in Newswire Published on May 3, 2019

Class Action Removed to IL District Court Chides Epic Games Over Alleged ‘Fortnite’ Cybersecurity Vulnerabilities

by Corrado Rizzi

View Comments

Krohm v. Epic Games, Inc.

Filed: April 8, 2019 § 5:19-cv-00173

Read Complaint

Fortnite developer Epic Games faces a proposed class action filed over a cybersecurity vulnerability that exposed players' personal and payment card information.

Defendant(s)

Epic Games, Inc.

Law(s)

State(s)

Illinois

Categories

Privacy Data Breach

A proposed class action outlines allegations that Epic Games is responsible for a “catastrophic” cybersecurity vulnerability reportedly affecting its Fortnite video game.

The lawsuit, filed on February 15 and removed from Illinois circuit to district court on April 8, says that Epic Games, around or before November 2018, became aware of a cybersecurity vulnerability in Fortnite that allowed unauthorized third parties to hijack players’ accounts and access credit card details and other personally identifiable information. Bad actors were allegedly able to access Fortnite players’ identifiable information through what the case calls “security token jacking,” which was only possible due to Epic Games’ apparent failure to have in place rudimentary security measures:

“The Vulnerability existed because Defendant failed to implement a basic precautionary technical measure that would have prevented unauthorized third-parties the ability to retrieve and reuse the ‘security tokens’ associated with Plaintiff’s and other user’s accounts. Once armed with the security token for a given account, a hacker is able to access and utilize every feature of such account, including the ability to make purchases of Defendant’s Vbucks currency using the account Payment Information.
Such security-token-jacking schemes are increasingly common, and any reasonably-robust cybersecurity and information technology regime must account for the ultimate disposition, including reusability, of security tokens. Defendant has failed in this regard.” 

Once in possession of a player’s payment data, the case says, a cybercriminal can then make in-game purchases of Fortnite’s “Vbucks” in-game currency, which can then be sold on the secondary black market. As the 34-page suit tells it, “Vbucks” currency is particularly lucrative for cybercriminals. 

Moreover, the alleged cybersecurity vulnerability allows unauthorized individuals to secretly listen in on conversations between Fortnite players, including between those who are minors. For its part, Epic Games, the lawsuit says, failed to implement basic security measures—as well as remedy the issue in a timely fashion—that could have prevented, or at least mitigated, the damage of the security vulnerability.

Case Spotlight

Hair Relaxer Lawsuits

Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.

Read more here: Hair Relaxer Cancer Lawsuits

ClassAction.org Newsletter

Stay Current

Sign Up For
Our Newsletter

New cases and investigations, settlement deadlines, and news straight to your inbox.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on May 3, 2019 — 2:07 PM

Corrado Rizzi

corrado@classaction.org

Corrado Rizzi is the Senior Managing Editor of ClassAction.org.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.