The cybercriminals who hacked EA explain the process to Motherboard: it was as simple as paying 10 euros for a stolen cookie.
In the early afternoon the news broke: EA had been hacked, and the thieves had taken the source code for FIFA 21 and the Frostbite engine used by many of its games, as well as other content, adding up to 780 GB of data.
It seems that these cybercriminals are also looking for the limelight, because they have had no problem explaining to Motherboard (via Vice) the process they followed to hack EA.
And it couldn't have been easier or cheaper: only $10 was spent buying a stolen Slack cookie. It must be recognized, though, that it would not have been possible without a chain of security failures by EA staff.
According to the hackers themselves, the only thing they did was buy some stolen Slack cookies, for which they paid $10.
Slack is an application for working in groups and communicating between coworkers, widely used by all types of companies in these times of teleworking.
Slack cookies can store the login access to the channels, so that users don't have to identify themselves every time. The hackers used these cookies to enter one of EA's Slack channels, where they posed as an EA employee.
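Because a stolen cookie carries the login with it, reuse tends to show up as an existing session suddenly appearing from a different network and a different browser. The following is an added example, not code from EA, Slack or Motherboard; the log format, field names and sample records are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed sample records (not real Slack logs): one line per authenticated request.
# Fields: ISO timestamp, session id, user, source IP, user agent (rest of the line).
SAMPLE_LOG = """\
2021-06-01T09:00:00 sess-a1 alice 198.51.100.10 Mozilla/5.0 (Windows NT 10.0) Chrome/91
2021-06-01T09:05:00 sess-a1 alice 198.51.100.23 Mozilla/5.0 (Windows NT 10.0) Chrome/91
2021-06-01T09:10:00 sess-b2 bob 203.0.113.7 Mozilla/5.0 (Macintosh) Safari/14
2021-06-02T02:30:00 sess-b2 bob 192.0.2.99 Mozilla/5.0 (X11; Linux) Firefox/89
"""

def parse(line):
    """Split one log line; the user agent may itself contain spaces."""
    ts, session, user, ip, agent = line.split(" ", 4)
    return {"ts": ts, "session": session, "user": user, "ip": ip, "agent": agent}

def network_of(ip, prefix=24):
    """Coarse network bucket so address changes inside one network do not alert."""
    return ip_network(f"{ip}/{prefix}", strict=False)

def find_replayed_sessions(log_text):
    """Return (session, user, ip, ts) for requests that reuse a session from
    both a new network and a new user agent compared with its first use."""
    baseline = {}  # session id -> (network, agent) seen on first use
    alerts = []
    # ISO timestamps lead each line, so a plain sort is chronological.
    for line in sorted(filter(None, log_text.splitlines())):
        rec = parse(line)
        net = network_of(rec["ip"])
        first_net, first_agent = baseline.setdefault(rec["session"], (net, rec["agent"]))
        if net != first_net and rec["agent"] != first_agent:
            alerts.append((rec["session"], rec["user"], rec["ip"], rec["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print("possible cookie replay:", alert)
```

An alert of this kind is a reason to invalidate the session and force a fresh login, not proof of compromise on its own.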
Once inside, they contacted the company's support team and told them that they had lost their mobile phone at a party, requesting a new multi-factor authentication token. With it, they were able to access EA's corporate network.
Here we find a human failure, since the support team member should have verified the person's identity or the story about the lost phone. But since the hacker was inside Slack, identified as an employee, and thousands of people work at EA, the support staffer surely took it for granted.
Within the corporate network they found a server for developers, and there they created a virtual machine that allowed them to access and steal the FIFA 21 source code, the Frostbite engine, and other content.
The criminals have provided evidence to Motherboard, and EA has corroborated the method.
Among the evidence of the stolen material that the news site has received, there is material from PlayStation VR and documentation on how to implement artificial intelligence in games.
EA has released a statement explaining that it is investigating the incident, and that users' private information has not been compromised.