Hackers Leak Full EA Data After Failed Extortion Attempt (therecord.media) 56
The hackers who breached Electronic Arts last month have released the entire cache of stolen data after failing to extort the company and later sell the stolen files to a third-party buyer. From a report: The data, dumped on an underground cybercrime forum on Monday, July 26, is now being widely distributed on torrent sites. According to a copy of the dump obtained by The Record, the leaked files contain the source code of the FIFA 21 soccer game, including tools to support the company's server-side services. The existence of this leak was initially disclosed on June 10, when the hackers posted a thread on an underground hacking forum claiming to be in possession of EA data, which they were willing to sell for $28 million.
Lousy business people (Score:5, Interesting)
Offered for sale and when no-one bought it they gave it away for free. Hard to believe they will have any takers for future stolen data. I'm not sure they thought this one through.
Re: (Score:3)
Or they just proved they are willing to actually leak the data if their terms are not met in the future.
Re:Lousy business people (Score:5, Insightful)
As they victim has absolutely no assurance beyond the word of criminals that if they pay the ransom, the data will not get sold and not eventually published anyways, there still is no reason to pay. That is a very fundamental problem with this type of criminal business model and I do not think it can be fixed. The whole idea is kind of a non-starter.
Re: (Score:2)
Data is so easy to copy how could it possibly be escroed?
"Here's the data, now see it being deleted. Now give me the money."
Next week: "Just happened to find another copy of that here, so who wants to buy it today?"
Re: (Score:2)
Re: (Score:2)
Data is so easy to copy how could it possibly be escroed?
Indeed. Only way to do it was if the escrower was not only right there, but carefully monitors and audits everything the attackers do. I do not see that working practically or legally...
Re: (Score:1)
As they victim has absolutely no assurance beyond the word of criminals that if they pay the ransom
Wait are we talking actual criminals here or the world in general? Because I think criminals have more integrity than most corporations do these days.
Re: (Score:3)
Incentives right - groups like ReVil etc have a reputation to maintain. Holding up their end and not releasing when ransoms get paid lets victims research their history and see that they can be if not exactly 'trusted' relied upon to not double dip. In that sense they have the same incentive a business does in terms of reputation.
Your roofer or hvac contractor might give you bad advice or do shoddy work hoping to come back and make money on repairs later but eventually that sort of business practice catch
Re: (Score:2)
Does not work. The data could still be released years or decades back. Unless they build that reputation over a few decades, they do not have it.
Re: (Score:2)
Other than its already working.
Re: (Score:2)
You can have a contract with a corporations and sue them if they breach it. Try that with criminals...
Re: (Score:2)
You can have a contract with a corporations and sue them if they breach it. Try that with criminals...
You don't need contracts. Even criminals understand the value of a reputation as a good "business partner".
Re: (Score:2)
I presume they needed to do something 'scary' to the victim for failing to pay the ransom. Your confidential data will leak even if you don't think someone would buy it.
Except here, while *technically* confidential, no one cares. The fact that it is legally intended to be confidential suffices in this case from it being a problem that it is out.
Re: (Score:3)
They clearly did not thinks this one through. The real problem is that the data is essentially worthless to anybody except EA, except for embarrassment value. Nobody can use the tools or the code. The risk of being found out is just way to great. And learning from it is far too much effort.
Even the embarrassment value may well be low, because you have to dig through things and digging through this amount of data (nearly a TB) is the work of years or decades. So by the time anybody finds anything, it will be
Re: (Score:3)
The data is valuable for those who are trying to crack DRM or those who make and sell hacks to cheat at online play. Having access to source code can make their jobs much easier. I doubt either group are willing to spend money to get the code though.
Another party are moders. But they would be even less likely to pay since most dont make a cent from their mods are do it as a hobby anyways.
It's like learning to lock your shit up (Score:3, Funny)
OK EA, you've basically lost control of FIFA2021.
So, how much are you willing to spend on your cybersecurity this year, again?
How much is it worth to you to tighten stuff up?
Re:It's like learning to lock your shit up (Score:4, Insightful)
They haven't lost a thing. There were no security credentials, only source code which remains EA's full property.
At most that'll open ways for enthusiasts to produce additional content, mods, or other fun stuff, drawing even more attention to FIFA and making them make more money. Or it will allow some to recompile the game (good luck with that) and play the game offline, if that's even possible.
Re:It's like learning to lock your shit up (Score:5, Funny)
They lost more than you may think, very obviously you don't know how EA games work. Basically they lost FIFA forever, all people now have to do is to reskin the models, recompile the code and they have FIFA 2022, FIFA 2023, FIFA 2024...
Re:It's like learning to lock your shit up (Score:5, Funny)
All I did was making a joke, with the punchline being that EA basically sells the same game over and over.
I know, jokes don't improve when you need to explain them.
Re:It's like learning to lock your shit up (Score:5, Insightful)
Re: (Score:3)
I think it was a little too close to their actual business strategy for it to be taken as a joke.
*sigh*. THAT'S THE JOKE!
Re: (Score:1)
Re: (Score:2)
Yup, my bad.
Note to self: Don't post when its late and I'm tired.
Re: (Score:2)
To take that seriously for a moment, the set of people who would be able to do that and the set of people who gives a rats ass about the teams and rosters being up to date is probably pretty small. Oh and you'd need the new art assets anyway.
Re: (Score:2)
Soccer is one of the biggest sports in the world. I'm sure there are people out there who have the requisite skill and also the interest in the sport.
Re: (Score:2)
https://slashdot.org/story/04/... [slashdot.org]
(Whew! 12 pages of replies, those were the days).
It seemed like such a momentous event. 'Will the Microsoft empire fall?'
Didn't change a thing.
Re: It's like learning to lock your shit up (Score:4, Interesting)
People use and buy software, not source code. People in the industry never understand that. There is nothing brilliant in source code that needs to be hidden.
And that is pretty much it. Even if there were the occasional valuable thing in there, it would be next to impossible to find. Unless you already know what it is, in which case it would probably be cheaper to re-implement it yourself. It is also really quite possible to put parts of Windows through a decompiler.
Re: (Score:2)
Re: (Score:2)
I wonder if there is anything about their loot boxes, pay-to-win, and algos designed to make the player spend more?
Might be of interest to lawyers, or to players who want to understand how the RNG works. Usually with gambling it's not really random, it's weighted to deliver maximum profit.
Reminds me of when emulators started appearing for fruit machines, or one-arm-bandits or whatever you want to call them. Save states showed that they were not random at all, and some games had to be withdrawn because peopl
You can't trust criminals (Score:2)
Horray to EA for not paying.
You can't trust criminals; if they'd paid, they'd only get hit again in another month and asked to pay again. Once the criminals find a cow, they don't stop milking it just because they got paid once.
https://www.newsweek.com/most-... [newsweek.com]
Re: (Score:2)
Indeed. Doing a trade requires some level of honesty and integrity on both sides. Or at least some real possibility for retaliation. All these are missing here, so only fools will pay anything.
Difficult to offload (Score:2)
Re: (Score:2)
Not every criminal is a mastermind.
Re: (Score:2)
Yeah, humanity is very fortunate that criminals - for the most part - tend towards the lower range of the IQ continuum.
Re: Difficult to offload (Score:1)
Re: (Score:2)
Yeah, that could be worth a buck or two. 28 millions, well, maybe not, but ponder if you will what it may be worth to get every Playstation on the planet to mine bitcoins for you.
Online games, and nowadays pretty much every AAA-game is one, is a still fairly untapped malware potential. Which is kinda odd considering that games do routinely have administrative privileges because they need them for anti-cheat and anti-piracy measures and also generally have very, very poor security standards.
Re: (Score:2)
If the games are so poor, they should get a job.
Re: (Score:2)
Yeah, that could be worth a buck or two. 28 millions, well, maybe not, but ponder if you will what it may be worth to get every Playstation on the planet to mine bitcoins for you.
While I agree on principle, you should first convince all those Playstations to run unsigned binaries. On the other hand, PC users who use some shady pirated version of a game know perfectly well (or they should) that it is probably full of malware.
Re: (Score:2)
The idea is here that due to improper input sanitation, a manipulated packet can be used to make the binary, which was signed and sanctioned by Sony, execute the malicious code. Not that I have the console "knowingly" execute my binary.
Re: (Score:2)
Singing a binary means jack shit if you manage to get the binary to execute your code. Why do you think this would avoid any kind of malware execution?
You may have heard about how manipulated saved games have allowed console jailbreaks in the past. Same thing here. You take input from the network, fail to sanitize it properly and you end up with the old game of buffer overflows leading to return address into data segments. Yes, we now have ways to deal with that, but that only makes the exploit harder to pu
Re: (Score:2)
Having access to the source makes finding exploits heaps easier. Instead of having to wade through a disassembly of some network code that deals with packets that are very likely by no means standardized which keeps you wondering what kind of input may even be found somewhere with the checks being near certainly somewhere else, you now have commented source code where the relevant portions are referenced, either with code or even with comments.
Believe me, it gets SO much easier that way. ;)
Next mobe by EA (Score:2)
Fair Market Value (Score:2)
Finally, EA stuff is selling for its natural fair market value.
Code review anyone? Much to learn here. (Score:2)
Not all that useful to competitors (Score:2)
People--programmers and corporations alike--tend to think of their source code as their primary business asset, the lifeblood of their company. It generally is not. The real life of a company is wrapped up in its people, and the relationships they have built with other people and other companies. You can steal the code, but if you don't know how to run a business based on that code, you are going nowhere.
I'm not saying the code isn't valuable, it is. But to make real use of it, you have to know how to make
karma? (Score:1)
I think the bigger point is that EA is THE classic hated company in the video game world. It's unsurprising that a disgruntled employee or former employee would leak this for reasons having more to do with revenge. In all likelihood the goal was to leak it and generate bad press with the ransom demand.
Activision Blizzard, anyone?