Epic Games finds itself facing a proposed class action lawsuit over a sizeable data breach during which the information of approximately 200 million Fortnite players was reportedly exposed.
Filed in North Carolina district court, the case revolves around Epic’s January 16, 2019 announcement that Fortnite players’ personally identifiable information had been involved in a security breach. To date, the lawsuit says, Epic Games has not directly informed or notified Fortnite players that their account information may have been compromised in the breach, nor has the game developer disclosed the time frame in which the hack reportedly took place or how many accounts may have been compromised.
Epic Games became aware of the incident when cybersecurity firm Check Point Software Technologies uncovered vulnerabilities in Fortnite’s web infrastructure and informed the company in November 2018, according to the complaint. The lawsuit says Fortnite’s vulnerabilities stemmed from the game’s single sign-on setup, which allows users to log into multiple services with one third-party account. Once logged in with a third-party account, players, the suit says, can access their Fortnite account by requesting that the third-party account, such as Epic Games, Xbox or Google, send an “access token” to Fortnite.
The complaint charges that the breach resulted from Epic Games’ failure to maintain adequate security measures, and argues Fortnite players have been ascertainably injured in that their credit and/or debit card information linked to their game accounts was stolen “as a result of the defendant’s failures.”
“Hackers used this information to purchase in-game Fortnite currency without the permission of account holders, including Plaintiff,” the suit says.
According to the complaint, some stolen Fortnite accounts, once loaded up with in-game currency, were sold on third-party websites and the dark web.
The suit looks to cover a proposed class of all individuals in the United States who registered for Epic Games accounts and whose personally identifiable information was “accessed, compromised, or stolen” from Epic Games in the data breach. The case similarly looks to cover a Missouri-only class of individuals with Epic Games accounts and whose information was accessed, compromised or stolen during the data breach.