The most recent security breach to hit Epic Games happened on January 2019, when a webpage security flaw left 200 million Fortnite players vulnerable to hacking. As of October 2023, there have been no reported Epic Games breaches since this incident.
Below, we’ll dig into a full timeline of Epic Games’ security and data breaches, starting with the most recent.
January 2019: Webpage Security Flaw Exposes 200 Million Fortnite Users to Being Hacked
In January 2019, news broke of a security flaw found on an unsecured webpage created by Epic Games that left 200 million Fortnite users vulnerable to hacks. Epic Games – which owns and operates Fortnite – initially created the unsecured page – which was for Unreal Tournament, another game owned and operated by Epic Games – in 2004. Hackers were able to make use of the page to send phishing links to Fortnite players. If a player clicked the link, hackers got complete access to the associated account.
Hackers didn’t even need players to provide login details: simply interacting with the link was enough to gain access through token hijacking. As a result, any of the game’s 200 million players were potential targets, though it isn’t fully clear how many were actually hacked using the approach.
Once the hackers gained access, they could gather up login credentials and make purchases through the accounts using associated payment cards. Additionally, they had the ability to listen to in-game conversations and record player actions without the accountholder’s knowledge.
The vulnerability with initially identified by Check Point, a security firm. Once they found it, they informed Epic Games about the issue. Epic Games did take the webpage down.
Some of those affected by the breach weren’t satisfied with Epic Games merely addressing the source of the issue. In August 2019, a class-action lawsuit against the gaming company was filed. The suit claimed that Epic Games failed to notify users in a timely manner and that the company didn’t properly safeguard users in the first place.
Additionally, some users had to deal with fraudulent charges on their connected payment cards, creating a hardship and, in some cases, financial challenges. However, the lawsuit was dismissed in late 2019 since the named plaintiff wasn’t able to prove actual harm.
August 2018: Fortnite Android Vulnerability Leaves Samsung Users Open to Man-in-the-Disk Attack
In August 2018, news broke that an issue with the Android version of Fortnite left Samsung users open to man-in-the-disk attacks. The Android version of the app had only been available for a few weeks. Within the Fortnite installer was a software flaw that could trick the installer into installing software other than Fortnite.
Due to the installer issue, the Android APK file could be swapped out for a malicious third-party app right before installation began. The Samsung API only checked the package name, ensuring it matched with “com.epicgames.fortnite” before moving forward. Once that check occurred, they could swap out the APK for another app.
Depending on the OS version, the malicious app could also be granted permissions during installation. In either case, users wouldn’t know anything went wrong until the malicious code was in place.
While Epic Games addressed the issue the day after it was identified, it was likely in place since launch. It isn’t clear how many users were impacted.
May 2018: Epic Games Sues QA Contractor for Leaking Details About an Upcoming Fortnite Season Ahead of Launch
In another example of Epic Games taking action against an individual for sharing proprietary information, the company sued a QA contractor for leaking details about an upcoming season, claiming the action did irreparable harm. Epic Games sought punitive damages based on trade secret laws.
In June 2018, Thomas Hannah – the QA contractor in question – replied to the civil suit stating that they didn’t coordinate with a third party to share the information, as they were accused of doing in the lawsuit. Instead, Hannah claimed that he was unaware the person he spoke to would share information, saying anything that was discussed was part of a private conversation and that he had no hand in the information being released.
August 2016: Hackers Steal Data from 808,000 Accounts from Legacy Epic Games Forums
In August 2016, hackers stole user names and email addresses from 808,000 accounts. Additionally, they were able to grab scrambled password data, along with birth dates, post histories, comment histories, private message logs, activity data, IP addresses, and join dates. For users that signed in using a Facebook account, Facebook access tokens were also in the dataset.
The information was gathered by legacy forums owned by Epic Games, including some dedicated to Unreal Tournament, Infinity Blade, and other properties. The hacker used a known SQL injection vulnerability associated with older vBulletin forum technology to access the full user database.
July 2015: Epic Games Forums Hacked, Compromising User Data
In July 2015, Epic Games informed users about a forum hack. Usernames, email addresses, passwords, and other details were compromised for those who used specific channels, including some dedicated to popular properties like Gears of War, Infinity Blade, Unreal Tournament, and Bulletstorm. It wasn’t clear how many users were impacted.
2011: Hacker Group Steals from Major Tech Companies, Including Epic
Between 2011 and 2013, a small group of skilled hackers gained access to systems and property owned by tech companies, including several in the gaming industry. They came into possession of Gears of War 3 – an Epic Games title – before its release, though that isn’t all they made away with during their time.
David Pokora – a member of the group – was able to obtain login credentials for the Epic Games network, giving him the ability to download Gears of War 3 from the company’s systems months before its official release.
SuperDaE – another member of the group – claimed that he contacted Epic in 2012 while drunk, stating that he was able to play the game in advance of its release and pointing out flaws in company systems. The company sent him a signed poster in exchange for his insights and later said that no sensitive customer data was compromised during the incident.
SuperDaE also claimed to have come into possession of an Epic Games’ company credit card, though he said he never used it.