EA: 50 high-profile FIFA 22 accounts taken over by phishing actors

football

Electronic Arts (EA) has published an official response to numerous reports about hacked player accounts, confirming the problem and attributing it to phishing actors.

As the notice explains, hackers used social engineering against EA’s customer experience team to bypass two-factor authentication and take over 50 player accounts.

FIFA 22 is a very popular football (soccer) simulation game featuring a multi-player mode where people can compete in real-time, trade in-game items, etc.

The gaming company has promised to restore rightful owners’ access to the compromised accounts and has also announced the following measures to prevent this from happening again in the future:

  • All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.
  • Implementation of additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.
  • The customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.

The above changes will inevitably make customer service more cumbersome and slow, but they will improve account security, something that the FIFA community has been complaining about for years.

“We’d like to apologize for the inconvenience and frustration that this has caused, and that we were unable to share additional details in our original communication last week as we conducted a thorough investigation.” concludes EA’s statement

High-profile accounts hacked

The accounts that were targeted by the phishing actors include those of real footballers like Valentin Rosier, professional streamers, and in-game currency traders.

These high-profile accounts have invested significant amounts of money in the game and use it as a source of income by monetizing their presence in that virtual space.

Some of the hacked account holders point out the possibility of EA’s staff giving away their personal data to the hackers, which would violate the GDPR, incurring fines up to 4% of EA’s annual turnover.

However, at this time, no data protection probes have been announced, and EA’s investigation on the incident is still ongoing, so the scope of the impact hasn’t been determined with certainty yet.

It is also worth noting that Bleeping Computer has seen reports of lower-tier FIFA 22 accounts having been hacked recently, so the number of accounts taken over by phishing actors may be much greater than 50.