Possible credential stuffing attack could have affected 500,000 Activision gamer accounts
According to reports, more than 500,000 Activision accounts may have been hacked with login data compromised. The eSports site Dexerto has reported that a data breach occurred on Sunday, September 20. The credentials to access these accounts are, Dexerto said, being leaked publicly, and account details changed to prevent easy recovery by the rightful owners. Activision accounts are mostly used by players of the hugely popular Call of Duty franchise. Several eSports and gaming accounts on Twitter have also reported the suspected breach. The first was @Okami, founder of Respawnable, who tweeted, "It's legit," adding that players should change their account passwords immediately.
However, an Activision spokesperson issued the following statement on September 22:
"Activision Call of Duty accounts have not been compromised. Reports suggesting otherwise are not accurate. We investigate all privacy concerns. As always we recommend that players take precautions to protect their accounts at all times. Please visit our player support page for further information, including a helpful set of tips and step-by-step instructions."
Those instructions can be found here.
The advice offered by Activision is comprehensive, but missing my normal recommendation that you should also activate two-factor authentication (2FA) to protect an account. The reason being that it appears this isn't an option on Activision accounts.
"Many games require accounts to be created to play online," Javvad Malik, a security awareness advocate at KnowBe4, said, and for many players, this is such a trivial affair that "not much thought is given to security." Which is, of course, why they are, as Malik noted, an appealing target for anyone "looking to compromise large numbers of accounts quickly."
Dean Ferrando, a lead systems engineer (EMEA) at Tripwire, added that such breached accounts provide "a goldmine for malicious actors intending to plan further attacks – be it phishing or otherwise."
While Activision has poured cold water on the suggestion that there is any mass account hacking campaign happening, gamers continue to contact me to say their accounts have, indeed, been hacked. This is, most likely, as a result of credential stuffing involving the use of compromised passwords from other services where the same credentials have also been used. Don't reuse passwords across sites and services, install a password manager and ensure strong and unique passwords for every account.
— Updated September 22 with statement from Activision
