Now that the online gaming and esports industry is valued at over $100 billion, it has also become a prime target for cyber threats. The majority of PC games are delivered through digital platforms such as Steam, and users store their credentials, and often their payment details, in these platforms. Digital platforms like Steam, EA Origin, Blizzard’s Battle.net, and a handful of other game clients are therefore ripe for malicious attacks. Steam alone has over 125 million users. Also at risk are game-specific clients, such as Garena’s League of Legends.
With so many gamers not thinking twice about storing payment information in platforms like Steam, it’s absolutely certain that hackers will continue to target these digital gaming clients. And because esports conventions attract massive crowds, all connecting to public WiFi, these events are prime targets for malicious attacks.
To combat this threat, client developers should make security a top priority. Digital platforms need to undergo rigorous pen-testing by experienced IT security consultants. Gamers also need to keep their clients up to date, and to be extremely wary of what they do while connected to public WiFi networks, such as at esports conventions. Connecting to a VPN would also add a layer of security.
This isn’t a hypothetical scenario: hackers can and have breached these game platforms, stealing large amounts of customer data. In 2016, researchers at Kaspersky raised serious concerns over the discovery of malware known as the ‘Steam Stealer’.
The ‘Steam Stealer’ reportedly steals the account credentials of 77,000 Steam members each month and, with 1,200 variants in circulation, Kaspersky’s researchers, Santiago Pontiroli and Bart P, claim these data breaches have “turned the threat landscape for the entertainment ecosystem into a devil’s playground”.
In 2017, hackers managed to get into the database of ESEA (E-Sports Entertainment Association League) and threatened to release the details of over 1.5 million user accounts unless a $100,000 ransom was paid. ESEA is one of the leading matchmaking services in online gaming, and offers professional tournaments with cash prizes for popular games like Counter-Strike: Global Offensive and Team Fortress 2.
ESEA advised players to secure their accounts while it worked to patch the vulnerability. The hackers later also breached the ESEA game server infrastructure, changing every player’s karma rating to a score of “-1337”.
Then in late 2018, an independent security researcher uncovered a critical bug in EA’s Origin client that allowed a malicious party to scrape account data. The researcher, who goes by the online handle Beard, explained the bug:
“The bug occurs when you use the EA Origin client but request to edit your account on EA.com […] The EA Origin client will spit out an auto-login URL, in which the token is basically the equivalent of your active username and password.”
Auto-login URLs are fairly common, and are typically tied to cookies already stored on the user’s device. That was not the case with the EA Origin auto-login URL, which could be used without any prior authentication. An attacker could then guess a user’s security question, hijack the account entirely, and use any stored payment method associated with it.
The scariest thing about the bug was how these auto-login URLs could easily be harvested from unsecured WiFi networks. If an attacker were to hit an esport convention where a large number of users were connecting to a public WiFi, and then logging into EA Origin accounts, the damage could have been massive.
Fortunately, the independent researcher quickly notified EA of the bug, and a patch was released soon after. It is, however, just one example, alongside the others described above, of how tiny security flaws can put millions at risk.
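To show what separates a credential-equivalent auto-login URL like the one described above from a safer design, here is an added illustration (constructed for this article, not EA’s code or patch) of an auto-login token that is opaque, short-lived, and redeemable exactly once; the `AutoLoginIssuer` class, the `player42` user id and the injected `now` timestamps are all assumptions made for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple


class AutoLoginIssuer:
    """Short-lived, single-use auto-login tokens (constructed example, not EA's code).

    The token is a random opaque value carrying no username, password or session
    material; it expires after a short TTL; it can be redeemed once; and only a
    hash of it is stored server-side, so a leaked table yields nothing redeemable.
    """

    def __init__(self, ttl_seconds: int = 60) -> None:
        self._ttl = ttl_seconds
        # fingerprint(token) -> (user_id, expires_at)
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store a digest rather than the token itself.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        """Mint a token for an already-authenticated user; `now` is injected for testability."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, no user data inside
        self._pending[self._fingerprint(token)] = (user_id, now + self._ttl)
        return token

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Return the user_id if the token is valid, else None.

        Fails closed: every lookup consumes the record, so a replayed, expired
        or forged token never becomes redeemable later.
        """
        record = self._pending.pop(self._fingerprint(token), None)
        if record is None:
            return None  # unknown, already used, or forged
        user_id, expires_at = record
        if now > expires_at:
            return None  # expired: rejected and already discarded
        return user_id

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    issuer = AutoLoginIssuer(ttl_seconds=60)
    url_token = issuer.issue("player42", now=1000.0)
    print("first use:", issuer.redeem(url_token, now=1010.0))  # player42
    print("replay   :", issuer.redeem(url_token, now=1011.0))  # None
```

Redeeming a token should only start a fresh session; sensitive actions such as changing the password or security question should still require re-authentication.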