Origin Accounts Hacked – Maybe Change Your Password

By John Walker on November 14th, 2012 at 1:00 pm.

Who knew this crappy photoshop would come in handy again?

Uh-oh. Eurogamer are reporting that a number of people have woken up this morning to find that their EA Origin account has been hacked. Receiving emails telling them that changes have successfully been made, recipients are not too delighted since they never asked for any. And then of course getting control of their accounts back again is a great big palaver. It’s even happened to one of Eurogamer’s own.

Rather than the phishing scam it might at first appear to be, these really are successfully changed account notifications. Which means someone has got hold of both a username and password of an account holder, and been able to circumvent the security that prevents an outsider being able to change such details. Because, as is mostly the norm, there isn’t any. I’ve just loaded my own Origin account, and when logged in all I need to do to change the password is know the old one. That done, the original account holder is locked out. Fairly standard, obviously.

And because your Origin account details are the same as those for your EA profile, with the same info you can log into profile.ea.com and change the email address too. The only security check to do that is, obviously, to enter the same password again. Doing this sends an email to your previously registered address, but it contains absolutely no information about what the address has been changed to. So once someone’s been in and changed the details, you’ve no way of knowing what they’ve changed either your email address or your password to. They’ve got complete control of your account, and with that can even change your Origin ID.

Using this account to then buy games isn’t immediately possible, however. While Origin stores credit card information, it doesn’t store the three digit CSS code, making it have a practical application for the first time ever. And many banks now have that added layer of security requiring yet another password. So it’s unlikely they’ll be able to go on any sprees, and your card number is obscured other than the last four digits. However, what IS on full display is your home address.

A thread on NeoGAF reveals that this has been happening to a lot of people, over the last few days, and also that EA has not been too impressive in responding. However, one person reports a clever trick for at least finding out some of the email address of the person who’s nicked your account – resetting your EA account using a linked account, such as Xbox Live, rewards you with a message saying that an email has been dispatched, and to which domain. Then logging on to the associated XBL account, and downloading EA Sports’ app, the full email address was revealed.

EA assures Eurogamer that they are “escalating the matter”, but more details have yet to appear. So really the larger concern here is: how were email addresses and passwords of multiple accounts obtained? While very many online games and stores are getting hacked of late, passwords tend to be pretty well protected, and people are usually notified to change them after such an attack. Hopefully EA will be back with some answers soon. Meanwhile, it seems prudent to go change your Origin/EA account password now, just in case.
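
To make the account-change flaw described above concrete, here is an added Python model (not EA's code and not part of the original post): the "weak" flow applies an email change as soon as the current password is known and sends the old address a notice that names no new value, while the "confirmed" flow stages the change, sends a one-time token and the requested new address to the old mailbox, and applies nothing until that token comes back. Account names, addresses and the mail outbox are constructed for the example.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
from typing import Optional

OUTBOX = []  # constructed stand-in for an email gateway: (recipient, subject, body)


def send_mail(to, subject, body):
    OUTBOX.append((to, subject, body))


def hash_password(password, salt):
    # Salted, slow hash: a leaked table is not cheaply brute-forceable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes
    password_hash: bytes
    pending: Optional[dict] = None  # staged email change awaiting confirmation

    @classmethod
    def create(cls, email, password):
        salt = secrets.token_bytes(16)
        return cls(email, salt, hash_password(password, salt))

    def check_password(self, password):
        return hmac.compare_digest(self.password_hash, hash_password(password, self.salt))


# Flow A: the behaviour the post describes. The current password is the only gate, the change
# applies at once, and the notice sent to the old address does not say what the new value is.
def weak_change_email(acct, current_password, new_email):
    if not acct.check_password(current_password):
        return "rejected"
    old = acct.email
    acct.email = new_email  # the original holder is now locked out
    send_mail(old, "Account updated", "Your email address has been changed.")
    return "changed"


# Flow B: the change is staged. A one-time token goes to the OLD address together with the
# requested new address; only that token applies the change, and ignoring the mail keeps things.
TOKEN_TTL_SECONDS = 24 * 3600


def request_email_change(acct, current_password, new_email):
    if not acct.check_password(current_password):
        return "rejected"
    token = secrets.token_urlsafe(32)
    acct.pending = {"new_email": new_email,
                    "token_hash": hashlib.sha256(token.encode()).digest(),  # never store the token
                    "expires": time.time() + TOKEN_TTL_SECONDS}
    send_mail(acct.email, "Confirm email change",
              f"A request was made to change your address to {new_email}. Token: {token} "
              "If this was not you, ignore this mail and change your password.")
    return "pending"


def confirm_email_change(acct, token):
    p = acct.pending
    if p is None or time.time() > p["expires"]:
        return "rejected"
    if not hmac.compare_digest(p["token_hash"], hashlib.sha256(token.encode()).digest()):
        return "rejected"
    old, new = acct.email, p["new_email"]
    acct.email, acct.pending = new, None
    # Both mailboxes learn what happened, including the new value the post's notice omitted.
    send_mail(old, "Email changed", f"Your address was changed from {old} to {new}.")
    send_mail(new, "Email changed", f"This mailbox now controls the account formerly at {old}.")
    return "changed"


def demo():
    """Run both flows on constructed accounts; the attacker knows only the reused password."""
    OUTBOX.clear()
    pw = "reused-password-constructed"
    victim = Account.create("owner@example.invalid", pw)
    weak = weak_change_email(victim, pw, "attacker@example.invalid")
    weak_notice_names_new_address = "attacker@" in OUTBOX[-1][2]

    victim2 = Account.create("owner@example.invalid", pw)
    staged = request_email_change(victim2, pw, "attacker@example.invalid")
    token_recipient = OUTBOX[-1][0]  # the owner's mailbox, not the attacker's
    guessed = confirm_email_change(victim2, "not-the-real-token")

    # The legitimate owner, who can read their own mailbox, still completes a change.
    owner = Account.create("owner@example.invalid", pw)
    request_email_change(owner, pw, "new-owner@example.invalid")
    token = OUTBOX[-1][2].split("Token: ")[1].split()[0]
    confirmed = confirm_email_change(owner, token)

    return {"weak": weak, "email_after_weak": victim.email,
            "weak_notice_names_new_address": weak_notice_names_new_address,
            "staged": staged, "token_recipient": token_recipient, "guessed": guessed,
            "email_after_guess": victim2.email,
            "confirmed": confirmed, "email_after_confirm": owner.email}
```

The same staging pattern applies to password changes: the old mailbox gets a chance to veto, and the notice it receives states what is about to change.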

  1. phelix says:

    Thanks for the notification, changed my pass immediately.

  2. Thomas says:

    I think we should sue EA because they being hacked means they’re forcing SWTOR Authenticators on us for no reason.

    • Hmm-Hmm. says:

      Aha.. haha.. ha.

    • DeVadder says:

      Or something as simple as Steam Guard asking for email-confirmation of everything.
      Unless people have the same password on their email, but who would do that! Right?

      • diamondmx says:

        Stupid people who, frankly, deserve to get their shit hacked.
        At the very, very least – have a different password for your email than for everything else, since your email is pretty much the gateway to changing passwords and security details everywhere else.

      • JohnnyMaverik says:

        Yea… who would do that… O.o

  3. lordcooper says:

    Bloody EA.

    • Stochastic says:

      Grab your pitchforks everyone and meet by the front gate of Castle Shotgun!

      • diebroken says:

        > pickup pitchfork

        “Kieron must be summoned first.”

        • Phantoon says:

          > summon Kieron

          “No one has seen him in a thousand years! We’re pretty sure he no longer exists.”

          • brulleks says:

            “You have not prepared that spell.”

            (“For decades”).

      • Megakoresh says:

        *GRABS PITCHFORK WITH GREAT ENTHUSIASM* Alright! When do we start slaughtering EA?!

  4. djbriandamage says:

    Chances are, as usual, that a less secure service than EA’s was compromised but people didn’t have the forethought to use different logon credentials on different sites. If you don’t use unique passwords all your accounts are as secure as the weakest link in the chain.

    If this describes you, and your Origin account has been compromised, the time has come for you to change ALL your passwords RIGHT NOW.

    • KikiJiki says:

      However that doesn’t change the fact that EA’s policies on account access and changes of details are not secure at all.

      • djbriandamage says:

        Very true. Even if EA didn’t get their databases compromised they could still be liable due to this oversight.

    • kalirion says:

      No, chances are that EA’s Origin is the less secure service – otherwise why is it Origin accounts that are suddenly being compromised in large numbers, and not Yahoo or Gamefaqs accounts or whatnot?

      Or perhaps a less secure forum account of an Origin developer was compromised, and the same password was used to then gain access to Origin itself?

  5. HisMastersVoice says:

    Done, though I’m not sure if my lone copy of BF3 was really worth stealing anyway.

    • Bostec says:

      I have Battlefield 3 too. They can have it.

      • Wut The Melon says:

        And I thought my comment was going to be original… I don’t think I’ll bother, either.

    • Roz says:

      Yep, pre-ordering the game to find out I had to use Origin, I’ve not even started up BF3. If someone can find out my password, they can have it.

      • frightlever says:

        Tell me your password! Now!

        (what? I read about this. It’s called social engineering.)

        • x1501 says:

          Give me your e-mail and I’ll send it to you. Better yet, give me your name and address so I can mail it to you securely.

    • Carra says:

      I was wondering if I have actually have any games on Origin. And yeah, my account has BF3.

      No sweat here.

  6. Stellar Duck says:

    The worst fucking thing about this is that they use the same password for bloody well everything. Battlelog, Bioware Social, ToR are the ones that I use. Ugh.

    Also, with the spider web of sign in pages I can barely remember where I go to change it. Bah!

    • MiKHEILL says:

      It’s “origin.com/account” for your origin pass.

      • Stellar Duck says:

        Thanks. I figured it out. But I think my point is valid enough. A compromised Origin password is a huge problem in regards to all the other online stuff with EA.

      • Roz says:

        Thank you, didn’t want to download origin to change my password. <3

    • Rick Lane says:

      Here’s a useful little article on creating unique yet memorable passwords. http://www.split-screen.net/blog/how-to-make-a-password

      • Stellar Duck says:

        Well, I use LastPass to generate my passwords so it’s not a huge deal to make a new one. I’m more annoyed that it’s the same password for every EA service.

        Add to that that the password in question can only be 16 characters and it really gets stupid.

        • reggiep says:

          Are you also annoyed that all Google services use a Google Account, all Microsoft services use a Live account and all Apple services use the name-of-the-week account?

          • Stellar Duck says:

            Yep! I am.

            But at least Google has long passwords allowed, 2-step sign in, one time keys and what not. EA does not. They have 16 characters and that’s it.

            And I don’t use Apple or MS accounts but if I did it would annoy me there as well.

            Hell, even Facebook has 2-step verification these days.

          • LionsPhil says:

            Thought of the day: have you ever let TF2 or SpaceChem or Frozen Synapse or such upload a video to your YourTube account?

            Congratulations, you just handed it the credentials to your e-mail as well, and you did so without the usual certificate checking UI of your browser.

            Single account systems are horrible, horrible, horrible for security. But great for large data-mining companies!

          • Stellar Duck says:

            @LionsPhil: No, to all of those. For the precise reason you mention.

            But the thing is: to access Google account you need physical access to my computer or failing that, my phone or the sheet of one time keys I’ve printed out. Granted, if people break in to my house and sign on to my email, I’m screwed.

            Steam also has 2-step verification if I try to use another device than my computer. Is it perfect? No. Is it better than a single 16 character string to protect all my EA stuff? I’d say so.

          • Saiko Kila says:

            The thing with Google services (merging accounts) persuaded me to stop using most of them. Before that I had different accounts for different services (mail, YT, and so on) and used them without problems. Now they keep (or are trying to) me logged to the previous service when I want to use another one. Additionally there are some problems with logging out.

            So I simply delete cookies with “google”, “youtube” and similar, and it logs me out. This is so cumbersome, that I’m naturally less inclined to use their services (more than one), and in turn it makes me less dependent on them, which is only to my good. So I’m actually slightly glad.

            As for EA, I had such an unpleasant history of using their accounts, including botched merging of different systems (it’s still possible to have more than one account with the same, single email which doubles as a login name…) that I also feel I’m less likely to buy and use their games/services in future. Which, again, would be great for my overall well-being and will make me more good than harm.

            Even in a bad situation there are positives to be found.

        • Gotem says:

          Not only the 16 character limit, but the annoying thing that people still think that a password with a number in it is more secure than one without it.. when most of the time it is the contrary, it reduces possibilities.

      • SighmanSays says:

        (Maybe) Obligatory XKCD link: http://xkcd.com/936/

        I’m not entirely sure if it’s accurate, since it seems to me like the ultrasimplistic method this strip espouses could still be dictionary attacked, but I think the point stands: longer is better than more complicated, and it doesn’t need to be completely bonkers.

        • HothMonster says:

          It is accurate. Longer is better. A dictionary attack just attempts every word in a list, not every combination of every word in a list. If you’re trying random combinations you will just use the symbols allowed in the password.

          Of course if the option is between 16 characters all lower case letters or 16 characters using a combination of numbers, symbols upper and lower case the latter will be more secure. But 40 lowercase letters is more secure than 8 bits of gibberish.

          Here’s a cool site about password security and it has a little field where you can see how long your password would take to brute force.
          • HothMonster says:

            Sure 170K is the number of dictionary entries, but each entry can have multiple tenses. Staple is an entry but it could also be staples, stapled, stapling, etc. So if you really wanted to use every word in the English language it’s going to be several degrees more than 170,000.

            But yes, a dictionary attack is usually just a list of common passwords and/or common words. You could set a dictionary to combine the entries. But trying “P@55wOrdPasswordpassword” as someone’s password would be a waste of time. No one is going to spend 4 months trying silly and highly unlikely passwords. If they are that dedicated they are just going to try and brute force it and hope they get lucky. If you used 4 words all lower case, chances are if you got hacked it would be by someone running every combination of lower case characters, not someone who was combining words from a list that happened to include all 4 of your words.

            The point and truth to the comic is that length is more important than complexity. People feel they are not going to remember 16 random characters so they choose 8 random characters, but a simple 16 character phrase they can remember would be safer. That is what he was trying to express. If you can remember, or use an app to help you remember, a random 16 bit password that’s great. But if your options are “qw78” or “moreisbetter” then more is better. Of course even better would be “moreisbetter^9” or “moreisbett3~”

            I guess the take home lesson is use the longest password the system allows and as complex as you can easily remember.

            Most systems as you say do require more than just lower case and have a smaller character limit. In this case use a simple phrase with a symbol and number at the end, beginning or middle that is as long as possible. If the system has a 16 character limit with all character types required “thelimitiS16$$$$” would be easy to remember and about as secure as the system allows.

        • Faxmachinen says:

          It is accurate.

          I use combinations of several words for any password I have to remember. The exception is my master password, which is a chosen combination of fictional words created by feeding a random piece of text through a Markov chain based on a cryptographically secure PRNG.

          I didn’t actually do the math on whether it’s more secure though, I just thought it was cool.

  7. Caiman says:

    Fortunately I don’t have an Origin account. I suspect I’m not alone.

    • Baines says:

      If you have an EA game, then you probably have an EA account. If you have an EA account, then you have an Origin account.

      I’ve never used Origin, never bought anything from it or installed Origin itself. I’ve never messed with EA’s own page or forums or whatever they might have that would require registering.

      But I’ve bought Alice: Madness Returns through Steam, and that required I make an EA account to be allowed to play it. So I have an Origin account.

      • fov says:

        @Baines – good point about the EA accounts being linked to Origin accounts. Your post reminded me that I recently registered a Sims game on my PS3. Didn’t write down the credentials for the account I was forced to create, because I wasn’t planning to use it for anything. I found the confirmation email for the account but couldn’t remember the password and it wasn’t stored in my browser (probably because I completed the registration on my PS3). When I hit the reset password link, I received an email telling me that I can only reset my EA account password from within the Origin client. Which I’ve of course never downloaded, and don’t particularly want to. A lovely runaround…

  8. BubuIIC says:

    I already change my Origin password on a monthly basis. That is, every time I want to log into my account and notice that it again does not recognise the olden password… or I always fail to write down the correct password. That might also be an option.

  9. jussipe says:

    This means my copy of Dragon Age 2 may be gone forever with my account.

    Thanks hackers. Thackers.

  10. x1501 says:

    My first reaction:

    My second reaction, of course, is the all-too-usual mixture of annoyance, anger, and compulsion to find a way to stop this madness before it is too late:

  11. Muddy Water says:

    Yeah, this happened to me. I sent them an email to EA about it yesterday. Still awaiting a response.

  12. Mario Figueiredo says:

    Gaming account passwords are like…

  13. xearonsklavesky says:

    Logged on to my EA account and tried changing the password, it keeps giving out an error. Tried different browsers, still the same. I feel so secure.

    • Bluerps says:

      That happened to me too. Fortunately, it worked after a couple of tries (I varied my new password a little between tries, maybe that has something to do with it).

  14. Makariel says:

    I can’t even remember how often I changed passwords for various accounts in the last year.

  15. pupsikaso says:

    My bet is on that the people getting hacked on Origin now are the same ones that were hacked on Sony, Valve, Blizzard, etc, and yet were still using the same login/password combo.

  16. JohnH says:

    If they want my ToR account and my copy of Dragon Age 2 they can bloody well have them!

  17. JoeGuy says:

    I thought you need to use an email notification link just to change your password info. Since when is that not standard?

    I’m surprised they don’t have the Steam protection that forces you to click an email link if you try to log in from a new IP address.

    • Roz says:

      As long as you know the current password, you can instantly change the email, password, name etc.

      \EA LOGIC\

    • frightlever says:

      Clicking email links is a bad idea so Steam, last I checked, actually asks you to enter a code from the email they sent you if you want to log in with a different computer.

      • JoeGuy says:

        I haven’t had to do that in a while, but yeah, isn’t at least one layer of protection involving your email or IP protection that Steam had pretty standard with MMO game launchers and other stuff? Seems way too simple a system to have ever been in place.

  18. Cytrom says:


  19. Vorphalack says:

    Another case in point of EA copying Activision ¬ ¬

  20. DMStern says:

    Whenever someone asks why I’m so negative about Origin and all the other me-too services as opposed to Steam, it’s because I know they’ll have learned nothing and will be doing all the mistakes Valve had to learn the hard way.

  21. sonofsanta says:

    FFS. Again. At least LastPass means everything is a different string of garbage now.

    I was already annoyed at Origin after I had to waste an hour faffing around convincing Origin to install ME3 off the bloody disc in the drive, they’re not helping themselves here.

    Also: CVV code. CSS code makes the web purdy.

  22. Allenomura says:

    Would changing your password do any good. Maybe, this could be a herd exploit. Word goes out that there has been a limited attack reported, but hacker knows an exploit with the service to where the ones they didn’t get (from commonly recognised gathering/engineering) before go and change their passes, and they’re collected in the process. I’d want assurance now that EA itself isn’t the emanation point, but then again, my faith in Origin service is minimal at best.

  23. p34ce says:

    So here’s what worries me about this: I’ve just changed my password, and noticed that the length is limited to about 20 characters or something.

    This is very, very worrying, because there is no reason for any login system to limit the length of passwords. This might indicate that they are using some sort of amateur, substandard cryptographic approach.

    Here’s hoping it was just some sort of arbitrary design decision on the part of the GUI designers.

    • Koozer says:

      I always assumed length limits on what you can enter as a password was a control against people creating stupidly long strings and clogging up their database. Usable character limits? Just plain stupidity and/or laziness.

    • HothMonster says:

      A 16 character password combining upper case, lower case, numbers and symbols (95 characters) has 44,480,886,725,444,405,624,219,204,517,120 possible results. At 1000 guesses a second it would take 14.14 million trillion centuries to try all combinations.

      I really don’t know if there is any kind of performance or security issue that makes 16 such a common limit but it is pretty standard.

      • Faxmachinen says:

        Indeed, but it’s still rather dumb and completely unnecessary. Trying to fit a memorable/non-garbage password (e.g. four random words) into sixteen characters drastically reduces the number of possibilities. Even a garbled string of only letters reduces it by more than four orders of magnitude, or nine if your shift key is broken.

  24. jalf says:

    While very many online games and stores are getting hacked of late, passwords tend to be pretty well protected, and people are usually notified to change them after such an attack

    I’m sorry, which parallel universe are you living in? Half of the recent hacks have resulted in either plaintext passwords being revealed, or unsalted hashes which can be bruteforced.
    Sure, we could be generous and *assume* that most of the hacks that are *known* were reported and that people were notified to change them.
    But that leaves two obvious gaps: how many hacks were *not* discovered? How many times did hackers just grab the account information undetected? And second, how many people do you think failed to change their password after being notified? Hackers know *plenty* of passwords that are still valid and in use.

    The problem is that you really depend on the weakest link. If just one of the games you play, or the stores you use, gets hacked and if that hack allowed the hackers to determine your plaintext password, then it doesn’t matter if your password was safe the 15 other times your account information was leaked due to a hack.

    Really, if you use the same password across several/most services, *and* you didn’t change it five minutes ago, then thousands of hackers are able to log in to your accounts pretty much at will. They have so much username/password information at their disposal by now that it’s just a matter of picking a target from the list. You’re on the list, and all that’s keeping you “safe” is the fact that so are tens or hundreds of thousands of others, so they might not pick on you specifically.

    Whenever someone asks why I’m so negative about Origin and all the other me-too services as opposed to Steam, it’s because I know they’ll have learned nothing and will be doing all the mistakes Valve had to learn the hard way.

    You mean when Steam screws up with your security, it’s ok, because “now they’ve learned from it”, but when others screw up with your security, they’re fool because they “hadn’t already learned from Valve”? How does that make any sense? Can’t we at least treat all of them equally?

    Would changing your password do any good. Maybe, this could be a herd exploit. Word goes out that there has been a limited attack reported, but hacker knows an exploit with the service to where the ones they didn’t get (from commonly recognised gathering/engineering) before go and change their passes, and they’re collected in the process. I’d want assurance now that EA itself isn’t the emanation point, but then again, my faith in Origin service is minimal at best.

    If a hacker had that kind of control over Origin, then they wouldn’t need you to change your password in the first place. So no, it is not a clever ruse. Just… change your password. To something unique that you don’t use on other sites.

    • GSGregory says:

      No origin is stupid for not using steam and many other services as an example of what security features to implement. If you have many templates and examples of what happens and what solves it you are a fool for not following it.

      • Keymonk says:

        Indeed. Learning from the mistakes of others is a good skill to have.

      • fish99 says:

        Agree 100%. EA don’t live in a vacuum, they know about Steam Guard and have had plenty of time to implement a similar feature.

        TBH all companies that hold sensitive/valuable information should have performed a complete overhaul of their security the moment Sony were hacked. They all had their warning and most of them seemed to have ignored it.

        • Roz says:

          They didn’t even need to have something like Steam Guard, they just need an email confirmation instead of just being able to instantly change everything linked to your account, which is pretty standard…everywhere.

        • jalf says:

          Yup, absolutely. My point is just that Valve and Steam have had more than a few security blunders too.

          From their forum getting hacked, to broken and easily exploitable “password reset” functionality to the broken and exploitable steam:// protocol and a handful of others.

          Of course EA should’ve learned from Valve. And from Sony. And from those dozens and dozens of other “services” which were hacked over the last year or two.

          But all of those companies failed too. I’m simply pointing out that it seems absurd to explicitly say that you’re particularly negative towards Origin for their blunders, *as opposed to* Steam, whose blunders you apparently just forgive and forget.

          There is no excuse for *any* of these countless hacks that have happened over the last couple of years. Unlike so many others, Origin does not appear to have been hacked, but their account recovery functionality is clearly and inexcusably broken. But once again, I don’t see how this is worse than all the hacks that put our passwords in the hands of hackers in the first place.

          I don’t see why this is a reason to be negative towards Origin “as opposed to” anything else. It’s a reason to be negative towards Origin *as well as* all the other companies whose security has been flaky. And that includes Steam.

    • DMStern says:

      You mean when Steam screws up with your security, it’s ok, because “now they’ve learned from it”, but when others screw up with your security, they’re fool because they “hadn’t already learned from Valve”?

      That’s not what I said.

      • jalf says:

        So what *did* you say?

        You said that you were negative towards Origin *as opposed to Steam* because of things like this.

        And yet, Steam is guilty of “things like this” too. So why are you less negative towards them?

        You are saying that Valve *had* to learn their lessons the hard way, whereas others should simply have learned from Valve.

        But… why didn’t Valve learn from, say, Sony? Or from Blizzard? Or, heck, from a “security 101” textbook? Why did they have to learn “the hard way”?

        Sounds to me like you were saying exactly what I said you were saying. ;)

  25. Desmolas says:

    Hehe, I use a very throwaway password that I am always going to remember for sites I don’t care about. Yes, it’s the same for them all (even Origin, which I haven’t bought anything on). The password to my life, my Gmail password, is a totally unique mix of 20 upper/lowercase, numbers and special characters though. There’s a hint for you.

    But, it’s about time all the companies that have anything to do with money and digital goods use something akin to SteamGuard though. A password and email address just doesn’t cut it these days.

    • nearly says:

      I remember reading a comic that said mixes of upper/lowercase numbers and special characters are basically an asinine idea for passwords. They’re A) harder for you to remember and B) easier and more likely for a computer to guess than a string of grammatically correct text.

      Unless your hint is meant to imply that your password is “is a totally unique mix of 20 upper/lowercase, numbers and special characters though.” you should probably change it now.

      • Stijn says:

        Origin limits your password length though and disallows some characters (like spaces). So using a passphrase is not possible unless it’s fairly short, in which case often it’s easier to crack than a string of the same length, but with random characters.

        The comic you’re referring to: http://xkcd.com/936/

        • The Random One says:

          Which, unless I know even less about passwords than I think, is wrong. correcthorsebatterystaple may be 44 bits of entropy if a script is guessing characters, but only four if it’s guessing dictionary words.

          • Phantoon says:

            Yeah, exactly. Dictionary attacks are more common than a lot of people realize, and you’d be screwed to have used a password like that.

            Of course, Munroe is usually wrong about a lot of the things he talks about.

          • KevinLew says:

            Your logic is incorrect because you’re assuming it’s only four digits of data, which it’s not. It’s four dictionary words. This means each “bit” is any common word in the dictionary. Even if you narrow down the word selection to the most common words in English, you’d still end up with about a 5,000 word dictionary, then that’s still 5,000^4 combinations of passwords. If you do the math, that’s even worse for hackers, because it’ll take over a thousand years before it can guess your password.

          • Durkonkell says:

            But there are around 250,000 words in the Oxford English Dictionary! Even if you only use common words, there are a lot more of those than there are letters. Wouldn’t it take millions of attempts to crack any given four-word password, assuming it isn’t aardvarkaardvarkaardvarkaardvark?

            I’m not a cryptographer and so you should probably assume that I don’t know what I’m talking about, but surely a four word passphrase is more secure than an 8 character jumble of numbers and letters? (Obviously if you’re going to have a 20 character password, a random combination of letters, numbers and symbols would be best but just try remembering it).

            EDIT: Ninja’d etc.

          • MattM says:

            The possibilities should be 100000^4=1×10^20 assuming 100000 common words. I don’t know if that’s enough.

            Double Ninja’d!!

          • HothMonster says:

            That isn’t how dictionary attacks work. A dictionary attack is just trying every word from a list (“dictionary”) as the password. It doesn’t then try every combination of words in its list. Doing that gets you back to square one.

            You either have say 8 random characters that can be any of 95 [upper case+lower case+numbers+33 symbols] symbols or (assuming you know it’s 4 words in your dictionary and not 3 or 5) 4 random entries that can be any of 10s of thousands of symbols (equating a dictionary entry to a symbol).

            Because assuming your list(“dictionary”) is comprehensive enough to contain the words correct, horse, battery and staple, it’s gonna be a pretty big dictionary. At least tens of thousands of entries. [The Second Edition of the 20-volume Oxford English Dictionary contains full entries for 171,476 words in current use, and 47,156 obsolete words. You also have to add common variations to your dictionary e.g. P@55w0rd].

            It would be stupid to try every combination of a list of 50,000 words when you don’t even know that a combination of those words will work vs trying every combination of 95 characters knowing one of those combinations has to work.

            A dictionary attack is just a list of words stupid people commonly use for their password. It tries each list entry and moves on to the next account.

            edit: I see this has been handled between my hitting reply and actually getting around to writing my comment, so triple ninja’d

            Check this out if you’re interested in password security https://www.grc.com/haystack.htm

          • jalf says:

            unless I know even less about passwords than I think, is wrong. correcthorsebatterystaple may be 44 bits of entropy if a script is guessing characters, but only four if it’s guessing dictionary words.

            Well, I guess you know even less about passwords than you think, then. ;)

            It is about 44 bits of entropy because there are about 2^44 possible combinations of 4 common dictionary words.

            Four bits of entropy = 2^4 combinations = 16 possible combinations.

            Picking a single letter from the alphabet and using that as your password provides more than four bits of entropy. ;)
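As an added illustration of the entropy arithmetic argued over in this exchange (not code from any commenter), the Python below computes keyspace, bits and average cracking time for each scheme mentioned; the word-list sizes and the 1000 guesses/second rate are assumptions taken from the comic and the thread, and the attacker is assumed to know the scheme but not the choices.

```python
import math

# Constructed figures for the strategies argued over above (assumptions, not measured data).
PRINTABLE_ASCII = 95        # upper + lower + digits + 33 symbols, as HothMonster counts them
XKCD_WORDLIST = 2048        # the comic's word list: 2^11 words, so 11 bits per word
COMMON_WORDS = 5000         # "most common words in English" estimate from the thread
OED_WORDS = 171476          # full entries in current use, OED 2nd edition, as quoted above
GUESSES_PER_SECOND = 1000   # the comic's online-guessing rate; offline cracking is far faster


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols drawn from `symbols` choices."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """Bits of entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(symbols)


def expected_crack_years(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit the password: on average half the keyspace is searched."""
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def naive_wordlist_bits(words_in_list: int) -> float:
    """HothMonster's point: trying each list entry once costs only log2(N) bits of work,
    but that attack never finds a multi-word passphrase at all."""
    return math.log2(words_in_list)


def compare() -> dict:
    """Entropy (bits) of the schemes debated in the thread under one attacker model:
    the attacker knows the scheme (word count, list size, character set) but not the choices."""
    return {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "4 words, XKCD 2048-word list": entropy_bits(XKCD_WORDLIST, 4),
        "4 words, 5000 common words": entropy_bits(COMMON_WORDS, 4),
        "4 words, full OED": entropy_bits(OED_WORDS, 4),
        # darkChozo's point: the same 25 letters chosen at random beat the 4-word version
        "25 random lowercase letters": entropy_bits(26, 25),
    }


if __name__ == "__main__":
    for scheme, bits in compare().items():
        print(f"{scheme:32s} {bits:6.1f} bits  ~{expected_crack_years(bits):.3g} years @1000/s")
```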

      • Desmolas says:

        Man, guess I have to rethink my password strategy.

      • Premium User Badge

        darkChozo says:

        A point of clarification; a string made up of real words is actually less secure than an equally long random password by definition; the former is a subset of the latter, after all. However, using real words does allow for a longer password that you can actually remember, due to that whole human beings being good at language thing.

        Also, security-wise, it’d probably be more secure to use three words (or better yet, 5) than four at this point, just because I’d imagine some enterprising individual has written an attack specific to XKCD readers who think they’re clever. One of those strange cases where security through obscurity works.

        • Hahaha says:

          Get one of the password key apps or do it the old fashioned way

          What’s the attack time on

  26. mrd says:

    They obviously have real problems because I got ‘hacked’ a while ago. No idea how because my password is… extremely complex and it happened while I was not even home. I got an email about password reset to my email address while I was away with the usual “if you did not request this please ignore” and then about 3 days later “your email address was successfully changed” and account gone.

    Frankly unbelievable that their system is so pathetically hole-filled.

  27. Ovno says:

    Ahhggg why do I have to obey your stupid rules on passwords EA???

    I suspect you have been or are about to get hacked, so I want to use a nice non secure password I don’t care about, but that I remember….

    Can I though, no it has to be 8-16 characters long and contain at least one number and one capital letter!!!

    BUGGER OFF if I want to use a crap password for your crappy download service then you should let me or even if I want to use a long one without letters and numbers which would be much more secure than say ‘A1b2c3d4’ and much more memorable….

    • Allenomura says:

      That ticked me off, too. I had a nice replacement ready. Punched it in and error message. Altered, same. etc, etc…EA should NEVER have launched Origin. Not even started with it, and certainly not made its use mandatory with the implementation being the way it is. Then they sought to bunch a whole load of services, that were hardly related, under the umbrella login. Cost cutting.

  28. mrmalodor says:

    No worries, I only have BF3 on that account anyway. They can have it.

  29. Slomoshun says:

    I don’t even care..there’s nothing on that program I’ll ever play again.

  30. xellfish says:

    Just went to Origin to try and change my password, but seems like their HTTPS domain uses an unverified certificate.. Very reassuring. How thoroughly did EA get hacked exactly?

  31. Elevory says:

    These proprietary gaming clients need to stop. Steam is light years ahead of the competition; use that, or hell, don’t force extra software on paying customers whatsoever. EA… what a fucking joke.

  32. Mattressi says:

    What does “escalating the matter” mean? It sounds like EA are the perpetrators of the hacking and now they are going to further escalate the attacks on their own system.

  33. stimpack says:

    I want a refund on all of my free games!

  34. p34ce says:


    One of my EA accounts (an old one) was hacked. First, there was a password reset notification (not a ‘click the link…’ type one, just a notification).

    Then, the next email was a verification email, in Russian, with a link in it. From the looks of things it wasn’t used – the hacker had logged in from a Russian locale and probably hit the verification link before changing the email address.

    The third and final email was an email address change notification. Unfortunately, they don’t include the new address in the email.

    I contacted Origin by phone, got a nice Irish agent on the line, who was able to go through old purchase history and confirm I was the legitimate owner.

    I asked for the email address the hacker had used, but the agent couldn’t give it to me. Unfortunate.

    Anyway, the whole thing was fixed in about 8 minutes.

    • Shaneus says:

      Yeah, slightly different occurrence to me (the OP of the GAF thread). I only received a single notification that my email address had changed. Not even a confirmation or request.

  35. El_Emmental says:

    EA should have added its own “OriginGuard” security system months ago… what were they thinking? That hackers would sit and do nothing?!

    Especially since they’re EA, one of the top 5 most hated video game publishers for the last 10 years (for good or bad reasons – doesn’t change a thing to the fact they’re hated), they should have expected it.

    Is it that hard for EA to implement:

    1) An email check to confirm password/email changes.
    2) An optional mobile text/voice message option for an email changes (if you can’t access your email address anymore – only available if you entered the number before).
    3) A “Customer Support” system allowing people to change the email address by providing the same credit card information that was used for one of the last 5-10 purchases, for a $1 secured purchase (proving that you also have the CSC number), listed as “ORIGIN ACCOUNT RESET – POSSIBLE HIJACK – VERIFY YOUR ACCOUNT” on the transaction, with 1 week delay (with the account suspended) on suspicious cases.
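The first item on that list, as an added example (a hypothetical in-memory model written for this page, not EA's code): an email change is held as a pending request, applied only when a token sent to the old address is presented before it expires, and the confirmation names the proposed new address, the detail the post notes the real notification leaves out. The 15-minute window is an assumption.

```python
import hashlib
import secrets

TOKEN_TTL_SECONDS = 15 * 60   # assumed window; short, since the link sits in the old inbox


class Account:
    """Hypothetical in-memory account record (added example, not EA's code)."""
    def __init__(self, email: str):
        self.email = email
        self.pending = None        # (new_email, sha256(token), expires_at) or None
        self.outbox = []           # constructed stand-in for outgoing mail: (to, body)


def _digest(token: str) -> str:
    # Store only a hash: a leaked database must not hand out usable confirmation tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def request_email_change(acct: Account, new_email: str, now: int) -> str:
    """Nothing changes yet. The confirmation goes to the OLD address and states the
    proposed new one, so the legitimate owner sees exactly what is being attempted."""
    token = secrets.token_urlsafe(32)
    acct.pending = (new_email, _digest(token), now + TOKEN_TTL_SECONDS)
    acct.outbox.append((acct.email, f"Confirm changing your address to {new_email}: {token}"))
    return token   # returned only so the example can simulate the owner following the link


def confirm_email_change(acct: Account, presented: str, now: int) -> bool:
    """Apply the change only for the pending, unexpired token; both notifications
    (before and after) carry the old and new addresses."""
    if acct.pending is None:
        return False
    new_email, digest, expires_at = acct.pending
    if now > expires_at:
        acct.pending = None          # stale request is discarded; the owner must start over
        return False
    if not secrets.compare_digest(_digest(presented), digest):
        return False                 # wrong or guessed token: deny, keep the pending request
    old = acct.email
    acct.email, acct.pending = new_email, None
    acct.outbox.append((old, f"Your address was changed from {old} to {new_email}."))
    return True


if __name__ == "__main__":
    acct = Account("owner@example.com")                     # constructed sample account
    token = request_email_change(acct, "new@example.com", now=0)
    print(confirm_email_change(acct, "guess", now=1), confirm_email_change(acct, token, now=1))
    print(acct.email, acct.outbox[-1])
```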

  36. Stormtamer says:

    Hacked myself a few weeks ago, changed my account to Russian, including my Old Republic account, which was quite worrying considering I have an authenticator to log on, but not to access my account details.

  37. dsi1 says:

    Why does anyone want Origin accounts!?

    • trjp says:

      What a massively, massively stupid question.

      a – because some games require them
      b – because cheap games can be sourced from Origin
      c – why shouldn’t they have them?

  38. SuperNashwanPower says:


  39. Bob says:

    Thanks for the heads up. I didn’t get notified but still changed my password. Once again I heard it here first, just one of the many reasons I love RPS.

  40. trjp says:

    This could be interesting…

    If you play Shift2: Unleashed and change your Origin password, your game becomes unplayable online (because Shift2 has no ability to ask you for a new password – it just fails to connect with the old one).

    That could run and run and run

    If a hacker gets into my account tho, could they tell me my password because I’ve had to change it so many fucking times now I’ve no idea what it is anyway…

  41. trjp says:

    Oh – and – a lot of people believe that the fundamental security flaw which keeps leading to XBOX Live accounts being compromised comes from within EA and not within Microsoft themselves.

    Obviously we can’t know but a lot of people think there’s a hole somewhere which is exploited by people for the FIFA scam and it may well relate to EA’s “integration” into XBL.

    It’s just possible we might actually get them to check they locked the door at least?

  42. Solidstate89 says:

    I’ve only got two games tied to Origin as it is and my password is also already fairly complex – but it never hurts to be certain. Thanks for the news, RPS. Off to go change my password. Again.

    Thank god for Lastpass.


  44. Shaneus says:

    As the guy who created the thread at NeoGAF, there’s a few things I’d like to clarify/clear up/theorise about:

    1. The password was not a password I used at all for other sites. My theory is that the email, however, was, and that was at least one part of the equation (I guess).
    2. I honestly don’t think my password was compromised at all. Reading the EA forums, there were a few issues with people not being able to reset their accounts because the DOB for the account was different to the one of the original account owner. I never encountered this (there’s no DOB at all listed on mine) but it leads me to another theory: that access to the account was more likely obtained via social engineering and not brute-forcing of passwords (either obtained from similar accounts on other sites or from dictionary hacks).
    3. This is the first time I’ve experienced having an account hacked/hijacked, having survived (I guess, somewhat miraculously) both PSN and XBL, as well as any others that may have occurred.

    If I had to offer any advice to anyone, I’d strongly suggest linking as many accounts as possible to your Origin one, such as PSN, XBL and Facebook. As I posted in the original NeoGAF thread, there was another victim who experienced this before me, who was able to access his hijacked account because his FB was still linked to it (and I don’t believe you can unlink any accounts once they’ve been setup).
    That, and maybe have a different email account registered specifically for each online service, possibly one that may be harder to guess.

    Edit: Have read through the comments. In case I didn’t mention it above clearly enough, I don’t think the problem was with compromised passwords, but with loopholes that can be used to change details via other means (i.e. over the phone, via an online helpdesk/chat feature). In this instance, changing your password won’t do jack. You’d probably have a better chance changing your email address so at least if they get access to it, they won’t be able to search for other online services that have the same email account registered to it and use the details in your Origin account as answers to security questions (or something like that) to “prove” you’re the account holder.

  45. JohnnyMaverik says:

    “EA assures Eurogamer that they are “escalating the matter””

    Wait what… EA are making it happen more O.o

    Those bastards -_-

    *shakes fist*

  46. dragonslayer says:

    My account got hacked 2 times, the first on Nov. 5, 2012. I CALLED the EA number found in the disc case- they can do NOTHING for you online— this is what I did after I got the account back—–

    1- Made sure all antivirus progs were updated and scanned—CLEAN scans w/ MSE, Symantec (corporate), Adv Sys Care 6, and Malwarebytes.

    2- Changed associated email password– showed it was as strong a password as possible

    3- Origin account settings were reset on the PHONE by an EA account specialist, security questions put in place, and a lock preventing anyone who did not have birthday, email & password, security questions from accessing account.

    After all this- 2 DAYS LATER- the account was hacked again–
    This is NOT a user problem- EA is being hacked at the account server- there is no other way possible for the hackers to do what they are doing.
    I don’t know if linking other accounts to the Origin account is a good idea- they can change everything about your Origin account- this 2nd time they got my account, they actually deleted (I think) my Origin account altogether.
    I have shown all I did on my end to secure my Origin account, if you have any suggestions- I would gladly like to hear them!!