Data dump suggests possible breach at Electronic Arts

A post to Pastebin containing account details for Electronic Arts (EA) customers hit a little too close to home for one gamer, who found his email address, account password, and games list among the harvested data. EA has been told about the alleged leaked records, but the company hasn’t made any official statements.

At about 3:00 p.m. on Thursday, a gamer who has asked that his name be withheld, got a password reset notification for an old Skype account. A few moments later, there were five additional password reset requests from Dropbox.

Soon after, the gamer got an email from someone who spends their time sending notifications to people who have had PII exposed online in data dumps. The message, from “urhack.com” contained his EA password in plain text and a link to the Pastebin post.

“Once I’d taken a look at the dump it seems linked to my EA account – a full list of my games appears to be there, along with the email address on the account and password,” the gamer told Salted Hash in an interview.

The data on Pastebin isn’t complete. While there are email addresses, passwords, dates that look like birthdays, and game listings, most of the other fields from the database are redacted, or they didn’t format properly once the data was downloaded.

Instead, the information is replaced with a series of question marks. At the same time, there are several hundred (~600) accounts listed, each of them with a Gmail address and password, but only accounts beginning with the letters A-F are shown.

Included with the leaked profiles are game listings for titles such as Battlefield (2, 3, 4, Hardline), SimCity, The Sims (2, 3, various expansions), FIFA, Dragon Age, Mass Effect, Theme Hospital, STAR WARS Battlefront, Dead Space, Need for Speed, Titanfall, and more.

It’s possible that EA wasn’t compromised, and instead the data in the Pastebin post was pulled from other data sources and combined. But the listing of his EA titles, along with his email address and password was enough for the gamer to sound the alarm.

A check of some of the addresses in the Pastebin post shows that some of them were involved in other data breaches, including Adobe, Patreon, the Bitcoin Security Forum’s Gmail dump, and more. However, most were first exposed in the paste itself, according to Have I been pwned?

To be certain, no matter how the leak happened, a large number of gaming enthusiasts have been exposed, and someone is checking other services to see if the leaked usernames and passwords have been recycled.

Last December, users on Reddit speculated that EA was compromised, after unauthorized purchases and other charges appeared on their Origin accounts. EA says they investigated the reports and “found no indication” of a data breach.

EA has been contacted about this most recent incident. However, they were not prepared to issue a statement by deadline.

In a statement, EA said that they would take steps to secure any EA or Origin account with user ID matching the accounts posted to Pastebin. However, the statement didn’t offer any exact details on the protection methods – hopefully password resets will be part of the resolution.

Salted Hash notified EA about the potential problem three hours before their statement was issued, so it’s likely the incident remains under investigation. Their statement in full is as follows:

“Privacy and security is our top priority at EA.  At this point, we have no indication that this list was obtained through an intrusion of our account databases.  In an abundance of caution, we’re taking steps to secure any account that has an EA or Origin user ID that matches the usernames on this list.  As always, we encourage all players to safeguard their account credentials and use unique usernames and passwords on all online accounts.”

Any new developments, including statements from EA, will be added as this story unfolds.

Shortly after this story broke, Sam Houston, the former community manager for Origin forums (now the senior community manager at Bugcrowd) had this to say:

“Gamers are often targeted with attacks, and with EA’s accounts tied into all of their games and their Origin e-commerce site, a gamer’s EA account can be very valuable. Gaining access to an EA account would enable a hacker to play any of their PC games purchased through Origin, and could potentially be used to play on a gamer’s account on a game connected via the EA account system. Those accounts are valuable not only for financial gain, but also for harassing or impersonating users. It’s also worth noting that this dump could just be someone targeting EA in response to something. Over the years, EA has been the target of a lot of ire from various gaming groups, so this could be a response to a particular issue that people are upset about.”

Edits:

[7:22 p.m. EST 15 OCT 2015]

– Added information on exposed emails, and the previous breaches they were part of.

[8:00 p.m. EST 15 OCT 2015]

– Added statement from EA.

[11:00 p.m. EST 15 OCT 2015]

– Added statement from Sam Houston