EA Acknowledges Breach; Says Game Source Code StolenAttackers Put 750GB of Gaming and Company Data Up for Sale
Electronic Arts has acknowledged that a threat actor has breached the gaming giant, and the attacker has posted a huge swath of gaming and corporate data for sale on the publicly accessible leak site RaidForums.
"We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen," Electronic Arts says in a statement to Information Security Media Group.
The RaidForums advertisement was posted on June 6 by a member named "Leakbook," according to a link sent to Information Security Media Group. The ad offers 780GB of data that includes EA's FIFA 21 matchmaking server, FIFA 22 API keys, and some software development kit - SDK - tools, source code and debugging tools for FrostBite (the engine that powers several EA games), the frameworks and SDKs for many proprietary EA games, Xbox and Sony's private SDK and API key.
"You have the full capability of exploiting all EA services," the ad promises to any prospective buyers.
The attacker has taken out similar advertisements on various darknet marketplaces, reports Bleeping Computer.
The company did not say how the attackers gained access to the data or if the attackers gave EA an opportunity to pay a ransom to stop the content from being made public.
"No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we've already made security improvements and do not expect an impact on our games or our business," EA says. "We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation."
The company claims 450 million registered players worldwide and posted net revenue of $5.5 billion for 2020.
Saryu Nayyar, CEO of Gurucul, notes that EA could be in deep trouble if hackers did exfiltrate this type of data. She says if the company's IP and game source code is bought and made public, there is no way to tell how EA will ultimately be affected by the breach.
Selling exfiltrated data is the latest go-to move in the malicious actor's toolbox, but in most cases, the attacker makes the data public only after the victim refuses to pay a ransom.
The Babuk ransomware gang posted 250 GB of data purportedly taken from the Washington, D.C. Metropolitan Police Department during an April attack after the police refused to pay.
In the past few weeks, two large corporations paid millions to ransomware attackers to help not only get their systems back online, but to halt the spread of any information that may have been removed.