New data from Akamai, an internet delivery and cloud services company, has exposed that the video game industry remains a growing threat vector for security breaches. Hackers have targeted 12 billion credential stuffing attacks against game websites within a 17-month period. Emuparadise, the retro gaming site, is the latest gaming community to admit having suffered a credential stuffing attack.
So why is gaming such a weak link?
Industries that have significant financial risk, like banking or ecommerce, store passwords in robust hashing algorithms that make them difficult to crack. This deters cybercriminals who look for the easiest and fastest way to breach systems: credential stuffing attacks. Those are attacks where other sites with passwords have been hacked, and those names and passwords can then be attempted.
The rise and success of credential stuffing attacks is a result of people continuing to reuse the same passwords across multiple accounts. Google identified that 59% of online users reuse passwords. When a data breach happens, user credentials are exposed and can subsequently be found on the internet and the dark web. Cybercriminals use a bot with a list of exposed credentials against a website to gain access to an account on that site. When the bots successfully access an account, it’s logged. From there, they can either takeover the account or they can sell the data to other bad actors for use at a later date.
The reason that gaming is subject to so many breaches is twofold; No. 1, most video game companies use low-friction authentication measures because increasing friction drives customer attrition and results in a loss of revenue. The second issue is that from a consumer perspective, gaming is seen as having a low financial risk and, as a result, gamers tend to use less secure passwords. Adding to these challenges is the fact that game developers are pressured to deliver more products at a faster pace, meaning there are more bugs and security issues for cybercriminals to exploit. This has created a perfect storm in the video game industry upon which hackers are all too eager to capitalize.
Credential stuffing isn’t the only security vulnerability that gamers need to be cognizant of. Gaming forums are another easy opportunity for hackers. The forums are a place to learn more about the game and to get tips and tricks, but many of them are free, and the owners tend to run these forums in their spare time. Despite the efforts of the hosting companies rolling out security updates and features, it’s ultimately up to the forum administrators to update patches and maintain security on the forum. As it’s typically a passion rather than a paid profession, it’s not uncommon for these updates to fall through the cracks. As a result, it’s easy to hack into most video game forums, and as most people reuse passwords across multiple sites, credentials for video game sites are used not only in attacks to penetrate the gaming accounts but in attacks on numerous other industries.
Outside of these game-specific risks, the bottom line is non-gaming breaches on totally unrelated sites can also impact a video game site, because we are all guilty of using the same password for multiple different sites. This is validated by the fact that the Yahoo and Target breaches a few years ago are still affecting unrelated sites. According to BeyondTrust, nearly two-thirds (64%) of business polled worldwide admit they have been hit by a breach linked to abuse of user credentials in the past year, with 62% blaming compromised credentials belonging to third parties.
Why gamers need to think privacy, privacy, privacy
A significant number of gamers are young — elementary, middle, and high school-aged — who are less security-conscious and more trusting of people they meet online. To them, privacy is a learned behavior leaving them open to exploitation. They may need to be taught best practices to safeguard their accounts and understand the risks of using weak passwords linked to the games they play. This means avoiding easily guessed passwords such as the name of the game, favorite skins, characters, or gaming terms. In the case of Fortnite, for example, don’t create a password incorporating any of the following; Fortnite2019, BattleRoyale, Crackshot, BunnyBrawler, NoNoobies, or SummerDrift.
The gaming industry conundrum
Providing a seamless online experience is paramount in the digital age and, as a result, many organizations balk at implementing robust security procedures for fear of alienating customers. The challenge for the video game industry is to find a balance between increased security without frustrating its players. One notable exception is Microsoft, which has deployed vigorous security measures with Xbox in line with the rest of its business. As a result, it’s almost impossible to find Xbox credentials on the dark web.
Without a fundamental change in approach from both gamers and the industry overall, the escalation of this problem shows no signs of slowing down. Next year’s data looks set to continue to reflect this growing cybersecurity black hole.
Michael Greene has deep software and cybersecurity experience acquired from a range of different roles with a variety of global high growth companies. He is currently CEO of Enzoic.