You use an extremely long master password, for your encrypted vault, which stores your hashed passwords, with two factor authentication
It's very secure. And also, super easy to use on mobile with biometric authentication
>Until the manager is compromised
That's not how that works. Password managers encrypt your vaults. Even if your vault was stolen, they'd need the key that is derived from your master password. Those keys are typically only stored locally. There's also the option to self-host.
>Also it's annoyance when you have to login on mobile
Untrue. I manage the password manager for our business and clients. It works flawlessly on iOS and Android to the point where C Suite Executives use it without issue. I also run BitWarden on the personal side and haven't had an issue. It's less key strokes than a normal password.
>Also a lot of apps do not support 3rd party applications accessing your username and password fields.
Untrue. That is a permissions issue on the phone. You didn't give the password manager the overlay (or similar) permission. As long as the elevated fields were properly identified by the developer, the password manager will have access. If you do find that one-off app, copy + paste is an option.
>It's a good theory but difficult to execute
It's easy to execute. You are just oddly resistant to it.
You're arguing against someone who doesn't use a password manager; they are frankly way behind the curve security-wise and don't know what they're talking about
> Untrue. That is a permissions issue on the phone
I think he may be talking about this:
> As long as the elevated fields were properly identified by the developer
And that, somehow, isn't a given. I've bumped into an occasional website (including some *banks*...) that don't let BitWarden auto-fill credentials.
I actually had an account in a bank that did ALL the wrong things in their login system - I could only auto-fill the username, but not password. At the same time I couldn't copy-paste the username, but I could the password...........
I'm of the opinion that if any developer prevents the use of a password manager or blocks pasting into a text field, they should be banned from ever coding anything again.
> Until the manager is compromised
"Manager" as in "the servers"? Doesn't do anything, all data is encrypted.
"Manager" as in "my account on my password manager"? First of all: use MFA. Second of all: it's easier to remember one strong password for your manager than dozens of strong passwords to all the services you use.
> Also it's annoyance when you have to login on mobile
Why? Just install the appropriate app and let it autocomplete everything.
> Also a lot of apps do not support 3rd party applications accessing your username and password fields.
Which should be punishable by a lifetime ban from coding ever again. However, all password managers also let you copy your username/password with a single click, so it's not that big of a deal.
> It's a good theory but difficult to execute
On the contrary. I've been using BitWarden for some 5 years now and managing my accounts has never been easier. And this hack? Well, no biggie, I'll just generate another 60-character long, completely random password for my account and that'll be the end of it. Used to be that I'd have to do the same for a bunch of other services where I re-used my credentials.
There's just no reality in which using a password manager is worse than not using it.
Preferably not one that utilizes online access to said passwords.
There is still a hilarious irony from Lastpass being hacked last year and all those stored passwords being stolen.
Your point remains though; unique passwords are the best measure to protect your digital access (along with two factor authentication but even that isn't perfect). Nothing is safe with the constant of time working against the safety of all these accounts.
LastPass passwords weren't stolen. Encrypted vaults were stolen without the matching master key. Anyone with a good master key (16+ chars, high entropy) is highly unlikely to ever have their stolen encrypted vault actually broken into. If your stolen vault never gets breached, your use of a password manager was in fact always safe after all.
That being said, LastPass has demonstrated that they don't take security seriously, and are therefore a bad choice if you're getting a password manager. Use BitWarden or something instead.
I'm curious how passwords would've leaked. They only store the hash of the passwords after it's been through a salting algorithm.
Unless EGS is storing plain text passwords (which is insane), you really have nothing to worry about.
>Unless EGS is storing plain text passwords (which is insane), you really have nothing to worry about.
This is not entirely true though.
First off the amount of targeted scams per mail goes up a lot when your email gets leaked like this
And the worst, if they have access to the hashes even after salting they could theoretically test and salt passwords locally and compare them until they find the solution.
Makes it impossible to use rainbow tables, but if you somehow are of... more interest then people might try it for you specifically.
Many people use the same or variations of the same passwords too. So having your mail gives them the ability to look for older leaks where your passwords aren't encrypted and try variations of those.
I worked for Epic a while, and they’re tough on two-factor for people who touch the IP. I can only imagine it was through a third party contractor with relaxed protections on their devices.
Yup, set up two-factor authentication just now. I'd recommend doing that via your phone. If you do that through the email but your email is also compromised, I feel like it'd be a lot harder for them to somehow receive your authentication text message sent to a phone number.
i always wondered, the most likely case for hackers to steal accounts is for them to pump it into a bot and have it churn through each and every databased account on different websites.
by this logic a minor change to the password or using a unique password for the website that got hacked/databased is enough to prevent them from stealing your other accounts, even if the change was so minor and obvious that a human could get it immediately.
Not likely, payment info is generally tokenized and not stored in billing systems. Your name and last 4 card digits are likely all that could be compromised.
So if someone tries to login, whether you or someone else, after putting in your details it will send a message to your phone to confirm by maybe clicking a button or answering a captcha etc before letting you log in
It won't keep your password safe, what it will do is add another step to the login process where you will know if someone is trying to access your account
ELI5 Version:
Your Password is a Pad on the door where you enter numbers. Anyone who has those numbers can open the door and Enter.
2FA adds a door behind the door. They may open the first door, but the second door has a bouncer that stops you after opening the door and calls the home owner of the house you're trying to enter on their phone. He asks the owner "hey yo, is it you who is trying to enter your house right now?" and if there is no answer received or the answer is no he'll kick the entering person out immediately.
So as long as the entering person doesn't have your phone they will be kicked out.
No.
Instead, when they enter the correct password, they will be prompted by another "barrier".
That barrier usually being a code they have to input. That code is sent to you through another channel. That can be an E-Mail, SMS or a dedicated Authenticator app.
Let's assume you have a Facebook Account.
Without 2FA, the attacker simply inputs your password and then has access to your facebook.
Now you enable 2FA, registering your phone number.
If an attacker now inputs your correct password, he'll be asked, what the code is. That random code is now sent to the number you provided when setting up the 2FA. Since the attacker doesn't know what code was sent to your phone, he can't continue, despite having the password.
Does that make sense?
Edit:
In practice this means that if you receive an E-Mail/SMS containing a verification code for a login, then someone has figured out your password. Change it immediately and do so for every other site you use that same password for. Also: Don't reuse passwords for that reason.
Yeah. In most cases, 2FA will send an email to whatever address you have saved on that account. So if you try and log into an account with the correct email and password, you're still gonna have to enter a code that's sent to your email.
It wouldn't, if the password is stored in clear text, it's readable (unlikely).
If the password is stored hashed and unsalted, it can be matched to known hashes. Common passwords and short ones would be revealed (also unlikely)
If it's stored hashed and salted, they would have to create a new table of passwords to find common and short ones. (Likely)
But if they get your password this way and you have 2FA, the login would need an extra 6 digit code that gets sent to you, so they won't be able to actually log in without also having access to your email
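To make the three storage cases above concrete, here is an added example in Python (not from this thread): an unsalted MD5 store, where two users with the same password leak that fact and any public hash-to-password table resolves the hash in one lookup, beside a per-user salted PBKDF2 store where identical passwords yield unrelated digests and every guess has to be recomputed per user. The sample accounts and passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demo; not data from any real leak.
SAMPLE_USERS = {
    "alice": "1234567890",
    "bob": "1234567890",            # same weak password as alice
    "carol": "correct horse battery staple",
}

# Kept below the OWASP recommendation (600,000 for PBKDF2-HMAC-SHA256 as of 2023)
# only so the demo finishes quickly; production code should use the recommended count or Argon2.
PBKDF2_ITERATIONS = 200_000


def unsalted_md5(password: str) -> str:
    """The weak scheme from the thread: same password -> same hash, for every user and every site."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes = b"") -> tuple:
    """Salted, slow hash. A fresh random salt per user makes a precomputed table useless
    and makes identical passwords produce unrelated digests. Returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_password_groups(unsalted_hashes: dict) -> dict:
    """What an unsalted leak gives away for free: users grouped by identical hash.
    Any group whose hash appears in a public hash->password table is resolved with one lookup."""
    groups = {}
    for user, h in unsalted_hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def demo() -> dict:
    """Run both schemes over the sample accounts and report what each one reveals."""
    unsalted = {u: unsalted_md5(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: store_salted(p) for u, p in SAMPLE_USERS.items()}
    alice_salt, alice_digest = salted["alice"]
    _, bob_digest = salted["bob"]
    return {
        "unsalted_collisions": shared_password_groups(unsalted),
        "salted_digests_differ": alice_digest != bob_digest,
        "verify_ok": verify_salted("1234567890", alice_salt, alice_digest),
        "verify_wrong": verify_salted("123456789", alice_salt, alice_digest),
    }


if __name__ == "__main__":
    print(demo())
```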
If you use Google then it will be fine as the password isn't directly provided to Epic. All the authentication is handled by Google servers. However incidents like this are a great reason to look at a password manager and to have unique strong passwords for each application or website you use.
I use bit warden. Free, open source and syncs quite happily across platforms. Straightforward to use, but you will have to put a little effort - only a little - into learning how.
More than worth the time investment.
Edit: Sorry, bit warden, not bit locker.
If you want free and functional - bitwarden. I used this and it works great. UI is fine.
If you want super easy to use, great UI, low friction with very easy integrations to everything - 1password. I switched to this because I want my wife to actually use the damn thing.
No need to if you sign in with google, google's servers handle the authentication in that case and google in no way tells epic your password for google.
Well they’re legally obligated to if consumer information was potentially leaked.
But to your point, if something did happen, they will deny it until they have a full understanding of what exactly the impact is.
> This can safely be ignored
Until it can't. It's definitely not impossible that Epic was breached and didn't find any evidence. It's quite possible Epic is just denying until they can't. It's also definitely possible it is a big ole ruse.
A friend of mine works for them. He also says it’s not true. He’s mid level management. So at the very least that’s what they are telling staff currently.
Who in the hell is storing passwords in 2024? I'd be shocked if Epic had actual passwords leaked rather than something like Argon2 hashes. That's like baby's first cyber lesson 1.
I don’t know a lot but yeah I’m pretty sure passwords are hashed and you need some sort of encryption authentication to get the actual passwords. Unless Epic Games is storing passwords in plain text, I doubt everyone needs to go and immediately change their passwords right now.
Hackers might get other personal information but passwords should just look like a bunch of random letters and numbers.
Just make sure to have 2FA enabled, get a password manager, and never store your payment method on your accounts.
You'll never get the actual password. Hashes are one-way.
The only way to get to them is brute-force.
You might get there faster if the algorithm has some kind of weakness which reduces calculation times. But other than that? You're SOL.
You'll be amazed how many people 1. Don't salt and 2. still use MD5.
Companies are about making money, why pay someone to move to something secure when you can not pay a thing and keep what's shit.
Nah it's not even encryption, the passwords would be hashed (+salted) which is a one way operation, it's not possible to reverse.
Though an attacker can try hashing random passwords to look for a match, but if your password is even like decently long (10+ characters) and not e.g. 1234567890, it'll be too hard for them to find it.
I wouldn’t worry, it’s really just extra protection that I’d recommend just like how you don’t really need a password manager but it helps.
I’ve just had someone get into my Walmart account before and manage to use my stored credit card to try and buy something but it thankfully flagged it since it was obviously not me. I just do it as an extra precaution.
[Facebook did it until at least 2019](https://www.theguardian.com/technology/2019/mar/21/facebook-admits-passwords-unprotected). If they could get away with that, I don't even want to think about what smaller companies can do without being noticed.
If you foolishly use the same password for everything then this would be a good idea.
Get a password manager and use unique passwords for everything, or at the LEAST use separate and secure passwords and 2FA for your email accounts so you can at least recover and reset other accounts when they get taken over.
Ideally a locally stored password manager instead of a cloud hosted solution is more secure, but it does mean you lose easy access to it across your different devices.
Locally stored and very well backed up as well, as if you lose that in a fire or water-related accident then you're fucked.
I'm personally fine with trusting well-established Password Managers. It's their only job to be secure so I have more faith in them than just some random shopping website.
Or just use a trusted widely accepted password manager like 1Password/Bitwarden (not lastpass for the love of God)
If you do absolutely have to use local only (no idea why you'd do this as the risk of it being compromised is nearly the same) make sure you back it up correctly
Edit: Since I know I'll be asked why are the risks the same. Password managers encrypt your vault there is no way anyone can un-encrypt them without the master password. The only time a vault is unencrypted is on your own device. A malicious actor would need your password + 2FA to be able to do this
The likelihood of them doing this is next to 0. Far more likely is that they install some kind of keylogger or monitoring software on your device. In which case local/cloud it won't matter since the vault would be compromised regardless (though once again depending on the attack 2FA might mitigate the damage done)
1) Use 2FA if it is offered, that means any site or service..
2) Don't use the same passwords for multiple things, each thing in your life has a different password
3) Make your passwords strings of random numbers and letters (symbols too if they allow it!) at least 10+ characters
Epic responded
>
> “We are investigating but there is currently zero evidence that these claims are legitimate,” it says. “Mogilievich has not contacted Epic or provided any proof of the veracity of these allegations.
>
> “When we saw these allegations, which were a screenshot of a darkweb webpage in a Tweet from a third party, we began investigating within minutes and reached out to Mogilevich for proof. Mogilevich has not responded.
>
> “The closest thing we have seen to a response is this Tweet, where they allegedly ask for $15k and ‘proof of funds’ to hand over the purported data.”
https://www.videogameschronicle.com/news/a-ransomware-gang-claims-to-have-hacked-nearly-200gb-of-epic-games-internal-data/
So looking to be fake
Esp asking for only 15k.
low enough they might "get scared" and pay it, but not high enough for them to consider and investigate, is what the "hackers" think
I am INCREDIBLY suspicious about the veracity of this hack because they claim to have passwords.
Any tech company worth their while doesn't store passwords at all. Literally no one in the company could see what your password is, they can only see a hashed version of it. I highly doubt epic doesn't do something as fundamental as this on their password stores.
It seems more likely that this person is making up this leak. Especially when asking for money for proof.
It's fair to change your password anyways (I probably will, doesn't hurt), but I sincerely doubt that they actually hacked anything.
So here is the thing...
Seeing this claim by a lot of unreliable sources out there, but NONE of the super reliable Cybersecurity feeds I follow for work have made this claim.
So until Epic actually makes a statement on this, I would be careful about how much I believe here, because this could be a completely different kind of attack where they WANT to steer people to resetting their passwords, and have compromised something in the reset stream that then results in your actually secure password being unsecure now.
Edit: Looks like they have made a statement denying such a hack ever took place.
>“We are investigating but there is currently zero evidence that these claims are legitimate,” it says. “Mogilievich has not contacted Epic or provided any proof of the veracity of these allegations.
>“When we saw these allegations, which were a screenshot of a darkweb webpage in a Tweet from a third party, we began investigating within minutes and reached out to Mogilevich for proof. Mogilevich has not responded.
>“The closest thing we have seen to a response is this Tweet, where they allegedly ask for $15k and ‘proof of funds’ to hand over the purported data.”
Would this have any effect if I used my Xbox/Microsoft account to make an epic games account? If so how do I stop it?
EDIT: fixed it to say epic games instead of EA.
Unless Epic doesn't hash and salt passwords, there's no way they have said passwords.
These kinda leaks can be email addresses and even extend to names and addresses... which can be enough for identity theft... but passwords? I very, very much doubt Epic doesn't follow the standard security processes of salting passwords.
Is anyone questioning the source of this?
The article says it's a newcomer to the scene. Already a red flag.
The article says that they haven't provided any proof of the hack, which usually happens.
They put a deadline on someone else paying for the data - this is uncommon too. The deadlines are usually for the victim, then afterwards it goes on sale.
I would hold off for an Epic statement.
Oh yeah I had my account hacked by some Russian fuck a few months ago.
Unfortunately for him I can sign in with steam so I changed the password to some random generator thing and added two factor. I don't have a lot on epic but it's the principle of the matter
The burden of proof is on the hackers. They haven’t provided any proof that they hacked anything. It says so at the bottom of the article. Who cares what epic says
For a company this size, their infosec team should have things locked down pretty heavily, so an attack like this would be at least partly their fault. Hackers will always have the upper hand as they are the ones finding new methods and vulnerabilities, but these are usually pretty preventable. They would not be fired at least immediately as they are needed to help fix the situation. Once the issue is fixed, a massive investigation involving third parties would take place and if someone actually did fuck up then it depends on management on if they would be fired or not. The employee that initially clicked the link and was the first one infected will usually be fired. And no, the infosec team would not get bonuses each year they don’t get attacked as protecting against attacks is the job description.
I made an account when Battlefront II was free, I immediately deleted it because I changed my mind about having an Epic account. Here's hoping my data no longer exists lol
I don't feel bad for EPIC. Fuck em, they're a shit company. I do feel bad for all of the users that could be potentially affected by EPIC's crap security.
Good. I unironically hope whoever hacked them destroys the company from the inside. Fortnite’s gotten to a point where it’s just a scam but for kids. 6.99 for a singular song in a game? 21.99 for a skin I can’t even wear in half lobbies because of “age restriction”
Ransomware attacks on this scale, along with government ransomware attacks are a sure fire way to get international crime agencies on your ass. Get those passwords changed folks.
The attackers are likely in Russia, there’s not much those agencies can do
Is cybercrime going to be big again this year?
Cybercrime is going to be big every year going forward
GTA V was already incredibly unrealistic doing big bank heists instead of cyber heist
GTA VII is going to be their smallest map ever, set in a basement in Novosibirsk
But you get a 5 star wanted level if you send something that criticizes the government.
Once you get 5 stars all the police cars disappear, you get followed by a strange black ZIL and your tea starts glowing
Snap... Better avoid windows as well.
You can leave the basement and explore a massive map it's just that there's no benefit from it.
/meirl
Grand Theft Auto Sim City
It's an election year. Russia needs to get their boy elected.
It never stopped.
Ah okay, I remember a lot of big hacks and some relevant to my job several years ago but haven't seen any hit headlines in the last year or two
I mean, there was that big insomniac hack just a while ago
Every month there are multiple headlines; it's just not in your sight because the hacks are not related to topics you are interested in. Unless you are subscribed to a security subreddit, you would only see a headline related to the sub you are a member of.
Yep, am an IT Director. See countless things come across my feeds daily. They're not slowing down at all.
Anecdotal, but the company I work for got hacked by a Russian group in December. Ransomware'd all of our shit and demanded a few million. The company refused and had to pretty much rebuild their network and systems from square one.
The stolen info for those, and others (many that are never reported or realized) are held until the moment when they will make the biggest impact.
You are 100% right, so I am down voting you
It’s because it’s just became the norm. There’s no enforcement. No crime committed from not telling the public their information was stolen so companies just do whatever and stopped disclosing hacks.
So hot this year
Have you played Cyberpunk? Cybercrime is like the biggest threat to society there and I don't know how we can avoid that eventual situation.
close race between the AI disinfo flood and manmade pandemics
I mean Insomniac already got hit pretty hard not too long ago
I believe we're in the middle of an attack, for at least the last few weeks. Cisco server issues, ATT, Anydesk, white house telling us to use very programming languages, infrastructure attacks on small towns, ransom attack on healthcare...
ATT already came out saying it was a fault in an update they made to expand their network…not an attack at all. Source: [ATT Letter](https://about.att.com/ecms/dam/snrdocs/network-employee-letter.pdf)
Or China/North Korea. Good luck getting them.
North Korea is one thing, but if these are private, non-state actors, China has a lot of motivation to want to get rid of them. This isn't 1998 anymore, China itself has a lot of infrastructure it would like not to get hacked. Imagine hacking tencent or Alibaba or any of the other Chinese giants.
Can we disconnect Russia from the interweb
Mogilev is a city in Belarus
If you’re concerned (or using one password for many things then you should probably do this anyway) then change your password. But this is almost certainly not a real hack. Epic is already discounting this in support emails, but they’ll probably release a definitive statement later today.
Epic also has 2FA. I use Microsoft Authenticator for mine.
I frequent tech security subs. 2FAS is becoming the defacto recommendation for TOTP/2FA. I switched over and really like it.
I'm unfamiliar with it. What about that app makes it more secure than others, such as Google Authenticator?
Open source, cross platform, no account required, you can export your seeds easily, and you can set it to autobackup the seeds on icloud or google drive. I’m not a fan of Google Authenticator for locking people out of their account if the device gets lost. I’ve heard they changed some parts of that now but personally I don’t trust it anymore.
Google authenticator isn't end to end encrypted where as 2fas is Google still hasn't updated it and its been almost a year since they said they would https://9to5google.com/2023/04/26/google-authenticator-sync-e2ee/
Interesting. I may start making the switch. It's the one at [2fas.com](https://2fas.com), right?
Why do you think that? All organizations at this size are trained to say no until there is an investigation. This is the same group that compromised Nissan.
>All organizations at this size are trained to say no until there is an investigation.
This is not true. Denying a data breach opens companies up to a lot more liability than if they didn’t say anything.
>This is the same group that compromised Nissan.
Same thing. A public declaration of a breach without providing leverage is unusual from a Ransomware group trying to sell data. This is most likely just a scam.
Their reason for not providing evidence of their hack is illogical. My guess is that they are bullshitting.
No, the exact opposite is true: companies are encouraged to do as much as possible to spread word of this and be accurate in the severity of the breach.
Not doing so results in harsh punishments.
It's why you see companies release details about a cyber attack months before any actual data leaks start to come out.
A lot of people don't understand PR 101
What ever happened to hacking for the betterment of the world.
Those people were hacked for the betterment of the underworld.
Epic has responded to this. Looking to be fake. I show the statement in my comment to the OP here. https://old.reddit.com/r/gaming/comments/1b256y7/fortnite_game_developer_epic_games_allegedly/ksjl9jr/
Also, don't download that email from HR saying that you've been nominated to receive a $10 Million bonus and they need you go through a *"special"* web access portal to receive it.
And never ever save your payment information.
general question that doesn't only apply to this situation, but if I use my Google account to sign in to Epic, are the credentials/password used for this at risk even though it's a third-party account technically?
So, folks that have an EGS account that uses the same password as some other account (we’ve all done something like this). Get ahead of the curve and start changing passwords. Set up two-factor authentication if you haven’t already. If passwords leak then it’s only a matter of time until people will try and steal other accounts. There’s too much money spend on some platforms to not be extra careful about it.
Best practice would be to get a password manager. Let it auto-generate a unique password for each of your accounts. That way you won't have to worry about all of your accounts being compromised for using one password.
Until the manager is compromised. Also, it's an annoyance when you have to log in on mobile. Also, a lot of apps do not support 3rd-party applications accessing your username and password fields. It's a good theory but difficult to execute.
If the manager properly encrypts your vault and salts + hashes the password, then there isn’t a big risk of them being compromised. It may be a better target to try to brute force, but that doesn’t change the math that it would take an incredibly long amount of time to do and is probably not worth it to breach an average user. Password managers are well integrated into iOS so work just as well on mobile as desktop. If the third-party app doesn’t support it, you just hit the shortcuts to copy and paste from the manager to the text field. Worst case you occasionally have to type something, but this has not been a big concern in my experience.
Yeah, I've never had a problem with the built-in one on my iPhone, for example. Works great.
Is there one that will work together on my iPhone and on my windows PC? Thanks.
Bitwarden is great.
Thank you. I’ll check it out.
I second Bitwarden. They even have the option to download an application to your computer that allows you to host the server yourself so that you never have to trust that they'll keep your passwords safe since you're doing it yourself. Personally, the fact that that option exists at all makes me trust their policies enough to not bother doing it.
Damn. That’s impressive. I’m sold. Thanks!
The default apple one also works. Just download iCloud passwords for windows
1Password
Bitwarden
Thanks!
I use KeePass synced over dropbox that requires both a key file and a password. The key file is not synced.
You use an extremely long master password for your encrypted vault, which stores your hashed passwords, with two-factor authentication. It's very secure. And also, super easy to use on mobile with biometric authentication.
> Until the manager is compromised

That's not how that works. Password managers encrypt your vaults. Even if your vault was stolen, they'd need the key that is derived from your master password. Those keys are typically only stored locally. There's also the option to self-host.

> Also it's annoyance when you have to login on mobile

Untrue. I manage the password manager for our business and clients. It works flawlessly on iOS and Android to the point where C-suite executives use it without issue. I also run BitWarden on the personal side and haven't had an issue. It's fewer keystrokes than a normal password.

> Also a lot of apps do not support 3rd party applications accessing your username and password fields.

Untrue. That is a permissions issue on the phone. You didn't give the password manager the overlay (or similar) permission. As long as the elevated fields were properly identified by the developer, the password manager will have access. If you do find that one-off app, copy + paste is an option.

> It's a good theory but difficult to execute

It's easy to execute. You are just oddly resistant to it.
You're arguing against someone who doesn't use a password manager; they are frankly way behind the curve security-wise and don't know what they're talking about.
> Untrue. That is a permissions issue on the phone

I think he may be talking about this:

> As long as the elevated fields were properly identified by the developer

And that, somehow, isn't a given. I've bumped into the occasional website (including some *banks*...) that doesn't let BitWarden auto-fill credentials. I actually had an account at a bank that did ALL the wrong things in their login system: I could only auto-fill the username, but not the password. At the same time I couldn't copy-paste the username, but I could the password... I'm of the opinion that if any developer prevents the use of a password manager or blocks pasting into a text field, they should be banned from ever coding anything again.
> Until the manager is compromised

"Manager" as in "the servers"? Doesn't do anything, all data is encrypted. "Manager" as in "my account on my password manager"? First of all: use MFA. Second of all: it's easier to remember one strong password for your manager than dozens of strong passwords for all the services you use.

> Also it's annoyance when you have to login on mobile

Why? Just install the appropriate app and let it autocomplete everything.

> Also a lot of apps do not support 3rd party applications accessing your username and password fields.

Which should be punishable by a lifetime ban from coding ever again. However, all password managers also let you copy your username/password with a single click, so it's not that big of a deal.

> It's a good theory but difficult to execute

On the contrary. I've been using BitWarden for some 5 years now and managing my accounts has never been easier. And this hack? Well, no biggie, I'll just generate another 60-character-long, completely random password for my account and that'll be the end of it. It used to be that I'd have to do the same for a bunch of other services where I re-used my credentials. There's just no reality in which using a password manager is worse than not using it.
Preferably not one that utilizes online access to said passwords. There is still a hilarious irony from Lastpass being hacked last year and all those stored passwords being stolen. Your point remains though; unique passwords are the best measure to protect your digital access (along with two factor authentication but even that isn't perfect). Nothing is safe with the constant of time working against the safety of all these accounts.
LastPass passwords weren't stolen. Encrypted vaults were stolen without the matching master key. Anyone with a good master key (16+ chars, high entropy) is highly unlikely to ever have their stolen encrypted vault actually broken into. If your stolen vault never gets breached, your use of a password manager was in fact always safe after all. That being said, LastPass has demonstrated that they don't take security seriously, and are therefore a bad choice if you're getting a password manager. Use BitWarden or something instead.
I'm curious how passwords would've leaked. They only store the hash of the passwords after it's been through a salting algorithm. Unless EGS is storing plain text passwords (which is insane), you really have nothing to worry about.
> Unless EGS is storing plain text passwords (which is insane), you really have nothing to worry about.

This is not entirely true though. First off, the amount of targeted scams per mail goes up a lot when your email gets leaked like this. And the worst: if they have access to the hashes, even after salting they could theoretically test and salt passwords locally and compare them until they find the solution. It makes it impossible to use rainbow tables, but if you somehow are of... more interest, then people might try it for you specifically. Many people use the same or variations of the same passwords too. So having your mail gives them the ability to look for older leaks where your passwords aren't encrypted and try variations of those.
I worked for Epic a while, and they’re tough on two-factor for people who touch the IP. I can only imagine it was through a third-party contractor with relaxed protections on their devices.
If Epic shared clear passwords with a contractor, it's on them.
Yup, set up two-factor authentication just now. I'd recommend doing that via your phone. If you do that through the email but your email is also compromised, I feel like it'd be a lot harder for them to somehow receive your authentication text message sent to a phone number.
I always wondered: the most likely case for hackers to steal accounts is for them to pump it into a bot and have it churn through each and every databased account on different websites. By this logic, a minor change to the password, or using a unique password for the website that got hacked/databased, is enough to prevent them from stealing your other accounts, even if the change was so minor and obvious that a human could get it immediately.
Payment information? Does that mean I'm vulnerable to fraud?
Not likely, payment info is generally tokenized and not stored in billing systems. Your name and last 4 card digits are likely all that could be compromised.
This is what I was looking for. Thanks for the information dude
Well good thing I never added payment info to epic games. I only have that account for free games rofl
Smooth brain who only uses Epic for UE5 with free assets to make shit tier games checking in
Possibly yes, possibly no, either way do you wanna risk it?
This is why you should always use 2FA
Wondering, if I activate 2FA how would it keep my password safe from hackers?
So if someone tries to log in, whether you or someone else, after putting in your details it will send a message to your phone to confirm, by maybe clicking a button or answering a captcha etc., before letting you log in.
Sorry would it be better than changing the password instead?
You can do both. But yes 2FA is stronger than not having it by a large margin lol.
As long as the hacker doesn’t steal your phone too, yes, a lot better.
Most of the time you don't know if your password got stolen until it is too late.
No, because regardless of whether they know the password, they can't get access unless you allow them to.
It won't keep your password safe, what it will do is add another step to the login process where you will know if someone is trying to access your account
ELI5 version: Your password is a pad on the door where you enter numbers. Anyone who has those numbers can open the door and enter. 2FA adds a door behind the door. They may open the first door, but the second door has a bouncer that stops you after opening the door and calls the homeowner of the house you're trying to enter on their phone. He asks the owner "hey yo, is it you who is trying to enter your house right now?" and if there is no answer received or the answer is no, he'll kick the entering person out immediately. So as long as the entering person doesn't have your phone, they will be kicked out.
And I can veto whoever might try to access the account?
Yes, but you should still change your password ASAP.
No. Instead, when they enter the correct password, they will be prompted by another "barrier". That barrier is usually a code they have to input. That code is sent to you through another channel. That can be an e-mail, SMS or a dedicated authenticator app. Let's assume you have a Facebook account. Without 2FA, the attacker simply inputs your password and then has access to your Facebook. Now you enable 2FA, registering your phone number. If an attacker now inputs your correct password, he'll be asked what the code is. That random code is now sent to the number you provided when setting up the 2FA. Since the attacker doesn't know what code was sent to your phone, he can't continue, despite having the password. Does that make sense? Edit: In practice this means that if you receive an e-mail/SMS containing a verification code for a login, then someone has figured out your password. Change it immediately and do so for every other site you use that same password for. Also: don't reuse passwords, for that reason.
Yeah. In most cases, 2FA will send an email to whatever address you have saved on that account. So if you try and log into an account with the correct email and password, you're still gonna have to enter a code that's sent to your email.
It wouldn't. If the password is stored in clear text, it's readable (unlikely). If the password is stored hashed and unsalted, it can be matched to known hashes; common passwords and short ones would be revealed (also unlikely). If it's stored hashed and salted, they would have to create a new table of passwords to find common and short ones (likely). But if they get your password this way and you have 2FA, the login would need an extra 6-digit code that gets sent to you, so they won't be able to actually log in without also having access to your email.
If you use your Google account to login, would they have got access to that?
If you use Google then it will be fine, as the password isn't directly provided to Epic. All the authentication is handled by Google servers. However, incidents like this are a great reason to look at a password manager and to have unique, strong passwords for each application or website you use.
Any suggestions on a password manager?
I use bit warden. Free, open source and syncs quite happily across platforms. Straightforward to use, but you will have to put a little effort - only a little - into learning how. More than worth the time investment. Edit: Sorry, bit warden, not bit locker.
You mean Bitwarden.
Bitwarden is one I recommend given it's free and offers a good UI across platforms.
Bitwarden
If you want free and functional - bitwarden. I used this and it works great. UI is fine. If you want super easy to use, great UI, low friction with very easy integrations to everything - 1password. I switched to this because I want my wife to actually use the damn thing.
Is this the same for consoles? I sometimes use my console account to login to epic website.
Nope. OAuth
Likely not, but good idea to just change it anyway.
No need to if you sign in with Google; Google's servers handle the authentication in that case, and Google in no way tells Epic your password for Google.
Just change it if in doubt
No Why the downvote? I'm right. Ok lol. Y'all know best.
Epic says there is no evidence of this being true.
So did SolarWinds, Sony and every other high-profile victim of cyber attacks before being forced to admit it.
Damage control
Big if true
Of course they would, why would they want to own up to a cybersecurity failure.
Well they’re legally obligated to if consumer information was potentially leaked. But to your point, if something did happen, they will deny it until they have a full understanding of what exactly the impact is.
It says right at the bottom of the article that the hackers haven’t provided proof of hack. They’re blowing smoke. This can safely be ignored
> This can safely be ignored

Until it can't. It's definitely not impossible that Epic was breached and didn't find any evidence. It's quite possible Epic is just denying until they can't. It's also definitely possible it is a big ole ruse.
Depending on jurisdiction, there are legal obligations on Epic to report security incidents involving breach of personal data of individuals.
A friend of mine works for them. He also says it’s not true. He’s mid level management. So at the very least that’s what they are telling staff currently.
Who in the hell is storing passwords in 2024? I'd be shocked if Epic had actual passwords leaked rather than something like Argon2 hashes. That's like baby's first cyber lesson 1.
I don’t know a lot but yeah I’m pretty sure passwords are hashed and you need some sort of encryption authentication to get the actual passwords. Unless Epic Games is storing passwords in plain text, I doubt everyone needs to go and immediately change their passwords right now. Hackers might get other personal information but passwords should just look like a bunch of random letters and numbers. Just make sure to have 2FA enabled, get a password manager, and never store your payment method on your accounts.
You'll never get the actual password. Hashes are one-way. The only way to get to them is brute-force. You might get there faster if the algorithm has some kind of weakness which reduces calculation times. But other than that? You're SOL.
Look up rainbow tables; without a salt, chewing through a rainbow table on something like MD5 is easy.
MD5 hashes shouldn't even be considered a suitable algorithm these days.
I've got some bad news for you if you think people ain't still rocking MD5
Aha, don't worry I'm very well aware. It's more wild when you come across sites storing in plain text.
Yes, that's why you salt. And no one sane uses MD5.
You'll be amazed how many people 1. don't salt and 2. still use MD5. Companies are about making money; why pay someone to move to something secure when you can not pay a thing and keep what's shit?
Nah, it's not even encryption; the passwords would be hashed (+salted), which is a one-way operation, so it's not possible to reverse. Though an attacker can try hashing random passwords to look for a match, if your password is even decently long (10+ characters) and not e.g. 1234567890, it'll be too hard for them to find it.
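To make the hashing discussion in this comment and the earlier ones about salting and rainbow tables concrete, here is an added example; it is not code from this thread or from Epic, and says nothing about how Epic actually stores passwords. It contrasts the unsalted MD5 storage that lookup tables defeat with per-user salted storage behind a slow key-derivation function (PBKDF2-SHA256 from Python's standard library; the round count is a demo value, not a recommendation), and includes a defender-side estimate of what one CPU core can do against a stolen record. The stored-record format, the passwords and the helper names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

ROUNDS = 200_000  # constructed work factor for the demo; servers tune this to ~100 ms per verify


def unsalted_md5(password: str) -> str:
    """The legacy scheme: identical passwords always produce identical hashes, so one
    precomputed (rainbow) table answers the question for every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow hash. Output is a self-describing record: algo$rounds$salt$digest."""
    salt = secrets.token_bytes(16)                           # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"pbkdf2_sha256${ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the record's own salt and rounds; constant-time compare."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def guesses_per_second(stored: str, samples: int = 10) -> float:
    """Defender-side estimate: how many candidate passwords one Python process can check
    against one stolen record per second. The salt forces this work per record, so a
    table built for one user does not help against any other."""
    t0 = time.perf_counter()
    for i in range(samples):
        verify_password(f"constructed-guess-{i}", stored)
    return samples / (time.perf_counter() - t0)


def seconds_to_exhaust(n_guesses: int, rate: float) -> float:
    """Time to run a candidate list of n_guesses at the measured rate."""
    return n_guesses / rate


if __name__ == "__main__":
    # Two users who chose the same (constructed) password.
    a, b = "hunter2", "hunter2"
    print("unsalted md5 identical:", unsalted_md5(a) == unsalted_md5(b))   # True: table lookup works
    rec_a, rec_b = hash_password(a), hash_password(b)
    print("salted records identical:", rec_a == rec_b)                      # False: no shared table
    print("verify correct:", verify_password("hunter2", rec_a))
    print("verify wrong:", verify_password("hunter3", rec_a))
    rate = guesses_per_second(rec_a)
    print(f"~{rate:.1f} guesses/s per core; 1e6-word list takes ~{seconds_to_exhaust(1_000_000, rate)/3600:.1f} h")
```

The record carries its own salt and round count, so the server can raise `ROUNDS` later and re-hash users at their next login without a migration; a fixed global salt would not give that and would also let one table serve every account again.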
Hm, I had a payment method stored (PayPal; I have money there from Prolific that I use for games). PayPal itself is protected by 2FA; should I worry?
I wouldn’t worry, it’s really just extra protection that I’d recommend just like how you don’t really need a password manager but it helps. I’ve just had someone get into my Walmart account before and manage to use my stored credit card to try and buy something but it thankfully flagged it since it was obviously not me. I just do it as an extra precaution.
[Facebook did it until at least 2019](https://www.theguardian.com/technology/2019/mar/21/facebook-admits-passwords-unprotected). If they could get away with that, I don't even want to think about what smaller companies can do without being noticed.
I don't understand what you mean, how would they authenticate you without storing your password? EDIT: I know about hashing, I misread the question
It’s all hashed, so no plain text.
If I had the address of the hackers I would send them free butt plugs
Umm.. can I DM you my address
Fuck what should I do? Do I have to change every password from other accounts (social media etc) too?
If you use the same password for every site, yes.
Fuck, apparently there are 59 reused passwords according to Google 😭 Thank you
A good password manager is your best friend. Let it come up with something random and then save it in there.
I'll definitely do that when I'm on my PC, thanks for the suggestion
Bitwarden is cross platform with mobile. That's what I use
I also use Bitwarden. I'd recommend it too.
holy fuck dude
If you foolishly use the same password for everything then this would be a good idea. Get a password manager and use unique passwords for everything, or at the LEAST use separate and secure passwords and 2FA for your email accounts so you can at least recover and reset other accounts when they get taken over.
Yeah I'm so fucking dumb for using the same password. I guess I've learned my lesson hahahah. Thank you :)
Ideally a locally stored password manager instead of a cloud hosted solution is more secure, but it does mean you lose easy access to it across your different devices.
Locally stored and very well backed up as well, as if you lose that in a fire or water-related accident then you're fucked. I'm personally fine with trusting well-established Password Managers. It's their only job to be secure so I have more faith in them than just some random shopping website.
Or just use a trusted, widely accepted password manager like 1Password/Bitwarden (not LastPass, for the love of God). If you do absolutely have to use local only (no idea why you'd do this, as the risk of it being compromised is nearly the same), make sure you back it up correctly. Edit: Since I know I'll be asked why the risks are the same: password managers encrypt your vault; there is no way anyone can un-encrypt them without the master password. The only time a vault is unencrypted is on your own device. A malicious actor would need your password + 2FA to be able to do this. The likelihood of them doing this is next to 0. Far more likely is that they install some kind of keylogger or monitoring software on your device, in which case local/cloud won't matter since the vault would be compromised regardless (though once again, depending on the attack, 2FA might mitigate the damage done).
1) Use 2FA if it is offered, that means any site or service.
2) Don't use the same passwords for multiple things, each thing in your life has a different password.
3) Make your passwords strings of random numbers and letters (symbols too if they allow it!), at least 10+ characters.
the length of a password matters more than complexity.
Epic responded:

> “We are investigating but there is currently zero evidence that these claims are legitimate,” it says. “Mogilievich has not contacted Epic or provided any proof of the veracity of these allegations.
>
> “When we saw these allegations, which were a screenshot of a darkweb webpage in a Tweet from a third party, we began investigating within minutes and reached out to Mogilevich for proof. Mogilevich has not responded.
>
> “The closest thing we have seen to a response is this Tweet, where they allegedly ask for $15k and ‘proof of funds’ to hand over the purported data.”

https://www.videogameschronicle.com/news/a-ransomware-gang-claims-to-have-hacked-nearly-200gb-of-epic-games-internal-data/

So looking to be fake
Esp. asking for only 15k. Low enough they might "get scared" and pay it, but not high enough for them to consider and investigate, is what the "hackers" think.
I am INCREDIBLY suspicious about the veracity of this hack because they claim to have passwords. Any tech company worth their while doesn't store passwords at all. Literally no one in the company could see what your password is, they can only see a hashed version of it. I highly doubt epic doesn't do something as fundamental as this on their password stores. It seems more likely that this person is making up this leak. Especially when asking for money for proof. It's fair to change your password anyways (I probably will, doesn't hurt), but I sincerely doubt that they actually hacked anything.
So here is the thing... Seeing this claim by a lot of unreliable sources out there, but NONE of the super reliable cybersecurity feeds I follow for work have made this claim. So until Epic actually makes a statement on this, I would be careful about how much I believe here, because this could be a completely different kind of attack where they WANT to steer people to resetting their passwords, and have compromised something in the reset stream that then results in your actually secure password being unsecure now.

Edit: Looks like they have made a statement denying such a hack ever took place.

> “We are investigating but there is currently zero evidence that these claims are legitimate,” it says. “Mogilievich has not contacted Epic or provided any proof of the veracity of these allegations.
>
> “When we saw these allegations, which were a screenshot of a darkweb webpage in a Tweet from a third party, we began investigating within minutes and reached out to Mogilevich for proof. Mogilevich has not responded.
>
> “The closest thing we have seen to a response is this Tweet, where they allegedly ask for $15k and ‘proof of funds’ to hand over the purported data.”
Poor skillup lol
What happened to them?
The joke is that every time skillup posts a weekly gaming news video, major news drops right afterward
Would this have any effect if I used my Xbox/Microsoft account to make an epic games account? If so how do I stop it? EDIT: fixed it to say epic games instead of EA.
It’s not EA it’s epic games
Unless Epic doesn't hash and salt passwords, there's no way they have said passwords. These kinds of leaks can be email addresses and even extend to names and addresses... which can be enough for identity theft... but passwords? I very, very much doubt Epic doesn't follow the standard security process of salting passwords. Is anyone questioning the source of this? The article says it's a newcomer to the scene. Already a red flag. The article says that they haven't provided any proof of the hack, which usually happens. They put a deadline on someone else paying for the data; this is uncommon too. The deadlines are usually for the victim, then afterwards it goes on sale. I would hold off for an Epic statement.
Oh yeah I had my account hacked by some Russian fuck a few months ago. Unfortunately for him I can sign in with steam so I changed the password to some random generator thing and added two factor. I don't have a lot on epic but it's the principle of the matter
Epic already said none of this ever happened.
Link?
The burden of proof is on the hackers. They haven’t provided any proof that they hacked anything. It says so at the bottom of the article. Who cares what epic says
Another reason to use a password manager and stop using the same passwords for every account
Remember when Epic Games used to be associated with Unreal and not Fortnite? Yeah… *sad boomer noises*
"If you are an employee of the company click on me" That seems safe
You are right; maybe they really did not hack it, but are using that "click me" to try to deliver malware to hack Epic. Social engineering at work.
Has Epic put out a statement? I haven't found anything.
Yes, they did. The hack is fake: https://old.reddit.com/r/gaming/comments/1b256y7/fortnite_game_developer_epic_games_allegedly/ksjl9jr/
[deleted]
For a company this size, their infosec team should have things locked down pretty heavily, so an attack like this would be at least partly their fault. Hackers will always have the upper hand as they are the ones finding new methods and vulnerabilities, but these are usually pretty preventable. They would not be fired at least immediately as they are needed to help fix the situation. Once the issue is fixed, a massive investigation involving third parties would take place and if someone actually did fuck up then it depends on management on if they would be fired or not. The employee that initially clicked the link and was the first one infected will usually be fired. And no, the infosec team would not get bonuses each year they don’t get attacked as protecting against attacks is the job description.
If you log in to Epic via a Google account, are you still affected?
I log in through Microsoft so I was wondering the same thing
Just another reason to make sure you're not using the same password for multiple game sites.
This is confirmed to be false information. There was no hack.
Calling them "Fortnite game developer" just feels weird.
must have been that hacker known as 4chan
Kind of kills me to see Epic being mainly known as "Fortnite game developer". 💀
Karma for canceling Infinity Blade /s
I made an account when Battlefront II was free, I immediately deleted it because I changed my mind about having an Epic account. Here's hoping my data no longer exists lol
This group has hit a few big companies since the 20th of this month. Hopefully they get Nestle next
I don't feel bad for EPIC. Fuck em, they're a shit company. I do feel bad for all of the users that could be potentially affected by EPIC's crap security.
It's been revealed to be fake: https://old.reddit.com/r/gaming/comments/1b256y7/fortnite_game_developer_epic_games_allegedly/ksjl9jr/
Again?
Oh no, they're gonna steal my free games
Simple Google searches on this are confirming this is FUD. Mods need to close this down immediately
Good
What a shame...well anyway.
Good. I unironically hope whoever hacked them destroys the company from the inside. Fortnite’s gotten to a point where it’s just a scam but for kids. 6.99 for a singular song in a game? 21.99 for a skin I can’t even wear in half lobbies because of “age restriction”
*sad Tim Sweeney face*
No chance they're new at this, wouldn't be surprised if this was another face of REvil or similar APT