EA knew about Critical Vulnerabilities before the Attack

A researcher provided a PoC exploit for the attack; Electronic Arts confirmed receipt but did not fix the vulnerability.

The data leak revealed by the American video game publisher Electronic Arts this month could be much more serious than previously thought. This is not about the scale of the incident, but about the fact that a company can easily ignore the security threats that it knows about and not prevent cyberattacks.

You may remember that a few weeks ago messages appeared on hacker forums about the theft from Electronic Arts of about 780 GB of source code, proprietary frameworks, development tools (SDK) and engines. All stolen data, including access to FIFA 21 servers, FIFA 22 API keys and some SDKs for Microsoft Xbox and Sony, has been put up for sale.

The company began its investigation of the incident, and the leak itself was limited to only a small amount of source code and related tools. Player data was not affected, and "there is no reason to think that the privacy of the players is in any way threatened," Electronic Arts assured. Nevertheless, according to information security experts, the incident could and should have been prevented.

Ori Engelberg, the co-founder of the Israeli information security company Cyberpion, told ZDNet that last year he and his colleagues warned the video game manufacturer about several security problems (in particular, incorrect DNS settings that allowed attackers to gain control over domains). In December 2020, Cyberpion provided Electronic Arts with a PoC exploit for the attack. The video game manufacturer confirmed its receipt and promised to contact information security companies in case of any questions, but did not do so. The vulnerabilities were also left unpatched.

Engelberg said that attackers can use the stolen domains to send users emails on behalf of Electronic Arts and ask them for account information or other sensitive data. The company already faced backlash last week after it emerged that a chain of vulnerabilities could have allowed attackers to gain access to personal information and take control of player accounts.