EA’s Source: It’s in the Game (and in Hackers’ Hands)

Electronic Arts got hacked and its source code stolen. Hackers took hundreds of gigabytes of game source code and tools—including internals of FIFA 21 and Battlefield.

But it’s not a ransomware thing, EA confirms. At least not in the conventional sense of criminals encrypting all the data in the hope of a fat payday.

So what is it? In today’s SB Blogwatch, we push a secret button sequence to find out.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: It’s in the game.

Or, Go Outside for a Walk

What’s the craic? Joseph Cox reports—“Hackers Steal Wealth of Data from Game Giant”:

780 GB of data
Hackers have broken into gaming giant Electronic Arts, the publisher of Battlefield, FIFA, and The Sims, and stole a wealth of game source code and related internal tools. [They] said they have taken the source code for FIFA 21, as well as code for its matchmaking server. The hackers also said they have obtained source code and tools for the Frostbite engine, which powers a number of EA games including Battlefield.

The hackers say they have 780 GB of data, and are advertising it for sale in various underground hacking forum posts. … An EA spokesperson [said], “We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen. … We have no reason to believe there is any risk to player privacy.”

Sounds like yet another ransomware event. Cecilia D’Anastasio says no—“Hackers Stole a Ton of EA Data”:

Used for evil
EA has confirmed [to me] that it did not involve ransomware. … While ransomware has been the dominant theme of recent high-profile hacks, video game source code is a big-money commodity in and of itself, especially for cheat-makers.

Source code is an attractive target for hackers because it describes exactly how the sausage is made—why pushing this button disables that trap, or exactly where on an opponent’s head your bullet must land for optimal damage. … Popular cheats are often designed by injecting bits of the original game source code into another piece of software.

Not all leaked source code is used for evil. … Another use for this source code is modding. Designing tools and fan-made content is easier when fans don’t have to reverse-engineer games’ code.

So it’s extortion? jhodge is troubled by this unwelcome development:

Troubling and unwelcome
The transition from ransomware (we’ve got your data — pay up if you want it back) to extortionware (we have your really sensitive data — pay up or we publish) is a troubling and unwelcome development. At least “traditional” ransomsware could be combated with good DR practices.

What do the crims want? Corey Quinn—@QuinnyPig—grunts thuswise:

Bitcoin
The hackers are offering their data back for 10 bitcoin for the first 20 GB, then a smaller amount for each additional file.

Okay but aside from the actual breach, where’s the security angle? MIBMA’s interested to know more, really:

Serious security implications
I’m really interested to know more about the actual effect this will have on EA. Because other than the problems with potential cheats and bots, there’s not much anyone can do. No one will use closed source engine for developing a game. … Maybe the only other problem … is if there are many exploits that can lead to serious security implications.

And it’s partly EA’s fault—or so suso says: [You’re fired—Ed.]

Exploits galore
Another good reason not to run games that require you to run them as [Admin], because eventually their code may be compromised and exploits galore over the network. Currently, there are a handful of games that require you to run (not just install) them as [Admin].

Good job there was no personal data stolen. EA will be worried about that, thinks mikecee:

Much more sensitive
I don’t think EA will be too bothered about the actual game-related source code and data — it’s not like any of their legitimate rivals can really use it. It’s serious poison. And any company that operates in a country where EA can’t enforce copyright … can already make crappy knockoff games.

However, personal data relating to employees, customers, or (worse) emails indicating things like anti-competitive behaviour … plus data that would help further attacks … is much more sensitive. That’s what they’ll really be *****ing themselves about.

But what could EA have done better? The incredible incrudible lives in the real world:

Just not worth it
Ultimately, there is no protection against this. … Realistically, what are you going to do to protect against this?

Your developers/artists are going to use Windows machines, they’re going to need access to the source code and access to the internet. Add in a 0-day and that’s all the the ingredients to allow for exfiltration of data.

Of course you can make your employees’ lives worse by siloing them off, enforcing all sorts of security policies and so on. It’s just not worth it.

Meanwhile, Callum Jones—@callumj—snarks it up:

Overpriced
Now you too can learn how to make subpar games with overpriced micro-transactions.

And Finally:

Old MacDonald gets Rickrolled

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: @jeshoots (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 590 posts and counting.See all posts by richi