Full Report
Gaming publisher Electronic Arts (EA Games) lost 780 GB of sensitive data, including game and engine source code, in a recent data breach.
Analysis Summary
# Incident Report: EA Games Source Code Data Breach
## Executive Summary
Gaming publisher Electronic Arts (EA Games) suffered a significant data breach resulting in the exfiltration of 780 GB of sensitive data, including source code for the Frostbite engine and FIFA 21. The attackers bought a compromised employee's Slack session cookies, used them to enter EA's Slack, and then socially engineered the IT department into helping them past multi-factor authentication. The stolen data is being offered for sale on a dark web forum for $28 million; the main risk is that access to engine and game source code makes the development of sophisticated game cheats far easier.
## Incident Details
- Discovery Date: Not stated in the source; discovery is assumed to have followed the dark web listing of the data.
- Incident Date: Not stated in the source; the breach preceded the article's publication on June 15, 2021.
- Affected Organization: Electronic Arts (EA Games)
- Sector: Gaming/Video Game Publishing
- Geography: Headquarters in Redwood City, California (USA)
## Timeline of Events
### Initial Access
- Date/Time: Undetermined, prior to June 15, 2021.
- Vector: Stolen employee session cookies replayed against Slack.
- Details: The attackers bought session cookies belonging to an EA employee's Slack account for $10. Replaying the cookies let them resume that employee's authenticated Slack session without the password and without an MFA prompt, since the cookie represents a session that had already passed login.
### MFA Bypass via Social Engineering
- Date/Time: Immediately following initial access.
- Vector: Social engineering of IT support over Slack.
- Details: Posing as the legitimate employee, the attacker messaged the IT department in Slack, claimed to have lost their phone, and asked for help with multi-factor authentication (MFA) to log into the corporate network. Because the request came from a genuine employee account, the IT representative inadvertently granted the attacker further access.
### Data Exfiltration/Impact
- Date/Time: Post-MFA bypass (timing unknown).
- Data Stolen: 780 GB of sensitive data, including source code for the Frostbite engine and FIFA 21, software development kits (SDKs), and proprietary game frameworks.
- Impact: Data posted for sale on a dark web forum for $28 million. Potential for the creation of sophisticated game cheats.
### Detection & Response
- Detection: No internal detection is described; the breach became known when the attackers advertised the stolen data on a dark web forum.
- Response Actions: EA acknowledged the breach in a statement that user privacy had not been compromised; its internal investigation and containment steps are not detailed in the source.
## Attack Methodology
- Initial Access: Compromised Session Cookies (via purchase on the dark web) leading to Slack access.
- Persistence: The MFA assistance obtained from IT support gave the attacker corporate network access that no longer depended on the original hijacked Slack session.
- Privilege Escalation: Social engineering of the IT department turned a single Slack session into authenticated access to the corporate network behind MFA.
- Defense Evasion: Use of valid, albeit stolen, session data to appear as a legitimate user; successful circumvention of MFA controls.
- Credential Access: No password was stolen; the attackers bought pre-existing session state (cookies) and then talked IT support past the MFA check.
- Discovery: Not described in the source; the attackers must have located the source code repositories after gaining network access.
- Lateral Movement: Movement from Slack to the corporate network and development systems followed the MFA bypass; the hosts and services traversed are not described in the source.
- Collection: Gathering 780 GB of sensitive engineering and development files (source code, SDKs).
- Exfiltration: Transfer of 780 GB of data off the network (method unknown).
- Impact: Sale of proprietary intellectual property on the black market.
## Impact Assessment
- Financial: Data listed for sale at $28 million. Potential massive costs associated with remediation, intellectual property protection, future litigation, and loss of competitive advantage.
- Data Breach: 780 GB of sensitive data including proprietary source code (Frostbite engine, FIFA 21), SDKs, and frameworks.
- Operational: While EA stated user privacy was not directly compromised, the loss of core intellectual property severely impacts development integrity and security.
- Reputational: Significant public relations damage due to the scale of the loss and the high-profile nature of the company.
## Indicators of Compromise
*Note: IOCs are limited as the article focuses on methodology.*
- Network indicators: None provided; the source names no IPs or URLs, and the forum where the data was listed is not identified.
- File indicators: Presence of the Frostbite engine source code or FIFA 21 source code files outside secure environments.
- Behavioral indicators: Unusual IT service desk traffic requesting MFA resets/bypasses; suspicious network connections originating from the compromised Slack identity post-MFA bypass.
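One way to operationalise the behavioral indicator above is to correlate session-context changes with help desk requests: a session id that reappears from a new IP and user agent, followed shortly by an MFA reset request from the same user over Slack, is the pattern this incident describes. The following is an added example, not part of the original report and not EA's tooling; the log formats and the sample lines are constructed for the illustration, and the one-hour correlation window is an arbitrary assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (assumed field layout, not a real Slack or ticketing format).
# alice's session id is reused from a new IP and browser, and minutes later an
# MFA reset request arrives over Slack in her name: the reported attack pattern.
SLACK_AUTH_LOG = """\
2021-06-01T08:02:11Z user=alice session=s-4f1c ip=203.0.113.10 ua=Slack/4.16 (Windows)
2021-06-01T08:40:53Z user=bob session=s-9a7d ip=203.0.113.22 ua=Slack/4.16 (macOS)
2021-06-01T13:17:40Z user=alice session=s-4f1c ip=198.51.100.77 ua=Mozilla/5.0 (X11; Linux)
2021-06-01T13:52:09Z user=bob session=s-9a7d ip=203.0.113.22 ua=Slack/4.16 (macOS)
"""

HELPDESK_LOG = """\
2021-06-01T09:30:00Z requester=bob channel=slack type=password_reset
2021-06-01T13:25:31Z requester=alice channel=slack type=mfa_reset note="lost my phone, need a code"
"""

SESSION_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) ip=(?P<ip>\S+) ua=(?P<ua>.*)$"
)
HELPDESK_RE = re.compile(
    r"^(?P<ts>\S+) requester=(?P<user>\S+) channel=(?P<channel>\S+) type=(?P<type>\S+)"
)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def session_anomalies(session_log):
    """Return events where a known session id appears from a different
    IP or user agent than the one it was first seen with (cookie replay)."""
    first_seen = {}
    anomalies = []
    for line in session_log.splitlines():
        match = SESSION_RE.match(line)
        if not match:
            continue
        rec = match.groupdict()
        context = (rec["ip"], rec["ua"])
        if rec["session"] not in first_seen:
            first_seen[rec["session"]] = context
            continue
        if first_seen[rec["session"]] != context:
            anomalies.append({
                "user": rec["user"],
                "session": rec["session"],
                "ts": parse_ts(rec["ts"]),
                "previous": first_seen[rec["session"]],
                "current": context,
            })
    return anomalies


def correlate(session_log, helpdesk_log, window=timedelta(hours=1)):
    """Flag MFA reset requests that arrive within `window` after a session
    anomaly for the same user. A request made over Slack ranks higher,
    because Slack is the channel whose session was hijacked."""
    anomalies = session_anomalies(session_log)
    alerts = []
    for line in helpdesk_log.splitlines():
        match = HELPDESK_RE.match(line)
        if not match or match["type"] != "mfa_reset":
            continue
        request_ts = parse_ts(match["ts"])
        for event in anomalies:
            if event["user"] != match["user"]:
                continue
            if timedelta(0) <= request_ts - event["ts"] <= window:
                alerts.append({
                    "user": event["user"],
                    "session": event["session"],
                    "anomaly_ts": event["ts"],
                    "request_ts": request_ts,
                    "severity": "high" if match["channel"] == "slack" else "medium",
                    "detail": f"session {event['session']} moved from "
                              f"{event['previous'][0]} to {event['current'][0]} "
                              f"{(request_ts - event['ts']).seconds // 60} min before the MFA reset",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SLACK_AUTH_LOG, HELPDESK_LOG):
        print(alert["severity"].upper(), alert["user"], alert["detail"])
```

Run on the sample data, only alice's request is flagged: her session changed network and browser eight minutes before the reset request, while bob's session context never changed and his request was not an MFA reset. In a real deployment the same logic would sit on the SIEM side, with the help desk queue treated as a log source rather than a ticketing tool alone.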
## Response Actions
- Containment measures: Not detailed in the source. Expected steps would include invalidating all active session tokens (especially Slack sessions), resetting the compromised user's credentials, and revoking whatever MFA enrollment or bypass was issued during the social engineering exchange.
- Eradication steps: Not detailed, but would include thorough scanning to ensure no backdoors or persistence mechanisms were established outside the breached data scope.
- Recovery actions: Not detailed, but would involve securing the build/development environments where the source code resides and potentially code auditing.
## Lessons Learned
- Session management and token security are critical, as stolen session cookies bypass traditional username/password authentication.
- Social engineering remains a highly effective external attack vector, especially when targeting help desk personnel who are trained to be helpful.
- Account recovery processes (such as phone-based MFA resets handled by the help desk) become the weak link once an attacker already controls an authenticated internal identity, because the help desk has no independent way to tell the attacker from the employee.
## Recommendations
- Implement stricter verification protocols for IT support staff when dealing with MFA resets or account recovery requests originating from internal channels like Slack.
- Harden session management: short lifetimes for sensitive applications such as Slack, re-authentication for sensitive actions, and binding sessions to the client they were issued to so that a copied cookie is useless from another machine.
- Move to phishing-resistant MFA (FIDO2 hardware security keys) for critical infrastructure and development environments, and ensure that help desk recovery cannot simply hand out a bypass, since recovery was the path the attacker took.
- Extend employee security training to cover stolen session cookies, which can be bought cheaply and used without a password, not just password phishing.
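To illustrate the session-hardening recommendation, the following added example (not code from the report, from EA, or from Slack) shows a server-side session token that carries an absolute expiry and is bound to the client's network prefix and user agent under an HMAC, so a copied cookie replayed from a different machine is rejected even before it expires. The signing key, the 15-minute lifetime, the /24 prefix rule, and the field separator are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret; in production this comes from a KMS or secret store.
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 900        # 15-minute absolute lifetime (assumed policy)
SEP = "|"                # field separator; usernames are assumed not to contain it


def client_fingerprint(ip, user_agent):
    """Hash of the client's /24 network prefix and user agent. The /24 rule is an
    assumption that tolerates small address changes on one network while still
    rejecting a cookie replayed from an unrelated host."""
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}{SEP}{user_agent}".encode()).hexdigest()


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, ip, user_agent, now=None):
    """Create a session token bound to an expiry time and the client context."""
    now = time.time() if now is None else now
    payload = SEP.join([user, str(int(now) + SESSION_TTL), client_fingerprint(ip, user_agent)])
    return payload + SEP + _sign(payload)


def validate_session(token, ip, user_agent, now=None):
    """Return (user, 'ok') or (None, reason). The MAC is checked first so that
    no decision is ever made on fields that have not been authenticated."""
    now = time.time() if now is None else now
    parts = token.split(SEP)
    if len(parts) != 4:
        return None, "malformed"
    user, expiry, fingerprint, mac = parts
    if not hmac.compare_digest(mac, _sign(SEP.join([user, expiry, fingerprint]))):
        return None, "bad_mac"
    if now > int(expiry):
        return None, "expired"
    if fingerprint != client_fingerprint(ip, user_agent):
        return None, "context_mismatch"
    return user, "ok"


if __name__ == "__main__":
    t0 = 1_623_715_200  # constructed timestamp
    token = issue_session("alice", "203.0.113.10", "Slack/4.16 (Windows)", now=t0)
    print(validate_session(token, "203.0.113.10", "Slack/4.16 (Windows)", now=t0 + 60))
    # The same cookie replayed from a different network and browser is rejected.
    print(validate_session(token, "198.51.100.77", "Mozilla/5.0 (X11; Linux)", now=t0 + 60))
    # Even from the right machine the cookie dies after SESSION_TTL seconds.
    print(validate_session(token, "203.0.113.10", "Slack/4.16 (Windows)", now=t0 + SESSION_TTL + 1))
```

The binding is deliberately coarse: a fingerprint that is too strict (exact IP, every header) logs users out whenever they roam, and the help desk then sees a flood of legitimate reset requests that makes the attacker's request harder to spot. Pairing a short lifetime with a context check is the point; for high-value applications, a device-bound credential such as a FIDO2 key for re-authentication is stronger than any cookie-side trick.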