A proposed class action outlines allegations that Epic Games is responsible for a “catastrophic” cybersecurity vulnerability reportedly affecting its Fortnite video game.
The lawsuit, filed on February 15 and removed from Illinois circuit to district court on April 8, says that Epic Games, around or before November 2018, became aware of a cybersecurity vulnerability in Fortnite that allowed unauthorized third parties to hijack players’ accounts and access credit card details and other personally identifiable information. Bad actors were allegedly able to access Fortnite players’ identifiable information through what the case calls “security token jacking,” which was only possible due to Epic Games’ apparent failure to have in place rudimentary security measures:
“The Vulnerability existed because Defendant failed to implement a basic precautionary technical measure that would have prevented unauthorized third-parties the ability to retrieve and reuse the ‘security tokens’ associated with Plaintiff’s and other user’s accounts. Once armed with the security token for a given account, a hacker is able to access and utilize every feature of such account, including the ability to make purchases of Defendant’s Vbucks currency using the account Payment Information.
Such security-token-jacking schemes are increasingly common, and any reasonably-robust cybersecurity and information technology regime must account for the ultimate disposition, including reusability, of security tokens. Defendant has failed in this regard.”
Once in possession of a player’s payment data, the case says, a cybercriminal can purchase Fortnite’s “Vbucks” in-game currency, which can then be sold on the secondary black market. As the 34-page suit tells it, “Vbucks” currency is particularly lucrative for cybercriminals.
Moreover, the alleged cybersecurity vulnerability allows unauthorized individuals to secretly listen in on conversations between Fortnite players, including minors. For its part, Epic Games, the lawsuit says, failed to implement basic security measures and to remedy the issue in a timely fashion, steps that could have prevented, or at least mitigated, the damage of the security vulnerability.