Focus on someone playing with an Xbox video game controllerIn June of 2021, video game developer and publisher Electronic Arts acknowledged a breach into their network after a report from Vice’s Motherboard. The hackers allegedly made off with an absolute treasure trove of data, 780GB in total, including the source code for popular video game FIFA 21, as well as the source code for EA’s proprietary video game engine, Frostbite. The hackers are selling the stolen data.

Breaches into the networks of video game companies are not new. In the past year, well known companies including CD Projekt Red and Nintendo have both had digital materials stolen.

The novelty is how the hackers gained access to EA’s corporate network. According to Motherboard, the hackers first purchased stolen login cookies for a Slack channel used by EA for just $10. Once in the Slack channel, the hackers posed as an employee and requested a two factor authentication token from IT support, claiming to have lost their phone at a party. This method of entry worked more than once.

After that, the hackers used a combination of various internal EA services and a virtual machine they had spun up to access and steal the data.

 

So here’s what the EA breach means to your company.

It does not matter how complex your password rules are, or in some cases, even if you use two factor authentication. Many breaches are the result of social engineering. Your humans are often the points of failure, not your systems. Whether it’s email phishing attempts or sketchy phone calls, the intent is to trip up a person, not a digital safeguard.

Criminals are all in on exploiting these methods because, unfortunately, they work. In the defense of the humans who find themselves bamboozled, the number of attack vectors are already numerous and always increasing, and the methods are becoming unbelievably sophisticated. It is very difficult for your average employee to do their job, while also acting as a constant vanguard against network intrusions. It is not an unfair assumption on the part of EA’s IT team that someone in a corporate Slack channel is legitimately one of the 9,800 EA employees. However, it has become necessary to be skeptical of anything and anyone.

The solution is continuous education. Cybersecurity training can’t stop at crude email phishing attempts. Criminals are escalating their attacks and it is imperative that your employees are educated about new and novel methods for intrusion, such as stolen Slack credentials with this EA breach.

Cybersecurity education must be an ongoing effort within your workplace, not a one and done thing. Your company’s overall awareness will quickly fall behind and you’ll find yourself open to attack. It doesn’t matter if you are a major corporation like EA, or a small 10 person company. The attack vectors are the same, and your human preparedness must also be the same.

 

Download our FREE brochure to learn how I-M Technology protects our clients with world class cybersecurity