Davey Winder

, 500,000 Activision Gamer Accounts May Be Affected By Credential Stuffing
Possible credential stuffing attack could have affected 500,000 Activision gamer accounts © 2018 BLOOMBERG FINANCE LP

According to reports, more than 500,000 Activision accounts may have been hacked with login data being compromised. The eSports site Dexerto has reported that a data breach occurred on Sunday, September 20. The credentials to access these accounts are, Dexerto said, being leaked publicly, and account details changed to prevent easy recovery by the rightful owners. Activision accounts are mostly used by players of the hugely popular Call of Duty franchise.

“This is a substantial breach,” Martin Jartelius, CSO at Outpost24, said, “in parts, the clean-up will be a large undertaking for Activision, we can only hope backups allow restoring original contact data, resetting access and managing the users who still cannot regain access which should be a smaller group.”

Several eSports and gaming accounts on Twitter have also reported the suspected breach. The first was @Okami, founder of Respawnable, who tweeted, “It’s legit,” adding that players should change their account passwords immediately.

Changing your password, if you still have access to your account, is vital, as is changing passwords at any other site or service where you use the same password. This should be to something long and strong, the use of a password manager will help you here.

This kind of mass account takeover is often associated with credential stuffing attacks where shared passwords from other compromises are used. It’s too early to say that is the cause here, however, and we will likely have to await for Activision to add some clarity.

In the meantime, I would normally recommend that you should also activate two-factor authentication (2FA) if you hadn’t before. However, it appears that this isn’t an option on Activision accounts.

“This breach is yet the latest instance that confirms how important it is to set up two-factor or, better, multifactor authentication (MFA),” Chad Anderson, a senior security researcher at DomainTools, said, “it is unfortunate that Activision didn’t set up this extra security measure, as it would have prevented bad actors from being able to access users’ accounts, effectively making the leaked credentials useless to cybercriminals.”

“Many games require accounts to be created to play online,” Javvad Malik, a security awareness advocate at KnowBe4, said, and for many players, this is such a trivial affair that “not much thought is given to security.” Which is, of course, why they are, as Malik noted, an appealing target for anyone “looking to compromise large numbers of accounts quickly.”

Dean Ferrando, a lead systems engineer (EMEA) at Tripwire, added that such breached accounts provide “a goldmine for malicious actors intending to plan further attacks – be it phishing or otherwise.”

This remains a developing story. I have reached out to Activision but have not had an official statement as of yet. If that changes, I will update this article as soon as is possible.