Game company 2K on Thursday warned users to remain on the lookout for suspicious activity across their accounts following a breach last month that allowed a threat actor to obtain email addresses, names, and other sensitive information provided to 2K’s support team.
The breach occurred on September 19, when the threat actor illegally obtained system credentials belonging to a vendor 2K uses to run its help desk platform. 2K warned users a day later that the threat actor used unauthorized access to send some users emails that contained malicious links. The company warned users not to open any emails sent by its online support address or click on any links in them. If users already clicked on links, 2K urged them to change all passwords stored in their browsers.
On Thursday, after an outside party completed a forensic investigation, 2K sent an unknown number of users an email warning them that the threat actor was able to obtain some of the personal information they supplied to help desk personnel. The email stated:
Following further investigation, we discovered that the unauthorized third party accessed and copied some of the personal data we record about you when you contact us for support: the name given when contacting us, email address, helpdesk identification number, gamertag and console details. There is no indication that any of your financial information or password(s) held on our systems were compromised.
We also found that the unauthorized party sent a communication to certain players containing a malicious link purporting to provide a software update from 2K. Instead, the link contained malware that had the potential to compromise data stored on your device, including passwords.
An online FAQ said there was no indication that online assets were affected and that anyone who received one of the malicious emails had already received a later email from 2K informing them of this. The FAQ went on to say that it’s now safe to use the online help portal and to once again trust emails sent from the support address. Out of an abundance of caution, 2K encouraged all players to reset account passwords and ensure that multifactor authentication has been turned on.
It has been a rough few weeks for companies owned by Take-Two Interactive. On September 19, Rockstar Games said it experienced a network intrusion that resulted in the theft of confidential development footage for the next installment of its blockbuster game franchise Grand Theft Auto. Dozens of videos posted online included roughly 50 minutes of early gameplay that provided spoilers relating to the protagonists and settings for the long-anticipated sequel. Rockstar has been famously tight-lipped about such details in an attempt to generate buzz about upcoming releases.
Rachel Tobac, CEO of SocialProof Security, a company focused on social engineering prevention, said that the targeting of 2K’s help desk has been a recurring theme in recent breaches. The teenagers behind a 2020 breach of Twitter, for instance, targeted members of the company’s customer support team in phone-based phishing attacks that successfully tricked them into revealing their passwords and two-factor authentication codes.
“We continue to see cybercriminals target customer support and help desk credentials in their hacks because the admin tools those roles have access to are extremely powerful and full of sensitive user data,” she said in an online discussion. “For that reason, I continue to recommend upgrading MFA to match the threat model of client-facing roles like Helpdesk.”
2FA that relies on one-time passcodes sent through SMS or generated by apps remain wide open to credential phishing attacks, something security firm Twilio recently learned the hard way. 2FA based on the FIDO2 industry standard, by contrast, is credential-phishing proof. Despite being an open standard that works across a wide ecosystem of devices and form factors, FIDO2 is still not widely used.
2K’s advisory today means that the threat actor has enough information about specific users to produce convincing scams that might be hard for people to recognize. Any communications purporting to be related to 2K or gaming in general should receive extra scrutiny from people who received Thursday’s email.
2K’s advice that all users change their account passwords is also solid. Users should use a password manager to generate a long, random phrase or string unique to their 2K account. Even when 2FA offerings aren’t FIDO2 compliant, they provide more protection than not using 2FA at all.