
Epic: Your account security design is atrociously bad


    Originally posted by Amanda.Bott
    We encourage all folks to enable 2FA. This is a HUGE step in securing your account. The delayed emails you experienced this weekend were due to an issue with our email provider, which prevented you from receiving active codes. That issue has been resolved and the team is investigating offline MFA options to help get you back into your account in the event that the online options are failing.
    Glad to have come here to report a similar issue and already seeing a dialog about it. I tried enabling 2FA on my account, but when I attempted to log in from another computer, I never received the 2FA email, which left me unable to log in. I tried again for several days in a row without ever getting a verification code sent to me. I ended up having to go back to a computer I was already logged in on and disabling 2FA to get access. How can we use 2FA if we can't reliably expect Epic to send 2FA codes?


      I wrote up a detailed explanation to Unreal about how they could solve these problems, but they just don't care. Personally though, I am more concerned about the fact that their system is stupidly easy to exploit to shut down an entire studio. All you need is a login bot that repeatedly tries to log in to a set of accounts. So once you get a list of emails, you spam failed login attempts to lock their accounts. That's an old trick from the early '90s that's usually used to get people to reuse old passwords eventually, but it can be used as a sort of denial-of-service attack.

      Considering how frequently my account is locked I am fairly certain that bots are already in use, but I'm smarter about my passwords than most so the only real problem I get is that I get spammed by Unreal and there's no way to make them shut up.

      Both the login bot issue and the issue of compromised accounts would be easy to solve if they took one of my many suggestions. For example, suppose that if/when an account is locked, the IP address that you last used to log in successfully is allowed to have continued access. Logically, if the attacker had the correct password they wouldn't need to lock it anyway, so clearly the last successful login can be assumed to be from a valid user. In this case, it reduces the vulnerability to a login bot - and completely eliminates it for companies with a static IP address. It would be even better if they allowed the last, say, 3 IP addresses to remain active or let the user manually set a whitelist.

      From there, if the user could manually set their account to only allow access from certain geographical locations, it would prevent hacking attempts from outside that geographic area. The attacker shouldn't get anything more than the normal failed login attempt. This, of course, doesn't eliminate the possibility of someone in my geographic area compromising my account or of someone spoofing their IP, but generally speaking, if implemented correctly, the attacker wouldn't really know which geographic ranges would be correct. To further protect the account, it could be set to prevent you from blocking out your current geographic range and could be set to prevent that from being changed for X days. So if I set my location, I could say not to let anyone touch it for a year - not even me - so if my account is ever compromised, regardless, they can't lock me out.

      Lacking any of those fixes, how about lifting the login requirement to create projects and use purchased assets? It's great that I can use already created projects while locked out, but this always-on DRM clearly isn't working.

      Then again, I highly doubt Unreal will do anything whatsoever unless and until one of the larger studios that use Unreal is shut down by a malicious attacker abusing their vulnerabilities and then they get sued, which is even worse IMHO - it represents a callous disregard for real security.


      Now, in regards to Fortnite, what idiot thought it was a good idea to integrate a game with a development engine? Developer accounts should be totally separate. It's so bad that most of the contact emails for Epic are now unmonitored, and the few that are tend to focus on Fortnite, and when I contact them about development issues the first responses are always about Fortnite. There is no freaking way I will EVER play that game at this point, regardless of its merits, because doing so will probably make it even harder to be taken seriously. Why couldn't you guys just develop a separate client for that game? With a separate account system?
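      The lockout design sketched in the post above (failed attempts lock the account, but the last few addresses that logged in successfully keep access, plus a user-set network allowlist that cannot exclude the address you are using now and is frozen for a period once set) can be written down as a small policy object. The code below is an added illustration, not Epic's account system and not the poster's code; the account name, the addresses (all from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the "flood" of wrong passwords in `demo()` are constructed test input for the policy, and the thresholds are assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque


class AccountLockoutPolicy:
    """Lockout policy in which failed attempts from strangers cannot shut the
    legitimate user out. Assumed design for illustration, not a real system."""

    def __init__(self, max_failures=5, lock_seconds=900, trusted_ips=3):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(int)           # account -> consecutive failures
        self.locked_until = {}                     # account -> unix time the lock expires
        # Last N addresses that completed a successful login (the post's "last 3 IPs").
        self.trusted = defaultdict(lambda: deque(maxlen=trusted_ips))
        self.allowed_nets = {}                     # account -> [ip_network, ...]
        self.net_frozen_until = {}                 # account -> unix time the allowlist may change

    def _in_allowlist(self, account, ip):
        nets = self.allowed_nets.get(account)
        if not nets:                               # no allowlist configured: everything allowed
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def attempt(self, account, ip, password_ok, now=None):
        """Returns 'ok', 'locked' or 'invalid_credentials'. password_ok is the
        result of the real credential check, done elsewhere."""
        now = time.time() if now is None else now
        # Outside the allowlist: answer exactly like a wrong password and do not
        # count toward lockout, so an outsider learns nothing and cannot lock the account.
        if not self._in_allowlist(account, ip):
            return "invalid_credentials"
        trusted = ip in self.trusted[account]
        if self.locked_until.get(account, 0) > now and not trusted:
            return "locked"                        # lock applies only to untrusted addresses
        if password_ok:
            self.failures[account] = 0
            if not trusted:
                self.trusted[account].append(ip)   # oldest trusted address drops off
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.failures[account] = 0
            self.locked_until[account] = now + self.lock_seconds
            if trusted:                            # repeated failures from a trusted address
                self.trusted[account].remove(ip)   # cost it its exemption
        return "invalid_credentials"

    def set_allowed_networks(self, account, cidrs, current_ip, freeze_days, now=None):
        """Owner-configured allowlist: must contain the address in use now, and
        once set it cannot be changed again until the freeze expires."""
        now = time.time() if now is None else now
        if self.net_frozen_until.get(account, 0) > now:
            raise PermissionError("allowlist is frozen")
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        if not any(ipaddress.ip_address(current_ip) in n for n in nets):
            raise ValueError("allowlist must include the address you are using now")
        self.allowed_nets[account] = nets
        self.net_frozen_until[account] = now + freeze_days * 86400


def demo():
    """Constructed scenario: the owner logs in from the studio address, then a
    burst of wrong passwords arrives from an unrelated address."""
    acct = "dev@example.com"                       # constructed account name
    p = AccountLockoutPolicy(max_failures=3, lock_seconds=900)
    t0 = 1_700_000_000
    results = {}
    results["owner_login"] = p.attempt(acct, "203.0.113.10", True, t0)
    for i in range(3):                             # three wrong passwords from a stranger
        results["flood"] = p.attempt(acct, "198.51.100.7", False, t0 + i)
    # Account is now locked for untrusted addresses, even with the right password...
    results["stranger_after_lock"] = p.attempt(acct, "198.51.100.7", True, t0 + 10)
    # ...but the last successful address still gets in.
    results["owner_during_lock"] = p.attempt(acct, "203.0.113.10", True, t0 + 10)
    # Owner restricts the account to the studio's network for a year.
    p.set_allowed_networks(acct, ["203.0.113.0/24"], "203.0.113.10", 365, t0 + 20)
    results["outside_allowlist"] = p.attempt(acct, "192.0.2.5", True, t0 + 30)
    try:                                           # nobody, owner included, can move it yet
        p.set_allowed_networks(acct, ["192.0.2.0/24"], "192.0.2.5", 1, t0 + 40)
        results["change_while_frozen"] = "allowed"
    except PermissionError:
        results["change_while_frozen"] = "frozen"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Failures are counted per account, not per address, so rotating source addresses on every attempt still triggers the lock; what the trusted set changes is that the lock no longer reaches the addresses the real user actually logs in from. The obvious caveat is that a trusted address is only as specific as the network behind it: a shared office NAT or a mobile carrier pool extends the exemption to everyone behind it, which is why the allowlist setter refuses to let the owner lock out the address they are currently using and why the freeze exists.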


        What if someone uses a different IP in every login?
        Last edited by EvilCleric; 06-02-2018, 02:58 AM.
        "I have harnessed the shadows that stride from world to world to sow death and madness."


          Hey Epic, if possible can you add an option to use Google Authenticator for Android/iPhone for 2FA? It produces a seeded random set of 6 numbers generated from a unique code for each user's account as an authentication code, which changes (expires) every 30 seconds. I use it for about a dozen other websites with 2FA, it works really well, and it would be nice to have an option to use it instead of email for 2FA on Epic accounts.

          My account was hacked here and on twitter shortly afterwards a few months ago during the time I was away and I too was receiving emails similar to the OP. Thankfully no harm was done, but it could have been a nightmare cleaning up the mess on the forums if they realized I was a moderator. My email now shows up as Pwnd on this site, which is annoying but I'm not getting much spam so I don't know whether to stop using it completely or not. Since then I have been going OCD overkill on security both here and all my other accounts, changing long passwords monthly and never reusing a password for any other sites. It's a pain but worth it in the long run.

          I would like to change my email address attached to this account though, so I will be sending a request from the support request page to fix that. If anyone else is having account issues use that link to report it to Epic Support. It says Fortnite, but it's for UE4 support too, just select "PC/Mac" from the Fortnite Game Platform combo-box, select a random Game Mode, and then use "Account Security Issue" option for Game Issue.
          Last edited by DotCam; 06-02-2018, 06:41 PM.
          Free Community Ocean & Sky Project || Join us on Discord! || Trello Roadmap
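          The authenticator-app codes requested above are standard TOTP (RFC 6238), which is HOTP (RFC 4226) with the counter replaced by the number of 30-second steps since the Unix epoch; the "unique code for each user's account" is a shared secret the server generates at enrollment and hands over as a base32 string or QR code. The snippet below is an added illustration of that mechanism, not Epic's code and not DotCam's; the issuer and account names are placeholders, and the only real-world values in it are the RFC 4226 test secret (the ASCII string `12345678901234567890`) used to check the implementation against the published vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step); a new code every step."""
    return hotp(secret, int(at) // step, digits)


def new_secret_b32() -> str:
    """Enrollment: a fresh 160-bit shared secret, base32 for QR/manual entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """otpauth:// URI of the kind authenticator apps scan from a QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits=6&period=30")


class TotpVerifier:
    """Server side: tolerates +/- `window` steps of clock drift between phone and
    server, and refuses to accept a step that has already been used (replay)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = base64.b32decode(secret_b32)
        self.window, self.step, self.digits = window, step, digits
        self.last_counter = -1                     # highest step accepted so far

    def verify(self, code: str, at: float = None) -> bool:
        at = time.time() if at is None else at
        counter = int(at) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:             # already consumed: block replay
                continue
            # constant-time compare so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


# RFC 4226 test secret, base32-encoded, for checking against the published vectors.
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = base64.b32encode(RFC_TEST_SECRET).decode()


if __name__ == "__main__":
    secret_b32 = new_secret_b32()
    print(provisioning_uri("ExampleIssuer", "dev@example.com", secret_b32))  # placeholder names
    now = time.time()
    code = totp(base64.b32decode(secret_b32), now)
    print("current code:", code, "accepted:", TotpVerifier(secret_b32).verify(code, now))
```

Because the secret never leaves the two parties after enrollment, code delivery does not depend on an email provider, which is the failure mode described earlier in the thread. The server must still keep its clock roughly in sync (the drift window covers about a minute either way), store the secret as carefully as a password hash, rate-limit guesses (a six-digit code is only a million possibilities), and reject any step it has already accepted, which `last_counter` does.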