By utilising an unsecured Unreal Tournament stats page from 2004, Check Point researchers were able to redirect log in access tokens from Epic’s servers to Check Points’ own, indicating they could access accounts without requiring passwords.
As Fortnite doesn’t permit multiple sign-ins to the same account, if the hacker is on the victim’s account, the victim can’t log on.
Once logged into the victim’s account, hackers would have been able to eavesdrop on Fortnite squad members’ chats, access players’ contact lists, and purchase V-Bucks virtual currency, weapons, and more using players’ stored credit card details.
Fortnite gamers could have been affected if they used their Facebook, PlayStationNetwork, Nintendo, or Xbox Live account instead of their Epic username and password to log in.
Epic Games hasn’t confirmed how many players may have been affected by the security flaw, but reportedly about 80 million people play Fortnite every month, and as many as 200 million gamers have registered accounts.
Fortnite is a big pull for hackers due to the massive user base. Just this week, The Independent reported money laundering schemes involving stolen credit card details that were being used to buy V-Bucks and then were sold back to players at a discount through the dark web.
Latest reports state that Fortnite made $US2.4 billion in 2018, and is only on track to grow in 2019.