Activision, the company behind the successful Call of Duty franchise, has denied reports that hackers breached over half a million Call of Duty accounts and locked out their owners, saying the reports are not accurate.
On September 20, reports emerged of a massive hack affecting hundreds of thousands of Activision accounts. The reports were traced to a Twitter account that is now suspended. The tweet said that the hack was even worse than the 2011 PlayStation 3 hack.
However, in an official statement made by Activision’s support team on Twitter, the company said that this was not the case. The post states that the reports saying that Call of Duty accounts have been hacked are not accurate. The company also said that it is investigating all privacy concerns raised by its community and suggested that players take the necessary precautions to safeguard their accounts.
— Activision Support (@ATVIAssist) September 22, 2020
Activision also said that players will receive emails if big changes are made to their Call of Duty accounts. Players who did not make these particular changes will have to follow the procedure outlined by the company.
Nonetheless, with login information for various accounts reportedly being leaked and a lot of players complaining that their accounts are inaccessible, it is certain that some type of breach has occurred, such as a credential stuffing attack.
Credential stuffing is a form of attack that uses credentials stolen from one account to gain access to the owner’s other accounts where the same password has been set. These attacks are easy for cybercriminals to carry out where the service provider lacks strict protective measures, and stopping them then depends on the victim’s security hygiene.
Entertainment and media account services are considered vulnerable to this kind of cyberattack and are valuable to hackers, especially now that reliance on internet services has increased because of the ongoing coronavirus pandemic. Credential stuffing attacks commonly affect users of Disney+, Netflix and Amazon Prime, to name a few.
According to Edgescan’s product architect David Kennefick, in Call of Duty’s case it looks like the developers failed to enforce strict measures that would help players stop credential stuffing attempts.
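As an added illustration (not code from Activision or from the original article), the sketch below shows how a service provider could spot the pattern described above in its own login logs: one source trying many different accounts with mostly failed logins. The log format, IP addresses, usernames and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = (
    # One source, 12 different accounts, one password each: the stuffing pattern.
    [f"2020-09-20T10:00:{i:02d} 203.0.113.7 user{i} {'OK' if i == 5 else 'FAIL'}"
     for i in range(12)]
    # One source hammering a single account: brute force, not stuffing.
    + [f"2020-09-20T10:01:{i:02d} 198.51.100.9 bob FAIL" for i in range(12)]
    # Shared NAT address: many accounts, but the logins succeed.
    + [f"2020-09-20T10:02:{i:02d} 192.0.2.50 student{i} OK" for i in range(10)]
    # An ordinary user mistyping a password once.
    + ["2020-09-20T10:03:00 192.0.2.4 carol FAIL",
       "2020-09-20T10:03:09 192.0.2.4 carol OK"]
)

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=10, min_fail_ratio=0.8):
    """Map each flagged source IP to the accounts it logged in to successfully.

    A source is flagged when, inside any sliding window, it tried at least
    min_users distinct usernames and at least min_fail_ratio of attempts failed.
    The thresholds are illustrative assumptions, not values from the article.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse(line)
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Successful logins inside a flagged window are likely takeovers.
                flagged.setdefault(ip, set()).update(u for _, u, ok in win if ok)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The accounts returned for a flagged source are the ones that should be locked and sent through a password reset, since the login succeeded with a reused password.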
“In general, it is best practice to enable MFA [multi-factor authentication] where possible, especially on accounts where there is valuable information available. This option doesn’t seem to be available on Activision.com, and there are also a few questionable password policies, including limits of 20 characters and disallowed special characters.”
Kennefick added that using password managers lessens the restrictions on the complexity of a password, and suggested that Activision consider removing these limitations to promote better password management.
OneLogin’s senior director of trust and security, Niamh Muldoon, also commented on the issue Activision is facing.
“Given the profile of Call of Duty end-users, predominantly young male adults who may not be security conscious and/or aware, Activision now has a great opportunity to consider rolling out access control training and awareness through its platform as well as implement strong access control into its platform.”
Despite all of this, the tweet Activision posted did not say that no cyberattack occurred. Rather, the company only said that the breach claims are not precise. Perhaps a similar incident took place, but on a smaller scale than the one described in the rumor.