Uh-oh. Eurogamer are reporting that a number of people have woken up this morning to find that their EA Origin account has been hacked. Receiving emails telling them that changes have successfully been made, recipients are not too delighted, since they never asked for any. And then, of course, getting control of their accounts back again is a great big palaver. It’s even happened to one of Eurogamer’s own.
Rather than the phishing scam it might at first appear to be, these really are successful account-change notifications. Which means someone has got hold of both the username and password of an account holder, and been able to circumvent the security that prevents an outsider from changing such details. Because, as is mostly the norm, there isn’t any. I’ve just loaded my own Origin account, and when logged in all I need to do to change the password is know the old one. That done, the original account holder is locked out. Fairly standard, obviously.
And because your Origin account details are the same as those for your EA profile, with the same info you can log into profile.ea.com and change the email address too. The only security check to do that is, obviously, to enter the same password again. Doing this sends an email to your previously registered address, but it contains absolutely no information about what the address has been changed to. So once someone’s been in and changed the details, you’ve no way of knowing what they’ve changed either your email address or your password to. They’ve got complete control of your account, and with that can even change your Origin ID.
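To make the weakness concrete, here is an added example (not EA's code, and a hypothetical account model rather than Origin's data model) that contrasts the flow the article describes with a hardened one. In the weak version, knowing the password is the only check, and the notice sent to the old address says nothing about the new value. In the hardened version, the old address is told exactly what the email was changed to and receives a revert token; a single token covers a whole run of changes, so even if the attacker changes the email and then the password, the notice the rightful owner did receive can undo both. Names such as `Account`, `hardened_change` and `revert` are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def hash_password(password: str, salt: str) -> str:
    # Toy salted hash to keep the example self-contained; a real service
    # should use a slow password hash such as argon2, bcrypt or scrypt.
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Account:
    email: str
    salt: str
    password_hash: str
    # Hypothetical revert state used only by the hardened flow below.
    previous: Dict[str, str] = field(default_factory=dict)  # field -> original value
    revert_token: Optional[str] = None


def new_account(email: str, password: str) -> Account:
    salt = secrets.token_hex(8)
    return Account(email=email, salt=salt, password_hash=hash_password(password, salt))


def check_password(acct: Account, password: str) -> bool:
    # Constant-time comparison of the stored and candidate hashes.
    return hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt))


def _apply(acct: Account, field_name: str, new_value: str) -> None:
    if field_name == "email":
        acct.email = new_value
    elif field_name == "password":
        acct.password_hash = hash_password(new_value, acct.salt)
    else:
        raise ValueError(f"unknown field {field_name!r}")


def weak_change(acct: Account, password: str, field_name: str, new_value: str, outbox: list) -> bool:
    """Flow as the article describes it: the password alone authorises the change,
    and the notice to the old address does not say what the new value is."""
    if not check_password(acct, password):
        return False
    notify_to = acct.email
    _apply(acct, field_name, new_value)
    outbox.append((notify_to, f"Your account {field_name} has been changed successfully."))
    return True


def hardened_change(acct: Account, password: str, field_name: str, new_value: str, outbox: list) -> bool:
    """Hardened flow: the OLD address learns the new value (for email changes) and
    gets a revert token. The first original value of each field is kept so that a
    revert restores the state before the whole sequence of changes."""
    if not check_password(acct, password):
        return False
    if acct.revert_token is None:
        acct.revert_token = secrets.token_urlsafe(16)
    original = acct.email if field_name == "email" else acct.password_hash
    acct.previous.setdefault(field_name, original)
    notify_to = acct.email
    _apply(acct, field_name, new_value)
    detail = f"to {new_value}" if field_name == "email" else "(new password not shown)"
    outbox.append((notify_to,
                   f"Your account {field_name} was changed {detail}. "
                   f"If this was not you, revert with token {acct.revert_token}."))
    return True


def revert(acct: Account, token: str) -> bool:
    """Undo every change made since the revert token was issued. The owner should
    then set a fresh password, since the old one was evidently known to the attacker."""
    if acct.revert_token is None or not hmac.compare_digest(acct.revert_token, token):
        return False
    if "email" in acct.previous:
        acct.email = acct.previous["email"]
    if "password" in acct.previous:
        acct.password_hash = acct.previous["password"]
    acct.previous.clear()
    acct.revert_token = None
    return True


if __name__ == "__main__":
    # Constructed sample: an attacker who knows the password changes the email, then the password.
    acct, outbox = new_account("owner@example.com", "hunter2"), []
    hardened_change(acct, "hunter2", "email", "thief@example.net", outbox)
    hardened_change(acct, "hunter2", "password", "attacker-chosen", outbox)
    print(outbox[0])  # notice to owner@example.com naming thief@example.net and the token
    print(revert(acct, acct.revert_token), acct.email)
```

Sending the revert token to the previous address, rather than only a bare "something changed" notice, is what turns the notification into something the locked-out owner can act on.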
Using this account to then buy games isn’t immediately possible, however. While Origin stores credit card information, it doesn’t store the three-digit CSC code, making it have a practical application for the first time ever. And many banks now have that added layer of security requiring yet another password. So it’s unlikely they’ll be able to go on any sprees, and your card number is obscured other than the last four digits. However, what IS on full display is your home address.
A thread on NeoGAF reveals that this has been happening to a lot of people, over the last few days, and also that EA has not been too impressive in responding. However, one person reports a clever trick for at least finding out some of the email address of the person who’s nicked your account – resetting your EA account using a linked account, such as Xbox Live, rewards you with a message saying that an email has been dispatched, and to which domain. Then logging on to the associated XBL account, and downloading EA Sports’ app, the full email address was revealed.
EA assures Eurogamer that they are “escalating the matter”, but more details have yet to appear. So really the larger concern here is: how were email addresses and passwords of multiple accounts obtained? While very many online games and stores are getting hacked of late, passwords tend to be pretty well protected, and people are usually notified to change them after such an attack. Hopefully EA will be back with some answers soon. Meanwhile, it seems prudent to go change your Origin/EA account password now, just in case.