EA confirms FIFA accounts were hijacked because of 'human error'


Electronic Arts has confirmed reports that a number of "high-profile" FIFA Ultimate Team accounts have been taken over by hackers, who were able to "exploit human error within our customer experience team" in order to bypass two-factor authentication.

The original takeover reports surfaced last week via Eurogamer, which noted that several top FUT traders had reported their accounts had been taken over and stripped of FIFA points and coins. According to the report, the attackers, using gamertags taken from FIFA leaderboards, were able to convince EA support staff that they were in fact the proper owners of the accounts. The reps then revealed the email addresses attached to the gamertags and reset the passwords on the accounts, enabling the attackers to log into the accounts and strip them.

After investigating the claims, EA has now confirmed that it is responsible for the security failure.

"Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques," EA wrote. "Utilizing threats and other 'social engineering' methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to other player accounts."

EA currently estimates that fewer than 50 accounts have been taken over in this fashion, and it is now working to figure out who the proper owners are, and to restore all stolen content. It also promised that steps will be taken to ensure this sort of thing is less likely to happen again in the future.

  • All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance. 
  • We are implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.
  • Our customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.    

It also warned that these new steps "could impact customer experience wait times"—make them longer, in other words—but added that they are necessary to ensure better account security.

The reaction to the changes amongst FUT fans on Reddit seems generally positive so far: Longer wait times for support requests aren't great, but neither is the idea that some smooth talker can make off with your account credentials if they connect with a sufficiently inattentive support rep. The situation isn't fully resolved yet, though.

"Really happy to see this, this SHOULD prevent future victims from getting hacked," FUT Donkey, whose account was hacked last week, tweeted. "Now my question is what are you gonna do for us who got hacked? I've not heard a single word from EA since I got hacked. Are we ever getting our coins back?"

And there may be repercussions beyond FUT itself: NickRTFM lauded the account security changes on Twitter but added that someone is now using his leaked personal details to apply for credit in his name.

Andy Chalk
