Fortnite has ROBBED my UE4 Developer Account! You next?

You might want to detach any and ALL payment systems you have from your Unreal Engine 4 account, if there’s even the slightest chance your user name and password are floating around online.

Just today my Epic account was charged $99.99 for the game Fortnite, which I have never installed or played in any fashion. My Epic account was linked to PayPal and PayPal told me that because I authorized them, it’s up to Epic to fix the problem.

I only got an Epic account to use the UE4 engine! Although I guess it’s common knowledge online, I never heard of theft utilizing Fortnite. I was actually under the impression the game was still locked down to Beta, so I didn’t even think the game was out yet! But APPARENTLY it’s not online out, but the biggest online game in the world, with the additional nefarious title of being the least secure game in the world for hackers. Apparently it’s super easy to make transactions without reentering your PayPal information. There’s no account Pin, like Oculus uses, for instance. Once they are logged in, they can clean out any bank or PayPal account link to your Epic account. And these codes, or whatever V-Bucks are, are apparently easy to transfer to other accounts. So all I have is a $99.99 bill and absolutely nothing to show from it. It’s the end of the month, I had to pilfer my saving just to stop my bank account from over-drafting!

If you do get robbed, I found a forum posted form that was made exclusively for this growing theft problem. You’ll need to fill out this, as Epic has NO OTHER MEANS OF CONTACT, regarding this scam. From the forum posts referencing this form, I couldn’t find a single post mentioning Epic giving a refund, so even this might not work…

http://fortnitehelp.epicgames.com/customer/en/portal/articles/2313879-how-do-i-request-a-refund-

There’s no other way to reach the company directly. Epic’s phone number dumps to voice mail with no options regarding billing. I did a little poking around tonight and found a multitude of stories including this one from Kotaku, made over 6 weeks ago discussing how bad things have gotten:

Until today, I had no reason to doubt Epic’s integrity. It smacks of a company who’s turning a blind eye to a theft issue they are profiting from. It’s very loathsome for a company I would normally expect so much from. Epic is NOT protecting it’s UE4 developer accounts! You’re money could be in danger. Lock down your passwords, and if you have the option, NEVER allow Epic full access to your PayPal or Credit Cards. They are not protecting them. They didn’t protect me, they won’t protect YOU!

Why? Why? Why do people have:
1 - active payment methods when they don’t need them?
2 - active credit cards associated with their paypal account when not necessary?
3 - same passwords everywhere?

This is the Internet. Always assume two things: someone is always watching you and everyone is out there to get you.

Great, first victim blamer. Do you feel better about yourself? Superior? You sure showed me. You’re #1! Let me get you a gold sticker…

It’s FREAK’N EPIC! It’s not a fly-by-night company. It’s not some little speck on the internet, it’s the maker of professional tools for large and small businesses! Million dollar companies use these tools daily! And they’re also EXTREMELY irresponsible with user information! This is unacceptable for a company who’s name should carry the weight of some integrity.

I had NO IDEA that my Unreal Engine account even linked to this silly game Fortnite, much less that it could draw money at any time with ZERO safeguards. Not only can purchases be made, but then the stolen materials can be laundered and transferred instantly! It’s a theft engine! And Epic has known about it for almost 2 months now! This isn’t a hack that happened yesterday, it’s been going on since late February, from what I’ve read today. We have NOT been warned at all! There was one small mention in a forum post in March mentioning it, and nothing else. I received NO E-mails about it, and they’ve done NOTHING to fix the issue. Forgive me if I didn’t don the tinfoil hat and see villains at every turn. I THOUGHT Epic was a modestly responsible multi-million dollar tech company full of geniuses, and not a series of old ladies hiding cash under their mattress.

I think I read somewhere that victim get the money refunded. I do not have the url handy though.

If you really left your paypal open for fast paying… Then it was 100% your fault.
Maybe Epic lost your user details but that is a common thing on the internet.

You are disturbed that you lost that much money ok, but you can get it back.
If what you are said is actually true at all then you should look at yourself very close and ask yourself: How did they not only get my epic password but also my paypal one…
Yee you left it open wich was naive.

Alot of people will say the exact same as me and the poster above you.

They didn’t get my PayPal password! They didn’t HAVE to have my PayPal password. Once they were in Epic account, all transactions were instantly authorized. Do you understand now? Should I put it into smaller words for you? There is no PIN number, no relogging into PayPal to finish the transaction (like Steam does), once they are into your Epic account, they can clean out your bank instantly. There has been NO 2-Factor Authentication added, despite this issue existing for months now. They never even sent out a mass E-mail to notify users of the problem. This is gross negligence!

I have changed my PayPal password several times since I setup my Epic account, but that didn’t matter since they were already authorized. They have a lasting connection to your account and NO security once people are in. Epic has become, effectively, YOUR BANK. And they are the worst bank on the planet, apparently.

Even if you haven’t a drop of human compassion, you should at least have the self preservation to drop the fanboy trolling and realize that your Epic password is the ONLY THING stopping a hacker from robbing your bank blind. Epic doesn’t check ANYTHING. Once the hackers get into your Epic account, they own YOU.

A company is not excused of a breach, simply because it happens often.

Well i meant that more the way you said it, i dont think its ok at all just that we cannot just trust anyone. Its gonna happen and we need to be aware even if it isnt our main job as user. Ofc epic needs to handle these situations, lots or problems here!

There quite a few sites to check for compromised accounts and emails. So, please, check them out and be smart in the future:

And please @, stop being so defensive. You might think I was blaming you, but I was only putting info out there for others to see and act accordingly (which they won’t … they never do).

Try emailing accounts@unrealengine.com

One of the issues right now Epic needs to fix is to have it require login authorization to make a paypal purchase rather than allowing purchases without verification after the first purchase, that’s one of the several things Epic needs to do.

I understand this is a sensitive topic, and Epic is working extremely hard to implement safeguards to ensure account security. However, some of that safeguarding requires your involvement. Make sure you have MFA enabled on your account, use a unique password for your Epic Games account, ensure you update your password on a regular basis etc. I would encourage you to take a look at this post from early April discussing account security. Protecting Your Epic Account - Announcements - Epic Developer Community Forums

While I recognize this is a sensitive topic, I also recognize that the temperature of this conversation is rising quite rapidly so please try to remain civil.

Can you DM me your account email address? I will have our CS team take a look at it for you!

Thanks!

I’m not sure what a “DM” is, but I “PM” (Private Messaged) your user name. Is that the same thing? Please let me know! Thanks!

This has happened quite a few times before with users and random purchases on the marketplace. It’s always a good idea to remove payment information when you’re finished making a purchase. While it may be more cumbersome having to enter it in every time, it’s undoubtedly safer than keeping it stored.

Things like Unreal Studio subscriptions will make that difficult though.

I got my refund today from Epic. Thank god! I’m still not sure what to do about UE4 though. If I ever need resources, I’m going to have to find a one-time-only way of paying them. Maybe get a pre-paid card with the exact amount. I can’t trust them with my PayPal or Bank card anymore.