Top 5 Privacy & Tech Scandals in Gaming

The gaming industry brought in revenues of almost $138 billion in 2018, and it’s projected to reach $152.1 billion in 2019. And you know what that means – cybercriminals also want a piece of the proverbial pie. Most of these scandals are relatively recent, so here’s what happened:

1. Zynga Breach, September 2019

Say what you will about mobile gaming, but there’s no denying that it’s a huge market right now. One of the bigger players, Zynga (yeah, the Farmville people), just experienced a data breach that exposed over 218 million people’s data across iOS and Android.

The main users affected by the breach were players of “Words with Friends” who signed up and installed it before the 3rd of September. However, Gnosticplayers (the hacker involved in the breach) presumably also accessed over 7 million users’ clear-text passwords for a couple of other Zynga games: “Draw Something” and “OMGPOP,” the latter of which is now discontinued.

In any case, this is what data Gnosticplayers managed to steal, according to The Hacker News:

  • Names
  • Email addresses
  • Login IDs
  • Passwords, salted and hashed with SHA1
  • Password reset tokens (if ever requested)
  • Phone numbers (if provided)
  • Facebook IDs (if connected)
  • Zynga account IDs

You may have heard of Gnosticplayers from the fact that he’s exposed almost one billion accounts so far, from such services as MyFitnessPal, GfyCat, MyHeritage and Dubsmash, among others. Statistically, you were probably affected too – so don’t forget to switch up your passwords every once in a while.

2. Epic Games/Fortnite, Late 2018 – 2019

Epic Games haven’t had a great year, at least in some aspects. For one, they’ve continuously drawn the ire of people for their aggressive exclusivity deal-making, especially in the case of games backed on Kickstarter (see the Shenmue III controversy).

Then, there were the accusations of having Chinese-backed spyware in their software, due to Chinese conglomerate Tencent owning 40% of Epic Games. The accusations were dismissed by CEO Tim Sweeney in the same Reddit thread that sparked the discussion, backed by a technical explanation from Epic’s VP of Engineering, Daniel Vogel.

Vogel admits that their software created “an encrypted local copy of [the user’s] localconfig.vdf Steam file” without their permission. For reference, the data contained in the file included users’ complete Steam gaming history and friends list.

Of course, some users claimed the copy wasn’t encrypted at all (or at the very least that the encryption method used was weak). Others mentioned that their code bypassed a Steam API that allows third parties access to (some of) this information.

But the real story here is the flaw in a login system that could have affected millions of Fortnite players’ accounts. And perhaps the origins of public distrust in Epic Games’ privacy and security standards (aside from the fair share of Tencent-owned company stock).

The vulnerability, according to Check Point Research, would allow hackers full control over the victims’ accounts. You can find the full technical details of the attack method right here. Epic Games now face a class-action lawsuit for this data breach.

3. Magic: the Gathering, November 2019

Wizards of the Coast (WotC) were dealt a huge blow when UK cybersecurity firm Fidus Information Security found that one of their database backups had been left exposed since at least September. What made it worse was that it was stored unencrypted on an Amazon Web Services storage bucket, with no password in place.

This means the following info was leaked with little to no protection:

  • Player names and usernames of 452,634 users
  • Email addresses (including 470 from WotC staff)
  • Hashed and salted user passwords
  • Date and time of account creation

A WotC spokesperson stated they have no reason to believe the data was accessed by any malicious third parties, though TechCrunch did mention they received no proof of this claim.

4. Xbox Caught Spying… Again, August 2019

Concerns about potential Xbox One audio spying through the included Kinect weren’t surprising, considering Microsoft’s track record with Windows 10 alone. Oh, and the fact that the NSA was already spying on people with the previous Kinect through Xbox Live – years ago.

After widespread media coverage, Google, Apple, and Facebook stopped using human contractors to transcribe audio captured from their services. Amazon would offer users the choice to opt out. Following a report from Vice, Microsoft updated its privacy policy to say that humans may listen in on recordings from their products to improve their machine learning capabilities.

They also created a special page in their Privacy settings where users can delete those audio recordings. The tech giant later updated Vice on the issue, saying that they no longer review Xbox audio.

5. Hacker Disconnects Users from PSN, Late 2018

For all the gloom and doom regarding data breaches and spying, there are some cases in which you can at least find some humor. Like this one, where a teenage hacker going by the name “SpangeBaab” would disconnect users from the PSN for “disrespecting him.”

Because they were using the peer-to-peer voice chat system, all he needed to do was:

This one is more of an ongoing problem with DoS attacks (on more systems than just PSN) that isn’t likely to be fixed due to the massive expenses involved. Thankfully, you still have options to protect yourself from suspicious disconnects during online matches.

The main solution is using a Virtual Private Network (VPN), which replaces your real IP with the one from the VPN server you’re connecting to. Hackers trying to DoS you will instead be attacking the VPN server itself, which already has protections in place for such cases. Using a VPN when you’re gaming is exactly what you need to prevent these kinds of attacks from happening and ruining your relaxation time.