MAJOR Security Compromise Issue!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    MAJOR Security Compromise Issue!

    Since the staff pulled out of Discord recently I felt it necessary to post this here so that they can become aware of this.

    PolyPixel reported on Discord the other day that his account was compromised, and that his payout information was changed. He initially assumed he was the victim of hacking, but today informs us that it was Epic who granted this individual control over his account. According to him, someone asked Epic support to change the email address of his account and then proceeded to modify his account details. This is a SERIOUS offense, as the seller portal which they were able to gain access to contains our banking, tax and address information.

    And if that isn't troubling enough, my question is how did Epic allow a total stranger to change his email to theirs through support without going through any verification of identity? He was only alerted to it after seeing Epic emails claiming to have completed his requests - when he made none. It cannot be overstated how serious this is, to allow someone access to sensitive personal information like this. On a somewhat related note, just the other day it was reported that the May Day sale email didn't BCC the recipient list, and apparently everyone who received the email had their address revealed. I personally didn't see this on my end, but several others have confirmed it on theirs.

    Something needs to be done to protect user accounts better than they are right now, especially seller accounts as they contain very sensitive information. This is completely unacceptable.

    Here are screengrabs of the discord conversations for reference:

    [Screenshot: Pic1.png]

    [Screenshot: Pic2.jpg]

    @Adam Davis; @Smarkoff; @Chance Ivey

    Simulacrum Game | Play The Alpha | Caldera Entertainment | Twitter | ArtStation

    #2
    This is definitely troubling. I can also confirm that the emails of those in the May Flash sale were revealed.

    Another thing, TWO-FACTOR AUTHENTICATION. Why is part of my livelihood only able to be protected by a password? Especially with the security breach the forums had not too long ago?
    Marketplace Assets

    Advanced Mobile Input: Marketplace Page | Support Thread ――― Easy Input Remapping: Marketplace Page | Support Thread
    Multiplayer Blueprint Chat System: Marketplace Page | Support Thread ――― Closing Credits System: Marketplace Page | Support Thread
    Minesweeper Template: Marketplace Page | Support Thread ――― Maze Creator: Marketplace Page | Support Thread



      #3
      This is not good, there should be a better verification process in place.
      Assets: Military Ammunition (Released)
      Plugins: BlueManBPFunctionLibrary C++ plugin (Free), Blue Man Vehicle AI Plugin (Released), Air Resistance C++ Plugin (WIP), Blue Man Vehicle Physics Plugin (Marketplace)
      Projects: Giants Of Destruction



        #4
        just.. wow.



          #5
          Posting a link in the moderation forum to bring this to attention quickly.

          I agree that two-step verification should be added as a priority if possible, it's far too easy to brute force into an email account these days.
          Last edited by TheJamsh; 05-09-2017, 04:22 AM.



            #6
            Originally posted by TheJamsh View Post
            Posting a link in the moderation forum to bring this to attention quickly.

            I agree that two-step verification should be added as a priority if possible, it's far too easy to brute force into an email account these days.
            Thanks. Two-step verification can help with logging in, but there also needs to be something done when dealing with support via email. This gentleman's email wasn't hacked; this was an error with person-to-person contact that could have been avoided if some basic measures had been taken to verify the identity of the individual claiming to be PolyPixel, whether it's security questions, text/phone verification, etc.

            Simulacrum Game | Play The Alpha | Caldera Entertainment | Twitter | ArtStation



              #7
              Originally posted by TheJamsh View Post
              Posting a link in the moderation forum to bring this to attention quickly. I agree that two-step verification should be added as a priority if possible, it's far too easy to brute force into an email account these days.
              Originally posted by Jamendxman3 View Post
              Another thing, TWO-FACTOR AUTHENTICATION. Why is part of my livelihood only able to be protected by a password? Especially with the security breach the forums had not too long ago?
              2-factor is getting easier to side-step too / just another attack vector. Some type of 3rd factor is needed etc!
              Also, account impersonation / reset has always been a huge industry problem / still even affects mega corps!

              Originally posted by SE_JonF View Post
              On a somewhat related note, just the other day it was reported that the May Day sale email didn't BCC the recipient list, and apparently everyone who received the email had their address revealed.
              Related to that: one of the less-smart things about Unreal-Slack imo, was that everyone's email was visible.
              WTF???.... When the switch-over to Discord happened, does anyone know if this was ever addressed etc....
              BTW: The Roadmap showed discontent with Epic interacting less. So why this: 'staff pulled out of Discord'?



                #8
                Hey all, multiple teams at Epic investigating this, will keep you informed with our findings as we get em!
                Let's Connect [Twitter]



                  #9
                  Originally posted by SE_JonF View Post
                  Thanks. Two step verification can help with logging in, but there also needs to be something done when dealing with support via email. This gentleman's email wasn't hacked, this was an error with person to person contact that could have been avoided if some basic measures were taken to verify the identity of the individual claiming to be PolyPixel. Whether it's security questions, text/phone verification, etc.
                  I'm unsure that this is the case at this point, but we'll let everyone know what we find out ASAP.
                  Let's Connect [Twitter]



                    #10
                    Originally posted by franktech View Post
                    Related to that: one of the less-smart things about Unreal-Slack imo, was that everyone's email was visible.
                    WTF???.... When the switch-over to Discord happened, does anyone know if this was ever addressed etc....
                    BTW: The Roadmap showed discontent with Epic interacting less. So why this: 'staff pulled out of Discord'?
                    Both Unrealslackers and the Discord channel are community-run by an excellent member of our community. While we have spent time in there in the past (and some of us still chat with devs there), it's not an official channel for support and provided inconsistent experiences with the Epic team and Marketplace vendors.
                    Let's Connect [Twitter]



                      #11
                      Why not use tokens for sellers?
                      Like the blizzard authentication token? What sucks more, getting robbed, or, being the company at fault for someone being robbed?
                      Founder and CEO of Angry Penguin Studio, LLC
                      Dallas, TX USA
                      https://www.facebook.com/AngryPenguinStudios



                        #12
                        Originally posted by Jamendxman3 View Post
                        This is definitely troubling. I can also confirm that the emails of those in the May Flash sale were revealed.

                        Another thing, TWO-FACTOR AUTHENTICATION. Why is part of my livelihood only able to be protected by a password? Especially with the security breach the forums had not too long ago?
                        Two factor is the way.
                        VFX Artist
                        Portfolio: Here



                          #13
                          Originally posted by Chance Ivey View Post
                          I'm unsure that this is the case at this point, but we'll let everyone know what we find out ASAP.
                          <_< like Epic would publicly mention that someone just changed someone's email/login/etc.
                          Stocks would plummet.



                            #14
                            It's highly disturbing that someone working for Epic would just go along with such a request. Of course, as Luos alluded to, we will never get the full truth from Epic, so it is very important we all keep a close eye on our accounts and take steps to protect ourselves.

                            Check out my discord -> https://discord.gg/kQdVwJ3

                            Follow us on twitter to get updates on new products and special offers -> https://twitter.com/BlackFangTech

                            Black Fang Technologies' products -> https://www.unrealengine.com/marketp...20Technologies



                              #15
                              A few updates here:

                              Scope
                              We believe we've tracked this down to a group responsible for collecting and sharing millions of credentials from other sites, which is using that information to gain access to email accounts and other logins where the same username/password is reused. Epic accounts have not broadly been compromised, and only a handful of people have been affected at this time.

                              PolyPixel
                              I stand corrected here. Our accounts team received a request from the email associated with the account and made the change. From what we can gather, that email account was compromised and was used to send that message to us to make the change. We're investigating what we can do to better verify account holders' information when these sorts of things are requested; however, no solution is bulletproof when the information is compromised elsewhere and presented to us in a virtual manner. We are, however, looking into what we can do!

                              Steps We're Taking
                              Multi-factor authentication is something on our roadmap for logins and is on target to come online sometime this year. Keep an eye out for more updates regarding this.

                              Good Practices For Securing Accounts
                              We encourage everyone to build unique passwords for each site that you use in the event that data is breached and shared. Also, it's a great idea to add MFA to any email account associated with other logins in order to mitigate vulnerability.

                              Of course, as Luos alluded to, we will never get the full truth from Epic
                              We treat situations regarding information and hacking extremely seriously and strive to remain as transparent as possible as we unwrap a situation. This has been the case and will continue to be the case.

                              Investigation continues!
                              Let's Connect [Twitter]
