Cyber-Attackers Are Making Phony Epic Games Accounts With Other People's EmailsApr 13, 2019
For months, an unspecified number of users trying to register an account with Epic Games have found that their e-mail addresses were somehow already linked to accounts. Today, Epic Games told Kotaku that the culprit is an ongoing cyber attack and that the company is working to delete those accounts, though they would not say how many people were affected.
"I recently went to create an Epic Games account," a tipster named Ed wrote in an e-mail last week. "And I found that I already had an account. I never made an account." Ed went on to detail how an account using his e-mail address was registered in Thailand. It was the same e-mail he had used on his Xbox account. After going online, Ed noticed that dozens of other users had complained of this on the Epic Games forums and on Reddit. It had happened to one of his friends, too. In a screenshot Ed shared, his friend's username appeared as tNpPldH7g--total nonsense.
Epic Games notes in an "account linking" FAQ that an e-mail address can only be associated with one Epic account. On the Epic Games forum, one concerned parent wrote last June that their son wanted to link his PlayStation Network account to his Epic Games account so he can play Fortnite on his PS4, however, when they tried, they received the error message "Failed to link account. Already associated with a different account." Commenters with the same problem went on to note that that they had difficulty receiving a straight answer from Epic about what was going on.
Over e-mail today, Epic Games explained. "We recently discovered an ongoing attack which is creating Epic accounts using known email addresses via a botnet spanning over 500,000 machines," a spokesperson said. "We are in the process of deleting those accounts and are adding further verification steps to account creation."
It's not clear why these cyber-attackers would want to create Epic accounts based on other people's email addresses. Kotaku reached out to two former Fortnite account hackers to ask why somebody would create Epic accounts in this way. Neither could explain.
Today, news broke on Reddit that some details for about 600 Epic Games accounts were leaked online as plain text. When Kotaku asked whether Epic Games' account linking issue was associated with this leak, a spokesperson pointed us to Epic's response to the initial Reddit thread, from an Epic engineer: "The account system powering Epic Games store and Fortnite have not been compromised. Specific individual accounts have been compromised as a result of numerous automated attempts by hackers to try to log in to Epic Games accounts using email/password combinations leaked through security breaches on other web sites." The incidents do not appear to be linked.