EA Games’ huge game theft, which saw source code for FIFA 21 and other key titles stolen, hinged on a $10 cookie and some disturbingly simple social engineering, according to the hackers responsible. Electronic Arts confirmed it had been the victim of the cybercrime earlier this week, with around 780GB of data – including game code and more – yanked from its servers.
The loss of the source code for one of its highest-profile titles would be bad enough, but the hackers also made off with copies of EA’s matchmaking code for FIFA 21, along with source code and tools for Frostbite, and various frameworks and SDKs. EA has said that it does not believe customer data was impacted, however.
“No player data was accessed, and we have no reason to believe there is any risk to player privacy,” EA said in a statement. “Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business.”
However, the exact mechanism by which the hackers managed to access the data has been revealed, and it’s ominously simple. In an interview with Motherboard, a representative for the hackers says that the whole thing hinged on acquiring a stolen cookie that was being sold online. That cost all of $10.
Cookies are one of the most commonplace convenience features of the internet and web services, responsible for saving login data and sessions. With them, you can avoid having to enter your authentication credentials every time you visit the same webpage, for instance, and they can also be used to record a log of visits. Because a session cookie stands in for those credentials, anyone who holds a copy is treated as the logged-in user. However, what few may realize is that there’s also a marketplace for stolen cookies online, sold for nefarious purposes.
In this case, with the EA cookie, the hackers were able to access the game company’s Slack. That’s the internal messaging platform EA uses for its various teams to collaborate and, vitally, to communicate with divisions like IT Support.
“Once inside the chat we messaged a IT Support members we explain to them we lost our phone at a party last night,” the hackers’ representative explains. That led to the support team issuing two authentication tokens with which access to the EA corporate network was possible. Beyond that, it was a matter of accessing the various source code servers and making copies of what they found.
EA confirmed the mechanism by which the hack was carried out, and has said it is working with law enforcement in the aftermath of the exploit.
It’s a reminder that, while two-factor authentication and other advanced security may present significant obstacles to hackers, humans often remain the most readily exploited element of the overall system. EA certainly isn’t the only company to discover this in an embarrassingly public way, with many high-profile hacks resulting from the perpetrators managing to convince employees that their requests are innocuous or genuine.