MAJOR Security Compromise Issue!

Since the staff pulled out of Discord recently I felt it necessary to post this here so that they can become aware of this.

reported on Discord the other day that his account was compromised, and that his payout information was changed. He initially assumed he was the victim of hacking, but today informs us that it was Epic who granted this individual control over his account. According to him, someone asked Epic support to change the email address of his account and then proceeded to modify his account details. This is a SERIOUS offense, as the seller portal they were able to gain access to contains our banking, tax and address information.

And if that isn’t troubling enough, my question is how did Epic allow a total stranger to change his email to theirs through support without going through any verification of identity? He was only alerted to it after seeing Epic emails claiming to have completed his requests - when he made none. It cannot be overstated how serious this is, to allow someone access to sensitive personal information like this. On a somewhat related note, just the other day it was reported that the May Day sale email didn’t BCC the recipient list, and apparently everyone who received the email had their address revealed. I personally didn’t see this on my end, but several others have confirmed it on theirs.

Something needs to be done to protect user accounts better than they are right now, especially seller accounts as they contain very sensitive information. This is completely unacceptable.

Here are screengrabs of the discord conversations for reference:


This is definitely troubling. I can also confirm that the emails of those in the May Flash sale were revealed.

Another thing, TWO-FACTOR AUTHENTICATION. Why is part of my livelihood only able to be protected by a password? Especially with the security breach the forums had not too long ago?

This is not good, there should be a better verification process in place.

just… wow.

Posting a link in the moderation forum to bring this to attention quickly.

I agree that two-step verification should be added as a priority if possible, it’s far too easy to brute force into an email account these days.

[QUOTE=;706421]
Posting a link in the moderation forum to bring this to attention quickly.

I agree that two-step verification should be added as a priority if possible, it’s far too easy to brute force into an email account these days.
[/QUOTE]

Thanks. Two-step verification can help with logging in, but there also needs to be something done when dealing with support via email. This gentleman’s email wasn’t hacked; this was an error with person-to-person contact that could have been avoided if some basic measures were taken to verify the identity of the individual claiming to be . Whether it’s security questions, text/phone verification, etc.

Hey all, multiple teams at Epic investigating this, will keep you informed with our findings as we get em!

[QUOTE=SE_JonF;706428]
Thanks. Two-step verification can help with logging in, but there also needs to be something done when dealing with support via email. This gentleman’s email wasn’t hacked; this was an error with person-to-person contact that could have been avoided if some basic measures were taken to verify the identity of the individual claiming to be . Whether it’s security questions, text/phone verification, etc.
[/QUOTE]

I’m unsure that this is the case at this point, but we’ll let everyone know what we find out ASAP.

[QUOTE=;706451]
Related to that: one of the less-smart things about Unreal-Slack imo, was that everyone’s email was visible.
WTF???.. When the switch-over to Discord happened, does anyone know if this was ever addressed etc…
BTW: The Roadmap showed discontent with Epic interacting less. So why this: ‘staff pulled out of Discord’?
[/QUOTE]

Both Unrealslackers and the Discord channel are community run by an excellent member of our community. While we have spent time in there in the past (and some of us still chat with devs there :slight_smile: ), it’s not an official channel for support and provided inconsistent experiences with the Epic team and Marketplace vendors.

Why not use tokens for sellers?
Like the blizzard authentication token? What sucks more, getting robbed, or, being the company at fault for someone being robbed?

[QUOTE=;706354]
This is definitely troubling. I can also confirm that the emails of those in the May Flash sale were revealed.

Another thing, TWO-FACTOR AUTHENTICATION. Why is part of my livelihood only able to be protected by a password? Especially with the security breach the forums had not too long ago?
[/QUOTE]

Two factor is the way.

[QUOTE=;706571]
I’m unsure that this is the case at this point, but we’ll let everyone know what we find out ASAP.
[/QUOTE]

<_< like Epic would publicly mention someone just changed someone’s email/login/etc.
Stocks would plummet.

It’s highly disturbing that someone working for Epic would just go along with such a request. Of course, as alluded to, we will never get the full truth from Epic, so it is very important we all keep close eyes on our accounts and take steps to protect ourselves.

A few updates here:

Scope
We believe we’ve tracked this down to a group responsible for collecting and sharing millions of credentials from other sites, which is using that information to gain access to email accounts and other logins when the same username/password is used. Epic accounts have not broadly been compromised, and only a handful of people have been affected at this time.


I stand corrected here. Our accounts team received a request from the email associated with the account and made the change. From what we can gather, that email account was compromised and was able to send that message to us to make the change. We’re investigating what we can do to better verify account holders’ information when these sorts of things are requested; however, no solution is bulletproof when the information is compromised elsewhere and presented to us in a virtual manner. We are, however, looking into what we can do!

**Steps We’re Taking**
Multi-factor authentication is something on our roadmap for logins and is on target to come online sometime this year. Keep an eye out for more updates regarding this.

**Good Practices For Securing Accounts**
We encourage everyone to build unique passwords for each site that you use in the event that data is breached and shared. Also, it’s a great idea to add MFA to any email account associated with other logins in order to mitigate vulnerability.

[QUOTE]
Of course, as alluded to, we will never get the full truth from Epic
[/QUOTE]

We treat situations regarding information and hacking extremely seriously and strive to remain as transparent as possible as we unwrap a situation. This has been the case and will continue to be the case :slight_smile:

Investigation continues!

Hi guys,

Just wanted to mention that this happened to me as well and I am not a Marketplace seller. My account was compromised early Saturday morning and Epic was quick to act, restoring my account by Monday morning. If you have any doubts I recommend you change your password immediately and (if you want to be extra careful), delete your saved CC number for now, just in case.

The folks that accessed my account purchased several assets with my card and then changed the email associated with this account. This was solved quickly by contacting the Epic help email (help@epicgames.com)

I do want to commend the support team for getting this fixed ASAP and hope we can get two-factor authentication soon :slight_smile:

[QUOTE]
Good Practices For Securing Accounts
[/QUOTE]

perhaps in the future also send an additional email/phone-call/dm/pm to users asking for password/account changes until two/three/multi-step auth. is created.
Yes these things can happen, and knowing Murphy things WILL happen.

Thing is, Kotaku, Twitter, and even Facebook (just to name a few) had quite a few mentions about Unity being hacked… if anything this should have been brought up during one of the weekly meets so people can keep an extra eye on things.
This just adds to the overall


imho.

Now, I’m not saying this out of spite… but to point out some common sense.
I mean, it was posted on the forums:

OURMINE Hacks unity forum ... they might be coming here!! - Community & Industry Discussion - Epic Developer Community Forums!!
and no admin around to say “we are aware of this and are doing anything in our power yada yada”

I’d almost wanna bet some money that Epic/Lumberjack might be targeted next (well… if they aren’t being targeted this moment)

Hey, I thought I could chime in, since it’s my post and security breach that caused all this concern.

I have 2 accounts. One using my support email, and another using Gmail. The Gmail was just my personal one I used to log into the launcher; the support one is my seller account with all the important stuff.

Sunday morning at 5:13 I got 2 email chains, one from each account separately, saying this message:

(EDIT) Paraphrasing to avoid Epic’s emails, I was told it was a no-no. ‘They just said my request for email change was completed’.

This apparently was in response to an original message of just:
*(EDIT) Paraphrasing to avoid Epic’s emails, I was told it was a no-no.* ‘Just a case number sent to them’

Both email chains were identical, with the same case#. And one came minutes after the other. And soon after both accounts’ emails were switched, 2 new accounts were made using my support and Gmail.

And in both email chains, the message seems to be just ‘sent’ to my support and Gmail. I checked my Gmail and my hosting email’s sent folder; nothing was sent from my emails as far as I can tell. And if it was, the only thing they messed with was just the Epic account? They could have done a LOT more harm if they had those emails, than just switching my PayPal over. So I don’t know what exactly happened on Epic’s side, but I don’t think it was my email being compromised and making the request. I could be wrong; if so, I’d like to see the emails sent to Epic to confirm that’s the case, and then I’d have a new bag of issues to deal with. haha

The issue was quickly resolved. One purchase was made on the account (and refunded). They switched over my PayPal. Epic froze everything. Remedied the situation. And I’m very grateful to the team at how fast they responded. I do agree, whatever mess led to this could have been avoided with a bit more stringent security policy. I am always in favor of more preventative measures than reactionary ones.

I never meant to throw Epic or anyone under the bus with my post, I just saw some scary stuff going down with OurMine on my account, and knew they hacked into the Unity servers only a week or two ago. So I just wanted to alert everyone of my unfortunate situation and maybe catch the issue early if it was indeed a bigger issue. Which it wasn’t.

[QUOTE=PolyPixel3D;706819]
So I don’t know what exactly happened on Epic’s side, but I don’t think it was my email being compromised and making the request. I could be wrong; if so, I’d like to see the emails sent to Epic to confirm that’s the case, and then I’d have a new bag of issues to deal with. haha
[/QUOTE]

It’s insanely easy to spoof email from addresses, and the various systems that exist to detect this are not universal and are more often geared towards preventing spam and phishing attempts than for customer support security.

A quick look at the email headers should give strong clues about whether the email was actually sent by one of your email account servers or was a simple fake. I hope Epic supports you in getting the answer to this.
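As an added illustration of the header check Steve describes (example code, not from this thread or from Epic): it parses a constructed message whose From: claims the seller's domain while the receiving server's Authentication-Results record SPF and DMARC failures and an envelope sender from a different domain. Every domain, hostname and IP in the sample is a placeholder.

```python
# Added example, not code from the thread: triage the headers of a suspicious
# "change my account email" message to see whether the From: address was
# verified by the receiving mail server or merely asserted by the sender.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; all domains, hosts and IPs are placeholders.
SUSPECT_RAW = """\
Return-Path: <bounce@relay.example.net>
Received: from relay.example.net (relay.example.net [192.0.2.10])
    by mx.support.example.com with ESMTP id abc123
Received: from [203.0.113.7] by relay.example.net with HTTP
Authentication-Results: mx.support.example.com;
    spf=fail smtp.mailfrom=relay.example.net;
    dkim=none;
    dmarc=fail header.from=seller-studio.example
From: Seller <contact@seller-studio.example>
To: support@support.example.com
Subject: Please change the email on my account
"""

def header_authentication(raw):
    """Summarise what the receiving MX recorded about the sender."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Return-Path is the envelope sender; a mismatch with From: is the classic
    # sign of a spoofed or relayed message, and is what SPF alignment checks.
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "envelope_matches_from": rp_domain == from_domain,
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "hops": len(msg.get_all("Received", [])),  # one per relay
    }

def is_authenticated_sender(summary):
    """True only when the From: domain was actually authenticated (DMARC pass,
    or SPF pass on an envelope sender aligned with From:). Anything else means
    the address was asserted, not proven: verify out of band before changing."""
    if summary["dmarc"] == "pass":
        return True
    return summary["spf"] == "pass" and summary["envelope_matches_from"]
```

Support tooling can apply the same rule automatically: any account-change request whose summary fails `is_authenticated_sender` is routed to identity verification rather than actioned from the email.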

[QUOTE=PolyPixel3D;706819]
Hey, I thought I could chime in, since it’s my post and security breach that caused all this concern.

I have 2 accounts. One using my support email, and another using Gmail. The Gmail was just my personal one I used to log into the launcher; the support one is my seller account with all the important stuff.

Sunday morning at 5:13 I got 2 email chains, one from each account separately, saying this message:

*MagicWolf replied:*
Hello ,
Thanks for contacting Epic Games Player Support. Your email address has been updated per your request. Please don’t hesitate to contact us again if you run into any problems or questions.

This apparently was in response to an original message of just:

*Original message*
** ** wrote:

*case number #670365*

Both email chains were identical, with the same case#. And one came minutes after the other. And soon after both accounts’ emails were switched, 2 new accounts were made using my support and Gmail.

And in both email chains, the message seems to be just ‘sent’ to my support and Gmail. I checked my Gmail and my hosting email’s sent folder; nothing was sent from my emails as far as I can tell. And if it was, the only thing they messed with was just the Epic account? They could have done a LOT more harm if they had those emails, than just switching my PayPal over. So I don’t know what exactly happened on Epic’s side, but I don’t think it was my email being compromised and making the request. I could be wrong; if so, I’d like to see the emails sent to Epic to confirm that’s the case, and then I’d have a new bag of issues to deal with. haha

The issue was quickly resolved. One purchase was made on the account (and refunded). They switched over my PayPal. Epic froze everything. Remedied the situation. And I’m very grateful to the team at how fast they responded. I do agree, whatever mess led to this could have been avoided with a bit more stringent security policy. I am always in favor of more preventative measures than reactionary ones.

I never meant to throw Epic or anyone under the bus with my post, I just saw some scary stuff going down with OurMine on my account, and knew they hacked into the Unity servers only a week or two ago. So I just wanted to alert everyone of my unfortunate situation and maybe catch the issue early if it was indeed a bigger issue. Which it wasn’t.
[/QUOTE]

For reasons you outline here, I also don’t buy into the whole “they hacked your email” argument. Chiefly because the modus operandi in that situation is not only to change the passwords of the email (which apparently didn’t happen?), but as you said to do far more damage than just changing details on one account associated with that email. I understand that Epic doesn’t want to admit any culpability in this given how Sony was recently taken to the bank in a class action lawsuit over their negligence in protecting user information. Like you I’m not looking to throw Epic under the bus over this, but the safety of sensitive information needs to be of paramount importance - far and above their concerns for possible litigious blowback, which is what these comments smell of. **Just put securities in place so this doesn’t happen again, this needs to be prioritized - not coming later in the year.** Also this had nothing to do with logins, I’m not sure why we keep going back to that. A process needs to be put in place for Epic Support to be able to verify a person’s identity when they are requesting changes be made to an account they aren’t clearly linked to.

As for verifying their claims that the email came from your account, you should ask that they present you with evidence of that to review. I’m assuming you checked your sent folder given you were absolutely sure it didn’t come from you, but you can also contact the support line of your email host and get them to present you with a copy of every email you sent during the time period - or better yet get Epic to provide you with the dates/times that it was allegedly sent from your account. (This is assuming people will suggest you were hacked, and then the sent emails were deleted. Your email host will be able to provide you with them if that is the case.)
@SteveElbows also raises a point about the possibility of spoofing the address. Every trail needs to be followed in order to properly ascertain what the precise cause was so that sufficient measures can be taken to prevent it from happening again.

I think the speculation around this issue has got a bit out of hand and doesn’t help, although I do understand a lot of it stems from general, unrelated discontent with the marketplace systems. Anyway, it seems to me this particular issue, as it stands with the information we have, really just boils down to this:

[QUOTE=;706700]
Our accounts team received a request from the email associated with the account and made the change.
[/QUOTE]

In what world is just checking to see if an email address matches sufficient authentication for making changes to account financial information? You have a secure section of your website where these changes can be made (whether the security there could be improved is a separate issue), so why would you even consider making these kind of changes in response to an email?