In November of 2018, a vulnerability was discovered in the Epic Games website and reported by outlets like CNET. A few months later, Epic Games finally addressed these vulnerabilities along with a breach that had potentially exposed the personal information of millions of Fortnite player accounts.
“We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention,” a spokesperson for Epic Games said. Following the breach, gamers have remained rightfully angry at Epic over how long it took the company to acknowledge the vulnerabilities. With growing concerns over cybersecurity, affected gamers have now joined forces to slap Epic Games with a class-action lawsuit.
Class-action lawsuit filed against Epic Games
The class-action suit comes from the US law firm, Franklin D. Azar & Associates. The main point of the class-action isn’t that the account breach happened per se, but that Epic Games failed to maintain proper security measures in the first place. Also that Epic waited several months before notifying anyone.
Other issues are with the vulnerability itself and how Epic Games simply advised its users to change passwords. Based on information provided by Check Point, updating passwords would have done nothing to safeguard against the breach that occurred.
“By discovering a vulnerability found in some of Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker. Once clicked, with no need for them to enter any login credentials, their Fortnite username and password could be immediately captured by the attacker,” Check Point head Oded Vanunu explained.
“Even if you had a security product looking for anti-phishing, it wouldn’t catch the hack because it’s coming from a legitimate domain.”
As of right now, there are over 100 individuals signed on to the class-action, though that number could grow given that millions of people were potentially impacted by the breach. Epic has faced a number of lawsuits in the past for various reasons such as “stealing dances” and profiting off them, to stealing the unique take on the Battle Royale genre from predecessor PUBG.
All of these lawsuits were quickly resolved, and Epic’s lawyers are pretty seasoned at this point. We’re curious to see how they handle this class-action though, especially given that Epic appears to have accepted at least partial responsibility for the breach. Something else worth noting is that Epic’s failure to provide account security and the breach that followed are among the reasons why gamers have risen up against the Epic Games Store.
We agree that it’s a legitimate concern, particularly as people tie credit card information to Epic Games Store purchases. We hope Epic will take this class-action and the backlash towards the Epic Games Store as a chance to beef up their cybersecurity. After all, no one should have to suffer the panic of an account breach due to a vulnerability they had zero control over.
We’re curious to hear your thoughts on the matter. Should Epic Games pay out damages to those impacted by the account breach? What’s the best outcome for participants in the class-action lawsuit? Let us know down in the comments below.