The computer games company Activision Blizzard is apparently the victim of a successful attack. On December 4, 2022, an attacker allegedly tricked a person from HR into revealing the two-factor authentication (2FA) code for their account. The perpetrator then allegedly copied data on all Activision Blizzard employees, including full names, phone numbers, email addresses, salaries and office locations. What is surprising is the company’s assessment of what sensitive employee data is (or is not):
“The security of our data is paramount, and we have comprehensive information security protocols in place to ensure its confidentiality. On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed.” Activision Blizzard does Submitted to Techcrunch. In plain English: Safety is important and we even have regulations on it. On December 4th, we quickly resolved an SMS phishing attempt. We took a very close look and found out that no sensitive employee data, the source code of our computer games or player data was accessed.
The timetable for the publication of future computer games was also disclosed during the burglary. The company’s statement does not indicate whether this is not sensitive either. It is also not known whether the affected employees were informed about the incident in a timely manner.
Activision Blizzard has not submitted a notification to the capital market authority SEC, as far as can be seen from the public database. According to currently applicable SEC 2018 guidance such a notification is only mandatory if knowledge is important for rational investors. The SEC (Securities Exchange Commission) working to tighten it up the disclosure obligation.
Insider Gaming confirms data leak
A security researcher from vx-underground disclosed the hack on Twitter, where he also posted screenshots, but emphasized that he was not involved in the hack. According to the gaming blog Insider Gaming vx-underground stated that the perpetrator tried in vain to sell the data copied from Activision Blizzard. Because that didn’t work, he passed the data on to vx-underground. Insider Gaming goes on to say that it has now obtained a copy of the data itself and can thus confirm the hack. heise online does not know this data and can therefore not assess its authenticity.
This screenshot is intended to demonstrate the successful overcoming of the 2FA protection.
According to a published screenshot, getting the 2FA code was a simple matter for the attacker: he asked for it. The screenshot shows that on the evening of December 4th, a Sunday in Advent, the attacker sent an SMS message that gave the impression that the recipient’s job was in danger. It contained a link. A few minutes later, the request for the 2FA code triggered via the linked website followed, and the victim dutifully submitted the six-digit number.
“Item settled,” the attacker replied immediately. As a result, the perpetrator is said not only to have copied internal data, but also to have exposed his character in another way: an indecent message was apparently posted in the company’s internal chat using the victim’s account.
(ds)
