My acct was temporarily locked

I got an email today saying my account was temporarily locked due to multiple failed login attempts.

Here’s the thing though. I use a unique password for this account that is not used any place other than here. I had 2 factor enabled but did NOT get an email with a code sent to my email account. I was still logged in here on the forums when I opened them today.

I don’t remember enabling 2 factor but I must have. Why was no code sent on the very first login attempt?

I am having the same issue, and it is worrisome for a different reason: It represents a vulnerability in the Unreal Engine itself.

I have seen similar posts in other forums (which I am not allowed to respond to, because I am a developer and I don’t game on this account) and the general pattern seems to be that bots are cycling through accounts trying passwords at random hoping they will get in. There are multiple ways to enter passwords, so they probably are not even trying to use two-factor to login (because of course they would not be able to guess that), hence why you wouldn’t get a notification. In short, the account is secure. There’s no way someone could break into your account that way.

The real problem is that it technically means that anyone can shut down any account they like as often as they like simply by knowing the email address associated with the account. One could very easily, for example, program a bot to shut down an entire company that uses the Unreal Engine simply by knowing the email addresses that the company uses in association with the Unreal Engine. The bot would just need to make X failed attempts every 2 hours forever and they would no longer be able to proceed with any work. That’s a very VERY serious vulnerability with many possible solutions. I have seen bots do that with older systems and they really don’t want to be subject to that attack.

In order to resolve this issue they should first ensure that if someone has two-step authentication enabled, it doesn’t count a login attempt as an actual attempt if they are not trying to login that way. There is absolutely no reason to lock an account in this circumstance because even if they brute force you and eventually get it right it still would not actually let them into your account.

From there they need to fix the way the accounts are locked. My preferred approach is to use a combination of two approaches: In the first, the account is only locked within a geographic range. If, for example, someone half a world away tried to break into your account or - worse - tried to set a bot to perma ban you - it wouldn’t affect you. By itself that approach isn’t perfect though because a proxy or VPN could circumvent such protections and it wouldn’t otherwise protect you from an attacker in the same region. Still, it’s a useful layer of protection. The second approach is to keep a log of the last X IP addresses that were successfully used to login. In this case, if you successfully logged in at your home and office IP address and your account is locked it will remain unlocked for access attempts from those IP addresses. For an office with a static IP this would by itself be sufficient, but since most people get a new IP address every few days, and most people I know like to work from home, it means that if this approach is used by itself they could still get locked out when their IP address changes. Through a combination of the previous two approaches the system could at least minimize the risks.

Finally, I would change the email they send people that get locked out. The email says: “Feel free to contact us (accounts@unrealengine.com) if you need help.”, but if you write an email to that address you get an auto response that says: “Thank you for your email. This email address is not monitored. For support, please visit http://help.epicgames.com.”, but if you go there you will find that there is really no category whatsoever to assist with an account under attack. At most you can fill out a bug report form. Of course, you can’t even do that without being logged in. Since this technically affects my ability to access the marketplace I chose to use that email to contact them again, but overall the way they respond to these attacks is very unprofessional.

There are actually quite a few other protective measures they could take, but they at least did one thing right: They don’t reset the password. Another level of this type of attack is to force users to change their passwords repeatedly because on average a user will eventually use a password used elsewhere, and the attackers usually get your email from other compromised websites which means they usually have variations of the passwords you use to begin with. Of course, two-step verification does away with that concern, but who wants to be stuck changing their password every two hours indefinitely?

Another positive is that while they won’t let you create a new project while you are locked out, you can open existing projects as discussed here: “How to use unreal engine 4 offline?” (Community & Industry Discussion - Epic Developer Community Forums), but that will only get you so far (which is another issue entirely), but this of course doesn’t help affected gamers.

I’d really like it if someone in an official capacity could enlighten us as to how they plan to deal with this growing problem, or if they are just going to wait until higher profile developers are permanently locked out of their accounts to do something.
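One way to implement the combined policy proposed in the post above (a lock scoped to the source region, plus an exemption for the last few IPs that logged in successfully), added here as an example and not part of the original post or Epic's code. The threshold, list size, region codes and all names are assumptions; a trusted IP gets its own failure counter so it is shielded from other sources' failures but still throttled.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5          # assumed threshold; the thread only says "X"
LOCK_SECONDS = 2 * 3600   # two-hour lock, as reported in the thread
TRUSTED_IPS_KEPT = 3      # assumed size of the "last X IPs" list


class ScopedLockout:
    def __init__(self):
        self.failures = defaultdict(list)  # (account, bucket) -> failure times
        self.trusted = defaultdict(lambda: deque(maxlen=TRUSTED_IPS_KEPT))

    def _bucket(self, account, ip, region):
        # A trusted IP is counted on its own, so failures from elsewhere never
        # lock it, yet guessing from that IP is still throttled.
        if ip in self.trusted[account]:
            return (account, "ip:" + ip)
        return (account, "region:" + region)

    def is_locked(self, account, ip, region, now):
        key = self._bucket(account, ip, region)
        recent = [t for t in self.failures[key] if now - t < LOCK_SECONDS]
        self.failures[key] = recent
        return len(recent) >= MAX_FAILURES

    def record_failure(self, account, ip, region, now):
        self.failures[self._bucket(account, ip, region)].append(now)

    def record_success(self, account, ip):
        # Call only after the full login (password and second factor) succeeds.
        trusted = self.trusted[account]
        if ip in trusted:
            trusted.remove(ip)
        trusted.append(ip)  # newest last; the oldest entry falls off


def demo():
    # Constructed scenario: documentation-range IPs, made-up region codes.
    policy, acct = ScopedLockout(), "dev@example.com"
    policy.record_success(acct, "198.51.100.7")            # owner's home IP
    for i in range(MAX_FAILURES):                           # remote guessing
        policy.record_failure(acct, "203.0.113.%d" % i, "AP", now=i)
    return {
        "remote_region": policy.is_locked(acct, "203.0.113.99", "AP", now=10),
        "owner_home_ip": policy.is_locked(acct, "198.51.100.7", "EU", now=10),
        "owner_new_ip": policy.is_locked(acct, "192.0.2.44", "EU", now=10),
        "after_two_hours": policy.is_locked(acct, "203.0.113.99", "AP", now=4 + LOCK_SECONDS),
    }
```

As the post notes, the region scope alone can be sidestepped with a proxy or VPN, which is why it is paired with the trusted-IP list.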

I been getting this a ton as well… I just made a post about it. Ya I JUST got that reply as well…what nonsense… tired of being locked out of my account… I do this for a living, NOT for fun…Cmon Epic…give us proper protection, and support… Don’t be Like Unity…main reason I will be leaving Unity, I been using Unreal since the early days…This is crazy…

Same here, not surprising though, given the history of what has happened with the forums and the marketplace.

Got this a few days ago as well.

Hi,

I am joining the club as well. Ended up being locked out of my account this morning :(

same here. reporting the issue just returns “email address not monitored” response.

EDIT: but can login to my account in web browser and UE4 desktop client… how, if I’m locked out? I have just enabled 2-step verification prior to logging in, logged out of desktop client and logged back in with verification email just fine…

You can add me to the list, just had this a couple of minutes ago!

Same. Got this just now, and a few days ago.

I just got the same email myself. This is kinda disappointing but let’s see if there is a response or anything.

same… second time today…

Change your passwords and add 2FA if it’s not there already. A bit of googling led me to

got it just now

Someone managed to use my account and buy some V-coins for Fortnite a couple of days ago as well. This seems like a pretty serious issue right now and it is kinda sad to see the lack of response from Epic.

Changing a password wouldn’t do anything. The account is locked due to failed login attempts, meaning that it doesn’t matter what the password is. X failed login attempts by anyone trying to login to your account will soft ban you for two hours. Similarly, it even happens with 2FA because it apparently doesn’t stop someone from trying to login without that.

Well that’s unexpected. I wonder if it’s possible that they only lock down portions of the account?

Did you also get a similar message saying that your account has been locked? There are multiple ways of buying V-Bucks, so it’s possible some areas of your account were locked, but not others. If not, it’s more likely that you used the same password in more than one place and that the password used elsewhere was compromised. If so, my suggestion is to change that password ASAP and enable 2FA. While you are at it, change the password to your email as a precaution. Since you did not authorize the purchase, and since Epic won’t respond, I suggest filing a dispute with your credit card company over the fraudulent charge and DO NOT USE the V-Bucks at all. When filing the dispute, be sure to notate that you tried to contact Epic about the issue and were unsuccessful. Notate as well that the purchased item is still unused on your account and that you are willing to have that reversed on your account. Otherwise, if you use it and also try to dispute it that will probably get you into trouble.

For reference, here are the contact options available:

Same story here. I have secure passwords and 2FA is enabled, so I am not worried about actually being hacked. The problem is that the bots try again pretty much every two hours, so every time I login I have to create a new password to circumvent the lock-out. It’s getting extremely annoying and I can’t imagine the frustration of some developers right now. Why Epic hasn’t even introduced captcha is beyond me.

did all of that as well. does nothing account LOCKED, making a game right now and when I need to log in, I’m locked out…Disgraceful…no reply from Epic…You’re looking Like UNITY get your act in gear Epic!!

Well this is extremely insulting. After waiting for 12 days I finally got a response, and it was a canned response from someone who didn’t even read the email. I told them I am a developer, and that I can’t even buy assets because of how frequently my account is getting locked, and I listed off a series of ways that they could close the vulnerability, but this was all they would say:


Ormando wrote: Apr 03, 2018 03:27 PM
To You
Hello Elliander,

Thanks for contacting Epic Games Player Support.

The Epic Games Support structure is changing to better accommodate the growing population of players. Direct Support is centered around account and purchasing issues. For all other issue types, please check the linked resources.

Widespread Service outages and degradations can be monitored on the Epic Games Public Status Page (https://status.epicgames.com/).

Assistance with player-specific issues can be found at the following linked resources:
Bug Report (Fortnite de Epic Games)
Game Progression / Stats for Battle Royale (Fortnite de Epic Games)
Feedback for Battle Royale (Fortnite de Epic Games)

Submitting support tickets for the above-listed issues will slow response time.

Thank you for taking the time to share your feedback with us, and for being part of our Community! Please do not hesitate to contact us again if you have any further questions or concerns.

Case ID: 2913020


So when I contact them about account support, and wait 12 days, they basically tell me to F#@& off. Why would a platform DESIGNED for development not respond to DEVELOPERS when they are locked out?

At least you got a response. I didn’t even get that much about my account. I have to admit I am disappointed in the way things are being handled.

My account is not getting locked, but my mailbox is being spammed with two-factor sign-in code mails, so it seems someone got my password (which I now changed) and is trying to log in to my account.
The IPs in these mails are always different and from all over the world.

The email used for my Epic account cannot be found on sites like powned, so I am wondering where they got the login (I have a unique password for every site …)