Full Report
Gaming publishing giant Electronic Arts (EA Games) lost approximately 780 GB of sensitive data, including game and engine source code, in a recent data breach.
Analysis Summary
# Incident Report: EA Games Sensitive Data Theft via Slack Session Hijacking
## Executive Summary
Electronic Arts (EA Games) suffered a significant data breach resulting in the exfiltration of approximately 780 GB of sensitive data, including source code for the Frostbite engine and an SDK. Initial access came from stolen employee session cookies that let the attackers hijack an existing Slack session; from inside Slack they social-engineered the IT helpdesk into helping them get past MFA. The stolen data is being offered on a dark web forum for an asking price of about \$28 million, and its most likely use is the development of sophisticated cheats for EA titles.
## Incident Details
- Discovery Date: Not stated; the breach became public when the stolen data was advertised for sale (June 2021).
- Incident Date: Not stated; prior to June 15, 2021 (publication date of the source article).
- Affected Organization: Electronic Arts (EA Games)
- Sector: Gaming / Video Game Development
- Geography: Headquarters in Redwood City, California (USA)
## Timeline of Events
### Initial Access
- Date/Time: Unknown precise time.
- Vector: Compromised employee credentials/session cookies.
- Details: Attackers reportedly purchased stolen employee cookies linked to EA's Slack channel for \$10.
### Lateral Movement
- Date/Time: Following initial Slack access; precise time unknown.
- Details: Using the hijacked Slack session, the attackers messaged EA's IT support while posing as the employee, claimed to have lost their phone, and persuaded a support representative to help them get past multi-factor authentication. With MFA bypassed they reached the corporate network and the systems holding the source code.
### Data Exfiltration/Impact
- Date/Time: Post-MFA bypass.
- Details: Approximately 780 GB of data was stolen, including source code for multiple EA games built on the Frostbite engine, software development kits (SDKs), and proprietary game frameworks.
### Detection & Response
- Date/Time: The theft became public when the stolen data was advertised for sale on a dark web forum; the source does not state whether EA detected the intrusion before that.
- Details: Response actions are not detailed beyond EA's public acknowledgement of the breach.
## Attack Methodology
- Initial Access: Stolen session cookies leading to Slack access.
- Persistence: Not detailed; exfiltrating 780 GB implies access was maintained long enough to locate, stage and transfer the data.
- Privilege Escalation: Social engineering of the IT helpdesk to obtain an MFA bypass, turning a hijacked chat session into authenticated network access.
- Defense Evasion: Abuse of the IT support procedure for MFA reset/device recovery, so the intruder's access looked like a legitimate helpdesk-assisted login.
- Credential Access: Purchase of stolen employee session cookies on a criminal marketplace (reportedly for \$10).
- Discovery: Not explicitly detailed, but likely involved reconnaissance of the internal network post-login.
- Lateral Movement: Gaining access from the compromised Slack session to broader corporate network resources containing the source code repositories.
- Collection: Gathering 780 GB of sensitive development assets.
- Exfiltration: Approximately 780 GB transferred out of EA's environment; the data was subsequently advertised for sale on a dark web forum.
- Impact: The Frostbite engine and FIFA 21 source code could be used to build cheats and to find exploitable bugs in EA titles.
## Impact Assessment
- Financial: Data marketed for \$28 million on the dark web. Potential downstream financial impact from exploit development.
- Data Breach: 780 GB of sensitive data, including source code for the Frostbite engine, SDKs, and proprietary game frameworks.
- Operational: Unspecified operational disruption, but the theft of core engine source code is highly significant.
- Reputational: Damage to the reputation of the gaming giant, Electronic Arts.
## Indicators of Compromise
- Network indicators: None published.
- File indicators: No hashes published; the stolen artifacts themselves (Frostbite engine source, FIFA 21 source, SDKs) are the material to watch for on leak sites and code-sharing platforms.
- Behavioral indicators: Successful social engineering of IT staff resulting in unauthorized MFA reset/bypass.
## Response Actions
- Containment: Not detailed.
- Eradication: Not detailed.
- Recovery: Not detailed beyond EA's public statement that it did not expect player privacy to be affected.
## Lessons Learned
- Session cookies for third-party SaaS such as Slack are bearer credentials: whoever presents the cookie gets the session, with no further password or MFA challenge, so a cookie stolen from an employee's browser (or bought on a marketplace) is a direct path to initial access.
- The IT helpdesk procedure for MFA resets and lost-device recovery was the critical pivot point: a request arriving over an already compromised channel was trusted on the strength of that channel.
- Source code repositories represent an extremely high-value target for threat actors targeting the gaming industry due to the potential for creating lucrative cheating tools.
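The bearer-credential problem described above, as an added example that is not part of the original report and not Slack's or EA's code: a minimal server-side session store that shows why a bare cookie is replayable and how three controls limit what a stolen one buys (binding the session to client attributes seen at login, bounding idle and absolute lifetime, and requiring recent step-up MFA for sensitive resources). The client attributes, paths and timeouts are illustrative assumptions.

```python
"""Added example: session store with optional client binding, lifetime bounds
and step-up MFA for sensitive paths. All values below are assumed, not EA's."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float
    fingerprint: Optional[str]   # None = unbound: any holder of the cookie is the user
    step_up_at: Optional[float]  # last time the user completed MFA in this session


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Attributes the session is bound to. The /24 rather than the full IP
    tolerates address churn behind corporate NAT; the User-Agent catches a
    different browser or OS. Neither is unforgeable; the point is that a cookie
    blindly replayed from the attacker's own machine will not match."""
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


class SessionStore:
    IDLE_TIMEOUT = 8 * 3600         # seconds of inactivity before the session dies
    ABSOLUTE_LIFETIME = 24 * 3600   # hard cap regardless of activity
    STEP_UP_WINDOW = 15 * 60        # MFA must be this recent for sensitive paths
    SENSITIVE_PATHS = {"/git/frostbite", "/sdk/download"}  # assumed examples

    def __init__(self, bind_sessions: bool = True) -> None:
        self.bind_sessions = bind_sessions
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, ip: str, ua: str, now: Optional[float] = None) -> str:
        """Issue a fresh random token after a successful password+MFA login."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        fp = client_fingerprint(ip, ua) if self.bind_sessions else None
        self._sessions[token] = Session(user, now, now, fp, step_up_at=now)
        return token

    def authorize(self, token: str, ip: str, ua: str, path: str,
                  now: Optional[float] = None) -> Tuple[bool, str]:
        """Validate a presented cookie for a request to `path`."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return False, "no such session"
        if now - s.issued_at > self.ABSOLUTE_LIFETIME or now - s.last_seen > self.IDLE_TIMEOUT:
            del self._sessions[token]
            return False, "expired"
        if s.fingerprint is not None and not hmac.compare_digest(
                s.fingerprint, client_fingerprint(ip, ua)):
            # Cookie presented from a different network/browser: treat it as theft
            # and revoke, which also logs the real user out and surfaces the event.
            del self._sessions[token]
            return False, "fingerprint mismatch, session revoked"
        if path in self.SENSITIVE_PATHS and (
                s.step_up_at is None or now - s.step_up_at > self.STEP_UP_WINDOW):
            return False, "step-up MFA required"
        s.last_seen = now
        return True, "ok"

    def record_step_up(self, token: str, now: Optional[float] = None) -> None:
        """Called after the user re-proves possession of their MFA factor."""
        self._sessions[token].step_up_at = time.time() if now is None else now


def replay_demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a cookie issued to the victim is replayed by an
    attacker from a different network and browser, with and without binding."""
    t0 = 1_623_000_000.0
    victim = ("10.1.2.3", "Mozilla/5.0 (Windows NT 10.0) Chrome/91")
    attacker = ("203.0.113.7", "Mozilla/5.0 (X11; Linux) Firefox/89")
    results = {}
    for label, bind in (("unbound_replay", False), ("bound_replay", True)):
        store = SessionStore(bind_sessions=bind)
        token = store.login("alice", *victim, now=t0)
        results[label] = store.authorize(token, *attacker, "/chat", now=t0 + 60)
    store = SessionStore()
    token = store.login("alice", *victim, now=t0)
    results["sensitive_stale_mfa"] = store.authorize(token, *victim, "/git/frostbite", now=t0 + 3600)
    store.record_step_up(token, now=t0 + 3600)
    results["sensitive_fresh_mfa"] = store.authorize(token, *victim, "/git/frostbite", now=t0 + 3601)
    results["past_lifetime"] = store.authorize(token, *victim, "/chat", now=t0 + 25 * 3600)
    return results


if __name__ == "__main__":
    for label, outcome in replay_demo().items():
        print(f"{label:22s} -> {outcome}")
```

The unbound store accepts the replayed cookie from the attacker's machine exactly as it would from the victim, which is the situation the Slack cookies created. Binding is a mitigation, not a fix: an attacker who also steals the User-Agent and tunnels through the victim's network still matches, and strict IP binding breaks mobile and VPN users, which is why the lifetime cap and the step-up requirement for source repositories matter independently of it.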
## Recommendations
- Immediately tighten the MFA reset and lost-device recovery procedure: identity must be verified out of band, over a channel independent of the one the request arrives on (a Slack message from an account whose session may be hijacked must never be sufficient on its own), using contact details already on record rather than ones the requester supplies, and with a second approver for privileged accounts.
- Apply Zero Trust controls so that a Slack session, however obtained, grants nothing beyond Slack: access to source repositories and build infrastructure should require a managed device, a fresh authentication, and per-resource authorization, preventing an immediate pivot from chat to core development assets.
- Monitor session usage as well as logins: alert when one session token appears from a new network or browser, when a login follows credentials or cookies known to be circulating on criminal markets, and, with highest priority, when a helpdesk-initiated MFA reset closely follows such an anomaly for the same user.
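The monitoring recommendation, as an added example that is not part of the original report: a small detector run over constructed, Slack-style audit events. The field names (`ts`, `action`, `user`, `target_user`, `ip`, `ua`, `session_id`) and the action names are simplified assumptions about what a SaaS audit log typically carries, not Slack's actual schema. The two rules mirror the two stages of this incident: one session token used from two different network/browser pairs, and a helpdesk MFA reset for the same user shortly afterwards.

```python
"""Added example: session-replay and MFA-reset correlation over constructed
audit events. Field and action names are assumptions, not Slack's schema."""
import json
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample log (JSON lines). alice's session s-a1 is replayed from
# another network, then the helpdesk resets her MFA; bob's second session is a
# phone client from the same office network and his reset has no prior anomaly.
SAMPLE_LOG = """
{"ts": "2021-06-01T09:00:00+00:00", "action": "user_login", "user": "alice", "ip": "10.1.2.3", "ua": "Chrome/91 Windows", "session_id": "s-a1"}
{"ts": "2021-06-01T09:10:00+00:00", "action": "file_downloaded", "user": "alice", "ip": "10.1.2.3", "ua": "Chrome/91 Windows", "session_id": "s-a1"}
{"ts": "2021-06-01T13:00:00+00:00", "action": "channel_joined", "user": "alice", "ip": "203.0.113.7", "ua": "Firefox/89 Linux", "session_id": "s-a1"}
{"ts": "2021-06-01T13:25:00+00:00", "action": "mfa_reset", "user": "it-helpdesk", "target_user": "alice", "ip": "10.9.9.9", "ua": "AdminConsole", "session_id": "s-h1"}
{"ts": "2021-06-01T09:05:00+00:00", "action": "user_login", "user": "bob", "ip": "10.1.5.8", "ua": "Chrome/91 macOS", "session_id": "s-b1"}
{"ts": "2021-06-01T10:00:00+00:00", "action": "user_login", "user": "bob", "ip": "10.1.5.8", "ua": "Slack-iOS/21.05", "session_id": "s-b2"}
{"ts": "2021-06-01T11:00:00+00:00", "action": "mfa_reset", "user": "it-helpdesk", "target_user": "bob", "ip": "10.9.9.9", "ua": "AdminConsole", "session_id": "s-h1"}
"""

MFA_RESET_ACTIONS = {"mfa_reset", "mfa_device_enrolled"}  # assumed action names


def parse_events(raw: str) -> List[dict]:
    """Parse JSON lines, convert timestamps to epoch seconds, sort by time."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"]).timestamp()
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], reset_window: float = 6 * 3600) -> List[dict]:
    """Return alerts, in time order, for session replay and for MFA resets
    that follow a replay of the target user's session within reset_window."""
    alerts: List[dict] = []
    first_seen: Dict[str, Tuple[str, str]] = {}  # session_id -> (ip, ua) at first sight
    flagged: Set[str] = set()                    # sessions already alerted on
    replay_at: Dict[str, float] = {}             # user -> time of first replay alert
    for e in events:
        sid = e.get("session_id")
        key = (e["ip"], e["ua"])
        if sid is not None:
            if sid not in first_seen:
                first_seen[sid] = key
            elif first_seen[sid] != key and sid not in flagged:
                # Same token, different network and client: the cookie has been
                # replayed by a second device, or the user changed both at once.
                flagged.add(sid)
                alerts.append({
                    "rule": "session_replay", "severity": "high", "ts": e["ts"],
                    "user": e["user"], "session_id": sid,
                    "detail": f"first seen from {first_seen[sid]}, now from {key}",
                })
                replay_at.setdefault(e["user"], e["ts"])
        if e["action"] in MFA_RESET_ACTIONS:
            target = e["target_user"]
            if target in replay_at and 0 <= e["ts"] - replay_at[target] <= reset_window:
                # The helpdesk pivot: an MFA reset for an account whose session
                # was just seen replayed is the highest-confidence signal here.
                alerts.append({
                    "rule": "mfa_reset_after_replay", "severity": "critical",
                    "ts": e["ts"], "target_user": target, "actor": e["user"],
                    "minutes_after_replay": (e["ts"] - replay_at[target]) / 60,
                })
    return alerts


def run_detection() -> List[dict]:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_detection():
        print(a)
```

On its own the replay rule is noisy (VPN reconnects and laptop-to-phone switches change both IP and User-Agent), so it belongs in a triage queue rather than paging anyone; the correlation with a helpdesk MFA reset is what turns it into an incident, and the reset window should be tuned to how long the helpdesk queue normally takes.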