Last week, news broke that games publisher Electronic Arts (EA) fell victim to a data breach. While EA won’t say when the incident occurred, the ramifications are clear: the malicious actors made off with a whopping 780 GB of data.
While no player’s personal data was compromised in the breach, the stolen data included source code and dev tools for a number of high-profile games, including hits like FIFA 21 and the Battlefield series, and even the source code for the company’s proprietary Frostbite game engine. This could represent a boon for rivals looking to develop their own games, as well as unscrupulous developers that specialize in cheating software for online multiplayer games.
In fact, the hackers are already trying to sell the data for a cool $28 million, promising buyers “full capability of exploiting all EA services”. The trove extends to all PC games as well as consoles, with SDK and API keys for Microsoft’s Xbox and Sony’s PlayStation platforms.
So how did hackers manage to penetrate the second-largest gaming company in the world? The answer is shockingly simple, and one that could’ve been easily prevented.
How EA Got Hacked
Step 1: Get cookies
According to a Motherboard interview, the hackers began by buying stolen cookies online for $10 each. One of the cookies contained the login details of EA employees for third-party apps, one of which was Slack.
Step 2: Infiltrate Slack
Once inside the corporate Slack channel, the hackers made their way to the IT support group. EA’s Slack security isn’t exactly known for being robust: last year, researchers found that a former engineer left the names of the company’s Slack channels in a public code repository.
Step 3: Apply a bit of social engineering
With the hackers having a direct line to EA’s IT support, it was just a matter of coming up with the right sob story. In this case, they pretended to have lost their phone “at a party last night”, and requested a multi-factor authentication token.
Step 4: Profit
With MFA in hand, the attackers breezed right through multiple security defenses and into EA’s corporate network, not once but twice.
Once inside, they used a virtual machine to map the network and immediately hit a goldmine: EA’s service for compiling games. The motherlode included game source code, debug tools, and SDK and API keys.
In the age of endpoint security and MFA, all it took was $10 and a few Slack messages to penetrate one of the largest game publishers in the world.
How it Could’ve Been Prevented
As we can see above, this breach took numerous steps, and each of these steps was an opportunity to stop the breach in its tracks. Multiple things went wrong here, which means there are also multiple lessons. Here’s what EA could’ve done better.
Zero trust security
Much of this hack relied on an unwitting IT administrator handing over sensitive credentials to the hacker, believing that they were a legitimate employee. Had the company practiced the principle of zero trust security, this could’ve been avoided. Zero trust centers around the idea that organizations should not automatically trust anything inside or outside their perimeters. Everything must be verified first.
In this instance, the IT administrator could have practiced zero trust in a few different ways. He could have, for example, used two forms of communication to confirm the user’s identity, such as asking them to join a video call, as well as communicating over Slack, to double-confirm the request. Alternatively, the IT administrator could have sent the authentication token to the user’s email, as an additional protective step.
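The two checks described above can be enforced by the help-desk tooling rather than left to the administrator's judgment. The following is an added example, not code from EA, Slack, or Polymer; the channel names, the directory, and the `evaluate_reset` function are hypothetical, and it applies both checks together (two independent channels, and delivery only to the address on file).

```python
from dataclasses import dataclass, field

# Constructed grouping: channels protected by the same login share a group,
# so two confirmations only count as independent if their groups differ.
CHANNEL_GROUP = {
    "slack_dm": "slack",
    "slack_channel": "slack",
    "video_call": "video",
    "desk_phone_callback": "phone",
}

# Hypothetical employee directory: the only source of delivery addresses.
DIRECTORY = {"jdoe": {"email": "jdoe@corp.example"}}


@dataclass
class ResetRequest:
    user: str
    requested_via: str                               # channel the request arrived on
    confirmations: set = field(default_factory=set)  # channels where identity was confirmed
    deliver_to: str = ""                             # destination the requester asked for


def evaluate_reset(req: ResetRequest) -> dict:
    """Decide whether an MFA token may be issued, and where it is sent."""
    record = DIRECTORY.get(req.user)
    if record is None:
        return {"approved": False, "deliver_to": None, "reasons": ["unknown user"]}

    reasons = []
    # Count independent channels, not messages: two Slack chats are one channel,
    # because one stolen Slack session controls both.
    groups = {CHANNEL_GROUP[c] for c in req.confirmations | {req.requested_via}
              if c in CHANNEL_GROUP}
    if len(groups) < 2:
        reasons.append("identity confirmed on fewer than two independent channels")

    # The token goes to the address on file, never to one named in the request.
    if req.deliver_to and req.deliver_to != record["email"]:
        reasons.append("requested destination is not the address on file")

    approved = not reasons
    return {"approved": approved,
            "deliver_to": record["email"] if approved else None,
            "reasons": reasons}
```

A request that arrives over Slack with no second channel, as in the EA incident, is refused, and so is one that is only "confirmed" in another Slack conversation.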
Create a security aware culture
EA’s Slack security record is quite poor. We’ve discussed the vulnerabilities in Slack before and, as this attack reinforces, the tool is often low-hanging fruit for cyber criminals, because it offers a relatively easy route to access sensitive information. Slack, of course, also has numerous benefits – particularly for employee collaboration in the remote working world.
We’re not suggesting that EA, or your company, remove Slack. Instead, organizations must cultivate security awareness – especially for collaboration tools. This should start with a robust, real-time security training program. It’s not enough to make employees take an annual, one-day course on cybersecurity. Training needs to be integrated into the daily workflow. Nudge-based training programs, which prompt users on security best practices as they work, are the most effective way to build security awareness, while preventing data loss in real time.
In addition, a good security culture encourages strong password hygiene. In the case of EA, this breach started due to stolen cookies that contained Slack login information. Had EA’s employees been mandated to change their passwords on a more regular basis, the hackers would likely not have even been able to log in to Slack in the first place.
Use DLP software
Even with the right cultural frameworks in place, it’s important to remember that company team members are only human. People will always make mistakes at some point – as was the case for the EA IT administrator. They may have been in a hurry, and probably didn’t even consider that the user on the other end of Slack was a fraud.
To safeguard against this kind of human error, it is essential to back up a strong security culture with the right security technologies – particularly for collaboration tools like Slack.
New-age data loss prevention (DLP) solutions, like Polymer, can monitor the information being shared on collaboration tools, such as Slack, Teams and Dropbox. Through predefined policies set by the IT team, our solution automatically monitors, intercepts, and redacts sensitive data. This helps the IT team to improve data visibility, while also drastically reducing the risk of a data breach.
Even in the age of advanced AI learning and sophisticated malware, some successful network intrusions still happen the old-fashioned way. In EA’s case, all it took was a bit of data mining and social engineering. To stay one step ahead, organizations need to complement their security tools with robust policies and proper IT security awareness.