Gaming Industry a Hotbed for Cyber Crime

The number of data breaches in the gaming sector is constantly on the rise. While gamers (and the whole gaming industry) aren’t as aware as they should be about the risks of credential abuse, attackers are finding more and more new methods of escaping detection.


The gaming industry has turned out to be an attractive target for cybercriminals. More than 152 million web application attacks between July 2018 and June 2020 were directed at the gaming industry, as Akamai reports. The coronavirus pandemic and the social-distancing lockdown policies have increased the use of online games, spurring even more cybersecurity incidents in this sector.

One of the most recent examples was the Activision data breach that happened in September 2020, where over 500,000 Activision accounts (mostly used by players of the Call of Duty franchise) were reportedly hacked. Mobile gaming platforms and companies such as Unity Forum and Epic Games have also been victims of data breaches. What makes the gaming industry particularly vulnerable are substandard authentication security measures and weak password policies for website users. These two factors make the video game industry an easy target for phishing, credential theft and data breaches.

The motivation

There are two main reasons why gamers are highly targeted. Gamers are active in social communities. They often have disposable income, which they spend on their gaming accounts, usually for new upgrades, skins or maps. Gamers are often young and less security-conscious, or simply oblivious. More serious players invest in their online characters, in-game tools, and accessories, which, when stolen, can later be sold in other markets. The attackers will go for accounts that are connected to financial resources such as credit cards.

The methods

The most common type of data breach in the gaming industry is credential stuffing. In this case, the attackers take advantage of users who tend to reuse the same password across different platforms. After a data breach happens and user credentials are exposed, the criminals run an automated process to check if stolen credentials work on other websites, while monitoring for successful logins and obtaining valuable data such as credit card information. The fact that these attacks often bring results is caused by password reuse.

The Online Security Survey from Google unfortunately proves this right:

[Image: Google Security Survey]

Phishing attacks are another way criminals target gamers, usually by creating a legitimate-looking website and luring gamers into revealing their credentials, or by random messages, for example, “Add friend”, or asking the recipient to buy or trade some game-related item.

The response

Video game companies ‒ both international giants and smaller firms ‒ are facing problems with keeping their players' data secure. Just one data breach incident can alienate customers and ruin the firm’s reputation forever. Even the biggest organizations are vulnerable and need strong security measures. Let’s remember the latest report claiming the massive Xbox data leak in May 2020. Unfortunately, many companies still haven’t introduced the option for two-factor or multi-factor authentication, which could add more layers of security. On the other hand, gamers need to be taught basic cybersecurity practices to safeguard their accounts, such as not using easily guessed passwords and not repeating them on multiple platforms. Still, the fact remains: as long as passwords are the only layer of security ‒ the problem will persist.

Modern solutions

A simple yet very effective way of fighting phishing and credential theft is using passwordless MFA. Getting rid of passwords not only makes the sign-in process more convenient; it also stops brute force attacks and ensures website accounts are safe and secure. In addition, passwordless sign-in can avoid a considerable amount of staffing and cost for user support and the management of password databases.

