Electronic Arts has confirmed reports that a number of "high-profile" FIFA Ultimate Team accounts have been taken over by hackers, who were able to "exploit human error within our customer experience team" in order to bypass two-factor authentication.
The original takeover reports surfaced last week via Eurogamer, which noted that several top FUT traders had reported their accounts had been taken over and stripped of FIFA points and coins. According to the report, the attackers, using gamertags taken from FIFA leaderboards, were able to convince EA support staff that they were in fact the proper owners of the accounts. The reps then revealed the email addresses attached to the gamertags and reset the passwords on the accounts, enabling the attackers to log into the accounts and strip them.
Just got hacked boys, finally people can stop blaming me for the hacks xD I plan to take legal action, they gave my account to a random person via the live chat, a clear breach of data protection laws. Was a fun ride, see u guys in 23 I guess ❤️ (January 5, 2022)
This hacking thing has really pissed me off. I did a good comparison on stream today. It's like I've locked all my work tools to do my job in my work van. Only for the van company to go ahead and hand the keys to a random person on the street without informing me. Fuming. (January 2, 2022)
After investigating the claims, EA has now confirmed that it is responsible for the security failure.
"Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques," EA wrote. "Utilizing threats and other 'social engineering' methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to other player accounts."
EA currently estimates that fewer than 50 accounts have been taken over in this fashion, and it is now working to figure out who the proper owners are, and to restore all stolen content. It also promised that steps will be taken to ensure this sort of thing is less likely to happen again in the future.
- All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.
- We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.
- Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.
It also warned that these new steps "could impact customer experience wait times"—make them longer, in other words—but added that they are necessary to ensure better account security.
The reaction to the changes amongst FUT fans on Reddit seems generally positive so far: Longer wait times for support requests aren't great, but neither is the idea that some smooth talker can make off with your account credentials if they connect with a sufficiently inattentive support rep. The situation isn't fully resolved yet, though.
"Really happy to see this, this SHOULD prevent future victims from getting hacked," FUT Donkey, whose account was hacked last week, tweeted. "Now my question is what are you gonna do for us who got hacked? I've not heard a single word from EA since I got hacked. Are we ever getting our coins back?"
And there may be repercussions beyond FUT itself: NickRTFM lauded the account security changes on Twitter but added that someone is now using his leaked personal details to apply for credit in his name.