One of the most common subject of complaints about the Epic Games Store is account security, raging from reasonable concerns over hacked Fortnite accounts to conspiracy theory nonsense about Tim Sweeney conducting espionage on behalf of the Chinese government. Perhaps to assuage some of those fears, Epic has posted a new Account Security bulletin "on the present and future of security features and practices we use to protect your account," that also contains a few tips on how to keep your account secure.
Most of the advice is well-established stuff: The update says the account system used in Fortnite, the Epic Games Store, and the Unreal Engine has never been compromised, for instance, but individual accounts have been hacked through leaks from other sites, so be sure to use a unique password for every account (at least those you care about). Also ensure that multi-factor authentication is enabled: Epic currently supports email and app-based MFA, and SMS-based authentication is on the way.
Email verification for new accounts is coming "in the near future," and yes, it seems a little strange to me too that the feature wasn't implemented long ago. Its importance is highlighted by a recent botnet attack in which known email addresses were used to create millions of inactive, and invalid, Epic accounts. Epic is currently working to remove those accounts, and in the meantime if you register for the platform and find that an account attached to your address already exists, you can claim it via the password reset option. Until the automatic system is in place, you can manually verify your Epic account email address here.
Epic said it monitors for email address and password combinations that have "publicly leaked from other sources," and automatically locks accounts when they're used to log in. It has also begun comparing new passwords with Have I Been Pwned to ensure that people aren't using well-known passwords to secure their accounts.
"Epic’s account system detects many forms of account compromises, and we’re working to add new forms of detection. If your email address is verified and we detect that your account has been compromised, we lock the account to prevent further access and immediately begin the email password-reset process," the update says. "Throughout 2019, we will be adding additional detection methods to identify attacks and prevent them from succeeding."
Sweeney took to Twitter last week to debunk conspiracy theories about spyware in the Epic Games Store client and the company's connections to the Chinese government.