Millions of Fortnite Users Were Vulnerable to Hacking, Researchers Say

Epic Games confirmed that it had patched the bug

A bug in the game’s log-in system allowed attackers to gain access to unsuspecting users’ accounts if they clicked a phishing link sent in a message on the platform. Epic Games

Millions of players of the hit online game Fortnite may have been vulnerable to a security breach that gave hackers access into user accounts, security researchers said on Wednesday.

A bug in the game’s log-in system allowed attackers to gain access to unsuspecting users’ accounts if they clicked a phishing link sent in a message on the platform, researchers for the information security company Check Point Research said this week. If players clicked the link, attackers would have been able to access account log-in credentials, which could then be used to gain access to user accounts.

In a detailed post and accompanying video explaining the vulnerability, researchers for the Tel Aviv-based security company said the bug would have allowed bad actors to do anything that a logged-in player might be able to do, like chat with other players, purchase virtual in-game currency using saved credit card information or view the personal information of the account holder.

Epic Games, the company that develops the battle royale game that’s become an obsession for millions of kids, teens and adults, confirmed that it had patched the bug.

“We were made aware of the vulnerabilities and they were soon addressed,” a spokesperson for Epic Games said in an emailed statement. “We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not reusing passwords and using strong passwords, and not sharing account information with others.”

According to Check Point, researchers were first made aware of a possible vulnerability on the Fortnite platform in the fall of 2018. After confirming the existence of the bug, researchers reached out to Epic Games in mid-November to tell them about the vulnerability. Epic Games didn’t directly report back to Check Point, but the researchers said they believe the bug was patched sometime in December.

Fortnite—which Adweek named to its annual Hot List for its unprecedented success—is one of the most popular game franchises in video game history, with about 80 million monthly players and more than 200 registered accounts. Researchers said they had no proof that the vulnerability had been exploited, and an Epic Games spokesperson declined to provide more information. It’s unclear exactly how many accounts, if any, were accessed by hackers.

Eran Vaknin, a security expert at Check Point, said users should watch out for warning signs like no longer being able to access their account, account information changing without their knowledge or unusual credit card transactions from the game.

“Fortnite players who have an account should implement a two-factor authentication mechanism to secure [their accounts] from account takeover vulnerabilities,” Vaknin continued.

Vaknin also recommended Epic Games implement updated security protocols “and perform full application testing from time to time” to proactively catch vulnerabilities before they could be exploited.

This isn’t the first time that Fortnite players were vulnerable to hacking. Kotaku reported in March 2018 that a few dozen players of the game said that hackers had gotten into their accounts and made fraudulent charges. Epic Games issued refunds for players and rolled out two-factor authentication for account holders.

The vulnerability is just the latest example of a security bug that could have compromised U.S. consumers’ personal information. Within the last year, companies from Facebook to Marriot have reported data breaches and vulnerabilities. On Thursday, a security researcher found that a massive cache of more than 770 million email addresses and passwords was uploaded to a hacker forum in December, constituting one of the largest single collections of stolen information to date.

@kelseymsutton Kelsey Sutton is the streaming editor at Adweek, where she covers the business of streaming television.