Epic games, developer of Fortnite, has become the target of a class-action lawsuit due to security breaches of Epic Games accounts.
Earlier this year, a Fornite bug exposed personal user information for millions of players through an exploit in some of Epic's subdomains. At the time, Epic acknowledged the breach, and patched it out of Fortnite. It’s worth noting this is different from the Epic Store account issues in April which came from phishing scams.
However, according to the lawsuit, which over 100 folks have already jumped onto, Epic didn’t do a good enough job of informing the individual users about the security breaches in their accounts. Any users whose personal information may have leaked still don’t know for sure if they should worry.
The security breach happened in January, and due to Fortnite's prominence on mobile devices, the breach went a bit further than simply giving out user information. Check Point Research did an entire write up on the incident, and broke down how the hackers could get access to the data.
According to the site, the game featured multiple vulnerabilities at the time of the breach. Not only could someone login to an account and access user information, they could also potentially make in-game purchases through the account and even eavesdrop on player’s in-game conversations and background home conversations. This creates multiple layers of opportunity for nefarious sorts to obtain sensitive information about Fortnite players, many of whom are young teens.
Epic responded quickly to these issues back in January. Check Point Research informed the company of the breach before they published the breakdown of how it worked. But once the breach got patched, it ended there. Epic made a public statement about the vulnerability, but didn’t take any noticeable measures to figure out who the breach included and to notify them about having a possibly compromised account.
These kinds of vulnerabilities happen often in the games industry. Developers don't always have the time and the tools it takes to test the infrastructure of their account systems. Even if they do, these kinds of holes can be difficult to track down and patch. If the developers can’t uncover these things consistently before they happen, it stands to reason they should have a responsibility to keep their customers informed. Especially with an install-base as large as Fortnite's.
The lawsuit, filed by Franklin D. Azar & Associates, has just gotten going. Neither Epic nor the firm have made any official comments.
Fortnite is out now in early access for Android, iOS, PC, PS4, Switch, and Xbox One.
Sources: Polygon, Check Point Research