based on my feedback?

          I was merely explaining a term to the parent that addressed the complaint regarding the overuse of "hackers" when talking about people using low-skill attacks.

          You're not the only one who assumed, but still very odd I had to explain that here.

      • Even when Script Kiddy was the word du jour we never used it to refer to people who executed social engineering attacks. Don't pretend that this is just some stupid moron running some software. Social engineering takes a bit of skill, just not necessarily "hacking the gibson" kind of skill.

        • Even when Script Kiddy was the word du jour we never used it to refer to people who executed social engineering attacks. Don't pretend that this is just some stupid moron running some software. Social engineering takes a bit of skill, just not necessarily "hacking the gibson" kind of skill.

          Don't pretend my simple offering of a definition, translates into me not knowing what this attack was. I was merely offering a clarification because "hacker" can be quite over-abused.

          And even "hacking the gibson" required a hell of a lot more than scripts (dumpster diving, line taps, and even physical intrusion) C'mon man, even your example is bad. And you're correcting me?

    • I'm having flashbacks to the 1990's when people tried to create the term "cracker" to differentiate the two connotations of "hacker". Nobody bit, and it didn't take off. Two different meanings for a word really isn't difficult for people to understand.
      • cracker [wowroms-photos.com] / kracker was someone who hacked and removed copy protected.
        i.e. This game cracked by ...

        It is a shame it never got accepted. Now we have specify the slightly more verbose "white hat" or "black hat" hackers.

        • by neoRUR ( 674398 )

          And we used to call the social engineering part Phreakers, with the hacking part getting into the phone system.
           

  • Some explanation (Score:5, Informative)

    by enriquevagu ( 1026480 ) on Friday June 11, 2021 @10:17AM (#61477096)

    The summary does not explain clearly the process, neither does the article.

    It explains that they bought some cookies online. HTTP is a stateless protocolo, and HTTP cookies are the mechanism employed to maintain session information. Therefore, if you clone a cookie you can impersonate a different user. If I understand correctly, a list of the AE slack servers has been accidentally posted online [vice.com], and they obtained the cookies of the slack server corresponding to an AE developer. In this channel, they alleged that their phone was lost, so they could not get the 2FA code required to log in into the development servers at AE. Another AE member simply helped them log in, and it was all done.

    So these hackers did not really hack anything, but used social engineering. The actual hack comes from the guy who originally obtained and sold the cookie. Apparently, there was a known attack to slack using HTTP Request smuggling [hackerone.com] (HTTP Request smuggling is explained here [portswigger.net], for example), but it was corrected in 24h after the notification (kudos to the slack team). Either the cookies were very old (unlikely), or some developer at AE suffered a similar attack recently.

    Please correct any error in the previous explanation, since this is what I understood from the article.

    • EA should borrow an idea from the military. Compartmentalization.

    • Thank you for taking the time to write this up. You did a better job than the article.

      Wish I had mod points!

    • So these hackers did not really hack anything, but used social engineering.

      Social engineering is a form of hacking(or a tool in the toolbox, if you want to pick nits). Getting access is the hack. It doesn't matter how you get access as long as you get access.

    • In this channel, they alleged that their phone was lost, so they could not get the 2FA code required to log in into the development servers at AE. Another AE member simply helped them log in, and it was all done.

      So these hackers did not really hack anything, but used social engineering.

      That is often the easiest path to information. People are the weak link, and no matter how careful you are someone always wants to be helpful, and can be cowed if necessary into helping.

      Years ago I did a research product for a group of scientists wanting to commercialize an idea. I called up the companies who were the potential competitors and asked a lot of questions to garner insights on where the new product might have an advantage and if they were working on something similar. I had to get past sales

    • What's the lifetime of Slack cookies ?
  • by bhcompy ( 1877290 ) on Friday June 11, 2021 @10:48AM (#61477192)
    Social engineering once again shows the biggest security risk is the human with access to the data. How many decades has it been since Mitnick was jailed for demonstrating this?
    • Yes, now ask yourself why ONE person had access to so much?

      • You don't have to ask. You already know. They're dumb and/or willfully ignorant. This is evident by the fact they're using Slack for tech support.
      • Yes, now ask yourself why ONE person had access to so much?

        From the sound of it they just helped them login, which is not unusual for TS. Even so, they should have had an alternative way to verify the person is who they say they are. For example, one place I worked at would only leave the password on the phone of record on your account; if you said that didn't work you either had to come in or have it sent to your boss or account approver who is listed on the account. "I can't access that" was not a valid reason to give it out directly; if you can call in you ca

    • Social engineering once again shows the biggest security risk is the human with access to the data. How many decades has it been since Mitnick was jailed for demonstrating this?

      OnIy's older than that. No need to get the boss to spy, just seduce the right secretary. Often cheaper and easier.

    • Social engineering once again shows the biggest security risk is the human with access to the data. How many decades has it been since Mitnick was jailed for demonstrating this?

      You want to read about a real pro @ social engineering check out Frank Abagnle [slashdot.org]

  • by burtosis ( 1124179 ) on Friday June 11, 2021 @11:01AM (#61477248)
    The hackers have agreed to return the stolen data if EA purchases a series of boxes, each having a chance to get more files back.
  • by bb_matt ( 5705262 ) on Friday June 11, 2021 @11:28AM (#61477352)

    ... I'm sure that will now be addressed ;)

    The company I work for - very large, lots of Ecommerce - is super hot and strict on security education, including social engineering.
    We have pretty much mandatory very in-depth security courses on a myriad of subjects and platforms - all counting toward employee improvement schemes and ultimately bonuses.
    There's an active ongoing phishing test across the organisation and metrics are tracked for how many people are fooled by them, with follow up emails detailing the stats and explaining these tests. We have a reporting tool - if you spot a suspected phishing attack, click a button to report it. You'll be informed if it was part of a test.

    We also do fairly frequent War Games scenarios.

    Our network is heavily locked down, which can be a PITA, but everyone knows WHY this is being done.

    Sounds like EA need to wake up and make these kinds of changes - yep, they aren't cheap, they aren't easy - but are a damn side better than losing 780gb of data ;)

    • by Aereus ( 1042228 )

      Given they ship the same sports titles every year, and would rather peddle gambling to children than produce a legitimate product, I'm thinking very little will change.

    • by antdude ( 79039 )

      Yep, my former employers was like that. They require everyone to take online courses, take tests, etc. every year or so.

    • very interesting, thanks.

      Are your courses and tools developed in house, or can you recommend something? I work in a healthcare setting and this is the nightmare combination of Very sexy data and Very tech illterate workforce. Pointing people to informative and useful courses would be really helpful.

Single tasking: Just Say No.

Working...