MAJOR Security Compromise Issue!

[=;706918]
I think the speculation around this issue has got a bit out of hand and doesn’t help, although I do understand a lot of it stems from general, unrelated discontent with the marketplace systems. Anyway, it seems to me this particular issue, as it stands with the information we have, really just boils down to this:

In what world is just checking to see if an email address matches sufficient authentication for making changes to account financial information? You have a secure section of your website where these changes can be made (whether the security there could be improved is a separate issue), so why would you even consider making these kinds of changes in response to an email?
[/]

Gonna have to disagree with you on this one, especially the notion that our response here is related to general marketplace issues. This is a serious issue about the protection of sensitive data. Epic is claiming that the request came from and that his email account was what was compromised (which at this point, is speculation on their part), seems to deny this and also claims he made no such request. That’s not speculation at all. *But* if you want to go down that route, I highlighted above all he’d need to do in order to verify that claim. It’s rather easy to verify, and the only one who can is - not Epic. Given that when someone’s email account is compromised the first thing they do is lock the user out, I’m skeptical that was the case. But there’s only one way to know for sure, and that is by contacting the support of his email provider and requesting the alleged sent (and presumably deleted were we to go with this reason) messages. Epic claims the emails came from his account, which means they have date and time stamps. So then it should be no issue matching that up. They can provide him with the relevant dates/times and he can confirm them. I’m not in the interest of finger-pointing here, none of us are. We just want to make sure that this doesn’t happen again - and that won’t happen if the actual cause is not addressed. This whole notion that two-step verification on UE4 account logins will prevent this doesn’t address the issue of a staff member giving a random person access to a user account without verification.

I get why they are hesitant to admit this if that is indeed the case, but we’re not worried about how it looks from a PR standpoint. We want to know with absolute certainty that our sensitive information is secure, and given what happened and the response I personally am not convinced. Immediately there should be measures put in place to verify one’s identity when dealing with staff support on account related issues. That should be a given at this point.

This is obviously a serious issue, but it is probably better if we all refrain from further speculation and debates until the directly involved parties (i.e. Epic and et al) have sorted things out on their end.

Give them the time they need to establish the facts and get back with a detailed report and their plans to prevent this from happening again in the future.

[=;706962]
This is obviously a serious issue, but it is probably better if we all refrain from further speculation and debates until the directly involved parties (i.e. Epic and et al) have sorted things out on their end.

Give them the time they need to establish the facts and get back with a detailed report and their plans to prevent this from happening again in the future.
[/]

Agreed. I actually just noticed they haven’t definitively said this was what happened, but just what they’re assuming based on the data they have at this point. Though in my defense I was only repeating what had said via Discord. Hopefully we’ll get more concrete info in the future.

[=SE_JonF;706955]
Gonna have to disagree with you on this one, especially the notion that our response here is related to general marketplace issues. This is a serious issue about the protection of sensitive data. Epic is claiming that the request came from and that his email account was what was compromised (which at this point, is speculation on their part), seems to deny this and also claims he made no such request.
[/]

I’m just going to jump in here because Epic have been compromised a couple of times last year where people’s emails could have been leaked, so regardless of how it actually happened it’s possibly traceable back to Epic either way. I’m not saying it’s all their fault and it’s possible simply didn’t secure their account after August 11th 2016, but I have warned Epic numerous times (after the GitHub fiasco and the ongoing spam issue that’s been plaguing their AnswerHub since Rocket beta) and this still happened. I’ve taken precautions by removing my payment details even if I have assurances those details are safe from prying eyes.

I do agree with kamarann, speculating and fueling the fire won’t help, but I honestly want more from Epic this time than being brushed off with “it’s going to be okay”; they did that last time and obviously it did nothing… I even told them that account creation needed looking at but no, we are still talking about it! It’s inaction like this which makes me feel like I’m not taken seriously as a member of the community. I feel like Epic doesn’t really care at all as they have had plenty of time to fix this issue and are still spinning their wheels.

I completely understand there might be reasons for delays but it’s clear if Epic keep delaying and mixing up their priorities it’s going to hurt their business long term :cool:

[=MonsOlympus;707609]
I completely understand there might be reasons for delays but it’s clear if Epic keep delaying and mixing up their priorities it’s going to hurt their business long term :cool:
[/]

It won’t, and they know it won’t. That’s why they just post platitudes like “We treat situations regarding information and hacking extremely seriously and strive to remain as transparent as possible as we unwrap a situation.”

[=;707613]
It won’t, and they know it won’t. That’s why they just post platitudes like “We treat situations regarding information and hacking extremely seriously and strive to remain as transparent as possible as we unwrap a situation.”
[/]

Well I’ve been using UE exclusively for a long time (13 yrs give or take) and I’ve recently moved over to Unity to test some things. I know their security has been compromised too (before I signed up) but it’s the mentality of Epic that prompted this decision more than anything else. It flows through every facet of their business and it’s worrying, it certainly doesn’t sound like something you would expect from an independent developer at all :cool:

@MonsOlympus - I definitely feel like I’ve seen your name on the old UT forums. I used to lurk there. =P

In regards to the topic, another user has reportedly experienced the same issue as . m.orzelek posted on Discord that he received the same emails, and that his Epic account is now blocked. From the looks of it Epic is aware of the situation. Hopefully they can figure out the exact cause of this and prevent more from happening.

I’ve been getting really weird emails from Epic lately.

I tried to submit an update for Look Alive yesterday, and replied:

“While processing your request, it appears your financial information has not been filled out. Please access the Seller Portal (Publisher Portal) and ensure that the Payout Info and Tax Info tabs are filled out so we can proceed.”

Not only does the link there not work, when I checked my info it’s all filled out, exactly as I had left it. I replied informing him of this, but I only got a generic automated reply, “Thank you for submitting your request.”

I reply again, and this time I don’t even get the automated response.

Not too happy about shenanigans like this going on while everyone is still on edge about security issues.

I, and it appears several others, have just had my account deactivated and an email sent to me telling me that my credentials were compromised. The email said that they discovered that my information was compromised on a 3rd party site unaffiliated with Epic and used to get access to my account. It then lectures us on not sharing passwords between sites. Yet here’s the issue: I NEVER share passwords between sites. All of my login data is unique. So what the actual hell is really going on? Especially since this happened to a few other sellers that I’m aware of. [MENTION=14973][/MENTION]; It’s looking more and more like Epic was hacked again.

[=SE_JonF;708378]
I, and it appears several others, have just had my account deactivated and an email sent to me telling me that my credentials were compromised. The email said that they discovered that my information was compromised on a 3rd party site unaffiliated with Epic and used to get access to my account. It then lectures us on not sharing passwords between sites. Yet here’s the issue: I NEVER share passwords between sites. All of my login data is unique. So what the actual hell is really going on? Especially since this happened to a few other sellers that I’m aware of. [MENTION=14973][/MENTION]; It’s looking more and more like Epic was hacked again.
[/]

Got this as well.

[=;706618]
It’s highly disturbing that someone working for Epic would just go along with such a request. Of course, as alluded to, we will never get the full truth from Epic, so it is very important we all keep close eyes on our accounts and take steps to protect ourselves.
[/]

Absolutely, assuming that any company is going to look out for your best interests better than you is folly.

I have a long and absolutely weird password that I couldn’t even memorize or read, and it wasn’t used anywhere else on the internet other than logging in to these forums.
I generate passwords like that for my accounts and I even keep them outside the PC, on paper. Not sure what’s really going on.

I’m pretty sure that this is a precautionary action. A compromised email used with UE4 means a possible threat, so instead of waiting for problems they just reset passwords for such accounts. I doubt that Epic can compare a leaked plaintext/hashed password with your password and send a notification only if this matches. If they did that - then it would be a real problem.

However, if email was compromised then using same email for resetting UE4 account password seems… weird to say the least.
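The check the post above doubts is possible, as an added example that is not from this thread, from Epic, or from any poster: a service that stores only salted PBKDF2 hashes can still cross-check a third-party leak of plaintext credentials against its own accounts, by hashing each leaked password with that account's own salt and comparing the result in constant time. The accounts, passwords and leak contents below are constructed for the example. It contrasts two ways of deciding whom to force-reset: flagging every account whose e-mail merely appears in the leak, and flagging only the accounts whose leaked password actually verifies, which is the only case where the credential is really reused.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; a production value would be tuned to
# the server, this one just keeps the example fast.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password under a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_store(accounts):
    """Build the service-side store: e-mail -> (salt, hash). Plaintext is never kept."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


# Constructed local accounts (hypothetical addresses): seller_a reuses the password
# that leaks elsewhere; seller_b and seller_c use passwords unique to this service.
USER_STORE = make_user_store([
    ("seller_a@example.com", "hunter2-reused"),
    ("seller_b@example.com", "Xk9#vL2!unique-to-marketplace"),
    ("seller_c@example.com", "another-unique-secret"),
])

# Constructed third-party breach dump as (e-mail, plaintext password) pairs.
# seller_b appears in it, but with a password that was never used here.
THIRD_PARTY_LEAK = [
    ("seller_a@example.com", "hunter2-reused"),
    ("seller_b@example.com", "password-from-other-site"),
    ("nobody@example.org", "irrelevant"),
]


def emails_in_leak(store, leak):
    """Coarse check: every local account whose e-mail merely appears in the leak.

    This is what produces resets for people whose password was unique."""
    return {email.lower() for email, _ in leak if email.lower() in store}


def reused_credentials(store, leak):
    """Precise check: flag only accounts whose leaked plaintext verifies against
    the stored salted hash. Requires the leak to contain recoverable plaintext;
    a leak of hashes under another scheme cannot be compared this way."""
    flagged = set()
    for email, leaked_password in leak:
        record = store.get(email.lower())
        if record is None:
            continue
        salt, stored_hash = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_hash):
            flagged.add(email.lower())
    return flagged


if __name__ == "__main__":
    print("e-mail appears in leak:  ", sorted(emails_in_leak(USER_STORE, THIRD_PARTY_LEAK)))
    print("password actually reused:", sorted(reused_credentials(USER_STORE, THIRD_PARTY_LEAK)))
```

With these inputs the coarse check flags both seller_a and seller_b, while the precise check flags only seller_a. The precise check costs one key derivation per leaked row that names a local account, which is affordable for a breach list, and it never requires the service to hold or receive its users' plaintext passwords. When a leak contains only hashes from another site under a different salt or algorithm, no comparison is possible and the service is back to the coarse check, which is exactly the situation in which users with unique passwords get reset anyway.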

[=;708514]
I’m pretty sure that this is a precautionary action. A compromised email used with UE4 means a possible threat, so instead of waiting for problems they just reset passwords for such accounts. I doubt that Epic can compare a leaked plaintext/hashed password with your password and send a notification only if this matches. If they did that - then it would be a real problem.

However, if email was compromised then using same email for resetting UE4 account password seems… weird to say the least.
[/]

My email was never compromised though. And if this was a cautionary move, why only a select few? Other sellers said they never got this. Like @ mentioned my passwords are extremely long and complicated, not to mention totally unique per site.

I guess it’s a question of how they determined which accounts were ‘compromised’. I was not notified of anything, maybe it was a blanket list involved in the Unity breach? I for one have not signed up for anything regarding Unity.

[=;708770]
I guess it’s a question of how they determined which accounts were ‘compromised’. I was not notified of anything, maybe it was a blanket list involved in the Unity breach? I for one have not signed up for anything regarding Unity.
[/]

I have a unity account, but it has a completely different password AND email associated with it.

Hey all, just hopping in to give a short update: Looks like there are two things going on here, one instance pertaining to spoofing and another as outlined above (other leaked credentials being used to access Epic Games accounts). The team is still looking into this, and I’ll provide an update whenever I’ve got concrete info.

Thanks for your patience, everyone!

Thanks Chance, I’m just really happy that it’s been sorted out on my end, and it was resolved quickly to where my payments weren’t even delayed. Appreciate that.

Looking forward to getting all of this behind us, and hopefully some more security checks in place. If there’s anything we can do on our end, let us know; we’d be more than happy to help out in any way.

I and a few other sellers have personally ruled out leaked credentials being the case. (We used unique login credentials for Epic).

As far as spoofing is concerned, I can’t speak for anyone else but the email address associated with my Epic account is used very selectively and has never been publicized outside of the recent UE4 subscriber leak that just happened the other day with the May sale email. It’s worth noting that this event took place shortly after that leak. This seems more likely the cause given everyone was seemingly affected by this. I look forward to the conclusion on this investigation.

So, I woke up today to someone buying $500 worth of items on the Marketplace using my account. I would HIGHLY suggest you remove any info from your account and change all passwords. @PolyPixel3D they seemed to really like your stuff though, they bought 3 of your packs (don’t hate me if you see those sales refunded). :slight_smile:

I’m pretty paranoid about phishing scams and such, so I don’t think this breach was on my end - but I’ll wait and see what the Epic guys find out (I literally sent Chance a PM at 5am this morning so I’m sure they haven’t gotten in yet to check things out).