Epic: Your account security design is atrociously bad

In the past few hours, there have been over 70 attempts at spoofing the two-factor authentication for my account.

In my effort to change my account password, to stop this, I have been faced with what is one of the most anti-user account security systems I can recall, which is possibly even more of a risk to Epic account holders than a hacking effort is - because the Epic system is designed to expose a legitimate user as much as possible, while giving them little to no recourse to do anything about a hack, or to retrieve their account if it is stolen.

First, I’ll start with one of the most absurd issues with the Epic account security system: Why do you broadcast the email address that the 2-factor authentication code is sent to? That’s incredibly stupid. Now one of my email addresses is known to some lame fail-hacker somewhere in the world.

Why not censor part of the email, like other sites do?: liv*******@****.com

That would protect the user’s privacy and security, and frustrate any further hacking efforts against other accounts - while accomplishing the goal of informing the account holder of where to get their 2FA information.

Now, even after a person has their 2FA information, how can a person log into their own account to change the password to prevent someone who’s trying to hack it from getting into it, when it takes about a half hour or longer for the two-factor authentication code to be sent to the person’s email, and there’s somebody constantly trying to brute-force the 2FA, using the current password each time, and resetting what the 2FA is with each log-in attempt? Again, stupid design.

After a certain number of log-in attempts, like 5, an account should be locked, and only unlockable from an email that is sent to the person that the account belongs to. Or, no new log-ins should be possible for a set number of hours, while the last 2FA password sent to the account email may still be used - giving the person who owns the account time to use it to log into their account without the 2FA code constantly changing. Each 2FA code should have a working duration of at least 5 minutes after it’s RECEIVED.

Next with the Epic account security system: Oh, and did I say it takes over a half hour to receive the 2FA code? My mistake - it’s been over 1.5 hours now, and I haven’t yet received a single 2FA code from the location I’m in - but I’ve received over 60 from locations in Russia, which weren’t generated by my own request for a 2FA code. By the way, I changed my Epic account password over 10 minutes ago, and I’m still receiving 2FA codes in my email. Also, I still haven’t received a single 2FA code from my actual location.

Now, the next glaring issue with the Epic anti-user account system: When all efforts by a person to log in to their account fail, or if a person’s account is hijacked and its password changed, how is the person supposed to contact Epic support for assistance in retrieving their account? All Epic support options require being signed into a person’s account. Therefore, if a person is locked out of their account, they’re also locked out of support contact options to get help with their account. Like previous aspects of Epic’s account system design, this part defies all logic. And Epic cannot even be contacted from their Facebook page, or elsewhere that I’ve seen (and I searched).

So, the requirement for people to get support from Epic regarding their account security is that they don’t require support from Epic regarding their account security in the first place.

Create a support contact form on the Epic Games main website that allows a person to fill out and submit the form using just an email address for the return contact. Better yet, have an online chat support system that people can use WITHOUT needing them to be logged into their account to use it.

And another amateur issue with Epic’s account so-called security system: How is it that your account so-called security system does not identify a hacking effort when there are dozens of account log-in attempts, each from a unique IP address? Shouldn’t any sensible system recognize, after maybe 3 - 4 log-in attempts within 30 minutes, each with a different IP address, that somebody is trying to hack the account, using IP-address spoofing?

Here are the IP addresses that have been used to request a 2FA code for my account in the last few hours (only one of them is not from Russia, and is instead from France):

37.18.42.16 in Russia.
146.185.202.20 in St Petersburg, Russia.
185.13.33.118 in Russia.
185.101.69.94 in Russia.
91.243.91.52 in St Petersburg, Russia.
37.230.212.76 in Russia.
95.181.217.34 in Russia.
178.57.65.162 in Russia.
185.223.164.34 in Moscow, Russia.
5.101.218.50 in Rostov-on-Don, Russia.
185.223.164.150 in Moscow, Russia.
5.8.37.6 in St Petersburg, Russia.
185.101.68.144 in Russia.
95.181.217.221 in Russia.
37.18.42.43 in Russia.
141.101.201.45 in Russia.
95.181.183.107 in Russia.
5.188.217.38 in St Petersburg, Russia.
37.9.41.147 in St Petersburg, Russia.
79.133.107.133 in Russia.
185.13.33.176 in Russia.
146.185.202.99 in St Petersburg, Russia.
46.161.63.254 in Nizhniy Novgorod, Russia.
5.62.155.129 in Russia.
5.62.152.151 in Russia.
5.8.37.6 in St Petersburg, Russia.
185.223.160.126 in Moscow, Russia.
178.57.65.194 in Russia.
185.223.160.83 in Moscow, Russia.
5.62.157.107 in Paris, France.
185.89.101.134 in Moscow, Russia.
185.13.33.126 in Russia.
185.89.101.25 in Moscow, Russia.
46.161.63.135 in Nizhniy Novgorod, Russia.
91.243.93.48 in St Petersburg, Russia.
91.243.91.38 in St Petersburg, Russia.
146.185.202.118 in St Petersburg, Russia.
146.185.202.104 in St Petersburg, Russia.
193.93.195.89 in St Petersburg, Russia.
193.93.195.22 in St Petersburg, Russia.
193.93.193.15 in St Petersburg, Russia.
146.185.202.118 in St Petersburg, Russia.
46.161.62.183 in St Petersburg, Russia.
185.101.69.201 in Russia.
185.223.160.231 in Moscow, Russia.
5.8.37.19 in St Petersburg, Russia.
5.62.154.162 in Kaluga, Russia.
37.18.42.48 in Russia.
79.110.31.43 in Moscow, Russia.
5.62.155.103 in Russia.
193.93.194.145 in St Petersburg, Russia.
5.62.152.107 in Russia.
185.101.71.79 in Russia.
178.159.97.79 in Moscow, Russia.
37.230.212.195 in Russia.
91.243.90.160 in Kaluga, Russia.
178.57.67.130 in Russia.
37.230.212.14 in Russia.
91.204.15.97 in Moscow, Russia.
193.93.194.123 in St Petersburg, Russia.
37.9.40.129 in St Petersburg, Russia.
185.14.194.182 in Moscow, Russia.
79.133.106.157 in Russia.
193.93.195.110 in St Petersburg, Russia.
5.188.217.20 in St Petersburg, Russia.
185.101.69.141 in Russia.
193.93.193.248 in St Petersburg, Russia.
79.133.106.86 in Russia.
79.133.106.11 in Russia.
95.181.217.107 in Russia.
37.230.213.184 in Russia.
5.62.155.175 in Russia.

My account should have been locked down, rather than allowing this many unique IPs to be signing into my account within a short period of time.

Obviously, Epic’s account security system NEEDS a major revision - and Epic account holders need it to happen to know that their Epic account is adequately secure.

And to add to the unfortunate state of Epic’s account security system, when I changed my password, I received an email from Epic saying:

"Hi ---------!

You have successfully changed your Epic Games account password. If you did not make this request, please contact us immediately <accounts@unrealengine.com>.

Kind Regards,
Your Friends at Epic"

When I clicked the ‘contact us’ link to inform Epic of the difficulties I had just encountered and sent an email, I immediately received an automated email from Epic Help <help+noreply@epicgames.com>, saying:

“Thank you for your email. This email address is not monitored. For support, please visit http://help.epicgames.com.”

And the page that the help.epicgames.com link leads to requires account sign-in to make any support request. So, astonishingly, Epic’s help system for an issue with an account is actually a perpetual loop of futile re-direction!

And adding to the situation, if a person is able to sign into their account, the Epic Account help option only links to the person’s profile settings, rather than to a form to contact Epic for help with their account.

It seems clear that Epic do not want anybody to contact them, because there indeed is no way to contact them! So, what is a person expected to do if their Epic account is hacked and stolen? As it is, it appears that they can do nothing but create an alt account, and then maybe post about their issue on the forums.

See Epic account compromised - Feedback for Unreal Engine team - Unreal Engine Forums
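The e-mail second-factor rules argued for in the post above (mask the address the code was sent to; issue one code and keep it valid for a fixed window instead of regenerating it on every login attempt; allow only a handful of wrong guesses before the account locks; unlock through a link mailed to the owner) sketched in Python as an added example. This is illustrative code written for this page, not Epic's implementation and not code from the poster. The class and method names, the 10-minute lifetime, the five-guess limit, the example.invalid unlock URL and the in-memory outbox standing in for the mail provider are all assumptions. One caveat the server cannot design around: it can only time the window from when it handed the message to the mail provider, not from when the user received it, so the lifetime has to be long enough to absorb delivery delay.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

CODE_TTL_SECONDS = 10 * 60   # assumed: a code stays valid for 10 minutes after it is issued
MAX_CODE_ATTEMPTS = 5        # assumed: wrong codes tolerated before the account locks


def mask_email(addr: str) -> str:
    """Render an address the way the post suggests (liv*******@*******.com): a few leading
    characters of the local part and the top-level domain survive, everything else is hidden."""
    local, _, domain = addr.partition("@")
    if not local or not domain:
        return "***"
    keep = min(3, max(len(local) - 2, 1))
    name, dot, tld = domain.rpartition(".")
    masked_domain = "*" * max(len(name), 1) + (dot + tld if dot else "")
    return f"{local[:keep]}{'*' * (len(local) - keep)}@{masked_domain}"


@dataclass
class Account:
    email: str
    locked: bool = False
    pending_code: Optional[str] = None   # the one outstanding code, reused until it expires
    code_issued_at: float = 0.0
    code_attempts: int = 0
    unlock_token_hash: Optional[str] = None


class EmailOtpService:
    """E-mail second factor that issues one code per window instead of one per login attempt."""

    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.outbox: List[Tuple[str, str]] = []   # (recipient, body); stands in for the mail provider

    def begin_login(self, acct: Account) -> str:
        """Run after a correct password. Returns the masked address to show on the login page."""
        if acct.locked:
            raise PermissionError("account is locked; use the e-mailed unlock link")
        t = self.now()
        if acct.pending_code is None or t - acct.code_issued_at > CODE_TTL_SECONDS:
            # Only mint a new code when none is outstanding or the old one has expired.
            acct.pending_code = f"{secrets.randbelow(10 ** 6):06d}"
            acct.code_issued_at = t
            acct.code_attempts = 0
            self.outbox.append((acct.email, f"Your sign-in code is {acct.pending_code}"))
        # A second password-correct login inside the window re-uses the code already sent,
        # so an attacker replaying the password cannot keep invalidating the owner's code.
        return mask_email(acct.email)

    def verify_code(self, acct: Account, submitted: str) -> bool:
        if acct.locked or acct.pending_code is None:
            return False
        if self.now() - acct.code_issued_at > CODE_TTL_SECONDS:
            acct.pending_code = None
            return False
        acct.code_attempts += 1
        if hmac.compare_digest(acct.pending_code.encode(), submitted.encode()):
            acct.pending_code = None          # single use
            acct.code_attempts = 0
            return True
        if acct.code_attempts >= MAX_CODE_ATTEMPTS:
            acct.locked = True                # five guesses out of a million: brute force is cut off here
            acct.pending_code = None
        return False

    def request_unlock(self, acct: Account) -> None:
        """Mail a single-use unlock link; only the hash of the token is kept server-side."""
        token = secrets.token_urlsafe(32)
        acct.unlock_token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.outbox.append((acct.email, f"Unlock link: https://accounts.example.invalid/unlock?token={token}"))

    def unlock(self, acct: Account, token: str) -> bool:
        if acct.unlock_token_hash is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(acct.unlock_token_hash, presented):
            return False
        acct.locked, acct.unlock_token_hash, acct.code_attempts = False, None, 0
        return True
```

The constant-time comparisons matter less for a six-digit code than for the unlock token, but using hmac.compare_digest everywhere costs nothing; storing only the hash of the unlock token means a read of the account table does not hand out working unlock links.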

Just wanted to chip in here.

I was recently locked out of my account due to too many bad password attempts from someone else trying to access my account and have lost my account to a “hacker” already once before (several months ago). Luckily I learned my lesson way back when, and now use a different password for every account I have. (A lot of people still don’t, which is 99% of the reason they still lose their accounts).

However - the 2FA system in place right now is frankly, a joke - and it took a short eternity to even implement in the first place.

I accept that the success of Fortnite is something Epic wasn’t prepared for, and I accept that they are a games company and not a security company - but it’s been several months now, and it seems somewhat irresponsible to not take these issues more seriously or at least be more transparent with what’s being done to resolve it. I understand that dealing with this kind of thing is a sensitive topic, but the only response we ever really get is “our engineers are looking into it”. (See the thread linked above for an example of it).

Several users have had actual money go missing from their bank accounts - that is SERIOUS and messes with people’s real lives. What happens when somebody’s rent money goes missing from their account due to poor security? I recently removed all payment information from my account, and I’m holding off on releasing marketplace content until I feel the system is secure enough to re-add my payment details. Incidentally, to set up as a marketplace seller, my account now stores sensitive information about my business too (such as Tax Reg Number) - which I can’t remove without jumping through hoops.

A couple of weeks ago, it took over 24 hours to get a 2FA sign-in code sent to my e-mail address, which I needed to install the engine at an on-site contract (i.e, a legitimate use of my account at another location - exactly what 2FA is designed for). As a result, I wasn’t able to install the engine at all using my own account and couldn’t even access anything else. Thankfully someone on-site had their own account on that machine - but if they hadn’t, I’d have been out of a job that day.

I’m a self-admitted Epic / Unreal fanboy - but even I can’t look past the sheer number of people losing their accounts recently. Social media is rammed full of folks trying to understand why they keep losing access to their accounts. Serious action needs to be taken before this gets out of control, or we at least need to know that’s what’s happening.

Imma just leave this here: https://twitter.com/Luos_83/status/977851446900215808
and agree with OP/Jamsh.
Not so much with RareSumo though.

Wait, so let me get this straight. Now that I’ve turned on 2fa someone can just endlessly probe my account with infinite login attempts until they get the right password since the lockout was removed? That’s great!

Have since deleted that tweet I’m afraid. Tend to use twitter as a ranting platform then go back through it once my day is back to normal :wink:

I’ll quote this and post here for the rest of the readers.

If you want an account deleted, contact Epic Account Support. We are forum moderators, not Epic Staff. Regardless of how frustrating this is (we all feel it) - stick to the Code of Conduct and remain polite and professional. Cursing will get you nowhere fast and the thread will be locked.

I know, but it contained at least one other person who was dealing with weird-login-by-other issues.

I apologize that you all have experienced issues with your Epic accounts. As you’re aware, with the massive influx of users to Fortnite, we’ve seen an increase in attempts by hackers to gain access to Epic accounts. Our team is rapidly implementing changes to our security systems to protect and secure your data while improving your experience in the event that your account is targeted. For the sake of security, we can’t disclose all of that information, but please know that we are progressing on mitigating attacks.

We encourage all folks to enable 2FA. This is a HUGE step in securing your account. The delayed emails you experienced this weekend were due to an issue with our email provider, which prevented you from receiving active codes. That has been resolved and the team is investigating offline MFA options to help get you back into your account in the event that the online options are failing.

Accounts that do not have MFA enabled will be locked after a number of failed login attempts, since these accounts are less protected. However, resetting your password will enable you to access your account again in the event of a lockout.

We could obscure the email address when sending the code. Keep in mind, though, that the hacker would already have your email address if they’re able to view the 2FA message.

Our customer support infrastructure is undergoing a significant overhaul, and we are working to have better resources in place for you very soon. I’ll update this post as soon as we have an improved support loop for Epic accounts.

Lastly, please check out this post on all the steps you can take to make sure your account is as secure as possible.

^s’wat I’m talking about. Thanks for the info Amanda!

I get “Your account has been locked.” emails all the time due to someone trying to brute force my account. It’s gotten to the point where I just smile and ignore it now. It’s ridiculous.

In my case, it seems to me that they had my username, Delicieuxz, and somehow had the password, but didn’t have access to my email (which uses a different password) - otherwise, they would have been able to successfully enter the 2FA code and take over my account. Since they kept trying, I’m guessing they were attempting to brute-force the 2FA code, while having no access to my email to see what it is.

And the hacker would likely not have known my email address at all, if not for the Epic log-in page saying along the lines of: A 2FA code has been sent to exampleemail@email.com - which it does following each username and password log-in, without obscuring any of the letters. It definitely will give account holders more security of their 2FA-protected Epic accounts, and of their email accounts, to obscure enough of the email address that only the person who owns that address will know which it is.

I’m glad that Epic is working on putting together a much better account security and recovery system, though.

Next week it will be 2 months. I tried changing my e-mail through customer support, but I was told to wait and very soon we could change our e-mail addresses. All my accounts use different passwords and I want to retire my old e-mail address due to phishing and spam-mails. My Epic account is the only one left that uses the old e-mail address I wish to retire.

When will we be able to change our e-mail addresses, either ourselves or through customer service?

Glad to have come here to report a similar issue and already seeing a dialog about it. I tried enabling 2FA on my account, but when I attempted to log in from another computer, I never received the 2FA email, which left me unable to login. I tried again for several days in a row without ever getting a verification code sent to me. I ended up having to go back to a computer I was already logged in on and disabling 2FA to get access. How can we use 2FA if we can’t reliably expect Epic to send 2FA codes?

I wrote up a detailed explanation to Unreal about how they could solve these problems, but they just don’t care. Personally though, I am more concerned about the fact that their system is stupidly easy to exploit to shut down an entire studio. All you need is a login bot that repeatedly tries to login to a set of accounts. So once you get a list of emails, you spam failed login attempts to lock their accounts. That’s an old trick from the early 90’s that’s usually used to get people to reuse old passwords eventually, but it can be used as a sort of denial of service attack.

Considering how frequently my account is locked I am fairly certain that bots are already in use, but I’m smarter about my passwords than most so the only real problem I get is that I get spammed by Unreal and there’s no way to make them shut up.

Both the login bot and the issue of compromised accounts would be easy to solve if they took one of my many suggestions. For example, suppose that if/when an account is locked, the IP address that you last used to log in successfully is allowed to have continued access. Logically, if the attacker had the correct password they wouldn’t know to lock it anyway so clearly the last successful login can be assumed to be from a valid user. In this case, it reduces the vulnerability to a login bot - and completely eliminates it for companies with a static IP address. It would be even better if they allowed the last, say, 3 IP addresses to remain active or to let the user manually set a white list.

From there, if the user could manually set their account to only allow access from certain geographical locations, it would prevent hacking attempts from outside that geographic area. The attacker shouldn’t get anything more than the normal failed login attempt. This, of course, doesn’t eliminate the possibility of someone in my geographic area from compromising my account or from someone spoofing their IP, but generally speaking if implemented correctly the attacker wouldn’t really know which geographic ranges would be correct. To further protect the account, it could be set to prevent you from blocking out your current geographic range and could be set to prevent that from being changed for X days. So if I set my location, I could say not to let anyone touch it for a year - not even me - so if my account is ever compromised regardless they can’t lock me out.

Lacking any of those fixes, how about lifting the login requirement to create projects and use purchased assets? It’s great that I can use already created projects while locked out, but this always on DRM clearly isn’t working.

Then again, I highly doubt Unreal will do anything whatsoever unless and until one of the larger studios that use Unreal are shut down by a malicious attacker abusing their vulnerabilities and then they get sued, which is even worse IMHO - it represents a callous disregard for real security.

Now, in regards to Fortnite, what idiot thought it was a good idea to integrate a game with a development engine? Developer accounts should be totally separate. It’s so bad that most of the contact emails for Epic are now unmonitored and the few that are tend to focus on Fortnite, and when I contact about development issues the first responses are always about Fortnite. There is no freaking way I will EVER play that game at this point, regardless of its merits, because doing so will probably make it even harder to be taken seriously. Why couldn’t you guys just develop a separate client for that game? With a separate account system?

What if someone uses a different IP in every login?

Hey Epic, if possible can you add an option to use Google Authenticator for Android/iPhone for 2FA? It produces a seeded random set of 6 numbers generated from a unique code for each user’s account as an authentication code which changes (expires) every 30 seconds. I use it for about a dozen other websites with 2FA, it works really well, and would be nice to have an option to use it instead of email for 2FA on Epic accounts.

My account was hacked here and on twitter shortly afterwards a few months ago during the time I was away and I too was receiving emails similar to the OP. Thankfully no harm was done, but it could have been a nightmare cleaning up the mess on the forums if they realized I was a moderator. My email now shows up as Pwnd on this site, which is annoying but I’m not getting much spam so I don’t know whether to stop using it completely or not. Since then I have been going OCD overkill on security both here and all my other accounts, changing long passwords monthly and never reusing a password for any other sites. It’s a pain but worth it in the long run.

I would like to change my email address attached to this account though, so I will be sending a request from the support request page to fix that. If anyone else is having account issues use that link to report it to Epic Support. It says Fortnite, but it’s for UE4 support too, just select “PC/Mac” from the Fortnite Game Platform combo-box, select a random Game Mode, and then use “Account Security” option for Game.