The Impact of Data Breaches in Game Development26 Nov 2019
The following is a guest article by Olivia Scott, a cybersecurity enthusiast at VPNpro.com.
Playing games may be stressful, but it shouldn’t have negative consequences on lives in the real world. However, there is evidence that gaming hasn’t been able to avoid the wave of cybercrime plaguing every digital industry nowadays.
From the Zynga data breach to Fortnite phishing, multiple scandals have shone a light on security issues in the gaming industry. This article will try to get to grips with what these attacks mean for developers and gamers alike – and how we can respond before the situation becomes critical.
Understanding the 2019 Zynga Data Breach
For over a decade, Zynga could point to “Words With Friends” as a major success story. After all, the Scrabble-style mobile game had attracted over 200 million users worldwide. Cleverly exploiting the propensity of social media users to show off their vocabularies, and easy to pick up and play, Words With Friends was a hit with Facebook, tablet, iOS, and even Kindle Fire users.
The game’s popularity helped to drive Zynga revenues into the stratosphere, reaching $306 million in the second quarter of 2019, and it added a sequel to the mix in 2017, helping to foster even more interest.
But had Zynga reached too far, too soon? In a cautionary tale that all mobile game developers should know, Zynga’s fortunes took an unfortunate turn in September 2019, when news surfaced of a data breach associated with Words With Friends.
Apparently, the Gnosticplayers hacking collective had managed to break through Zynga’s security, allowing them to steal details on over 200 million user accounts. As the Pakistani group reported, it had been able to harvest user names, email addresses, real names, phone numbers, Facebook IDs, hashed SHA1 passwords, and any requested password reset tokens.
Admittedly, since then, Zynga has tried to be proactive in their response – a commendable approach often lacking in other industries.
Is Zynga a One-Off Problem that Won’t Happen Again?
The question for other games developers may be: “was Zynga unique, and should we worry about our own defenses?” As we’ll see, this is the wrong question to ask, and there’s no lack of evidence that Zynga is far from alone in leaving openings for cybercriminals.
Earlier in 2019, researchers at Kaspersky uncovered another can of worms for game developers to worry about. According to their findings, hackers had been able to implant malware into Microsoft Visual Studio tools that many developers rely on.
When developers used these compromised versions of Visual Studio, malicious code would be included within their games, regardless of whether they were digitally signed or not. This kind of “upstream” malware attack short circuits standard authentication processes, compromising games during the development phase, and a number of developers have been affected.
We know that Infestation by Electronics Extreme was successfully targeted, along with Zepetto’s PointBlank, but researchers see these cases as the “tip of the iceberg.”
Then there are known flaws in massive titles like Fortnite. In some cases, phishers have used obsolete Epic Games webpages as the basis for attacks, giving them access to user accounts, and even their webcams.
In truth, the threats to gaming developers and the gamers they serve are multiple, diverse, and very hard to counteract. And at the same time, they aren’t always taken as seriously as they should be.
How Can Developers Tighten Their Security Systems?
This leads us back to the question of whether developers should tighten their defenses. With so many hackers increasingly seeing developers as suitable targets, it seems irrefutable that companies should take action promptly to protect their code and user databases.
But how can developers minimize the risk of a catastrophic data breach? Well, there’s a lot developers can do on the ground.
With upstream or supply chain attacks, the problem is different. In that case, developers need to lock down their malware detection systems, update their software regularly, and pay attention to updates from security experts when supply chain attacks are detected.
The Fortnite attacks exposed another weakness that developers have to think about – tidying up their online assets to ensure that it is as hard as possible to pose as legitimate operators when launching phishing attacks. If Epic Games had been more professional in deleting obsolete pages, the task of the attackers could have been far tougher.
However, there’s a larger truth here that needs to be considered. These attacks on gaming developers are to be expected given the general cybersecurity climate.
With that in mind, developers will have to reassess their cybersecurity practices on a root and branch basis. Otherwise, attacks will continue, upstream, downstream, or in the middle of a Fortnite battle. And when that happens, it could be game over for companies who haven’t found a solution.
IGDA recently met with a group of women from...
5 Oct 2021
Greetings, IGDA and other members of the game industry,...
4 Oct 2021
On the 27th of September, the IGDA held our...
IGDA29 Sep 2021