Another major video game developer and publisher experienced a cyberattack reportedly resulting in the exfiltration of more than three-fourths of a terabyte of data. The exfiltrated data reportedly includes source code, software development kits and game engines. News reports indicate that the threat actors accessed the system through Slack channels, stolen authentication cookies and (apparently) a well-executed spear phishing attack to secure multifactor authentication tokens. Simultaneously, other recent reports have described malware hiding in gaming platforms through profile images, like malware injection through website favicons.
Meanwhile, esports has become big business and mainstream, with huge amounts of data and significant capital transactions. A League of Legends tournament was featured in the Netflix documentary 7 Days Out, and Sports Illustrated’s July 2021 cover story was about an esports team. Even the Olympics reportedly is considering including esports.
The combination of threat actors looking toward the video game industry and the rise of esports indicates how important it is for the industry and esports platforms and leagues to increase their cybersecurity awareness. As with other technology developments, the risk is ever present to the individual, in their home, to their personal computing devices and to their financial accounts. As presently situated, the industry and esports present attractive targets to cyber threat actors. The following are a few examples of areas that need significant attention.
First, attackers may seek player or subscriber account information. Many games today—from MMORPGs and Web3-based platforms to sports and real-time strategy games, and everything in between—include online play or DLC components. For those, the publisher may be collecting significant amounts of information about the players—information with significant market value to marketers and threat actors, such as payment information, geolocation, crypto addresses, or other personal information valuable for phishing and other social engineering attacks against individuals and their employers. Recent news reports about posting social media profiles to websites for…