rllmuk
Harsin

EA Origin Hacked?


Thanks for forcing me to have an Origin account if I want to play any of your games on my console EA!

http://www.rockpaper...-your-password/

Uh-oh. Eurogamer are reporting that a number of people have woken up this morning to find that their EA Origin account has been hacked. Receiving emails telling them that changes have successfully been made, recipients are not too delighted since they never asked for any. And then of course getting control of their accounts back again is a great big palaver. It’s even happened to one of Eurogamer’s own.

Rather than the phishing scam it might at first appear to be, these really are successfully changed account notifications. Which means someone has got hold of both a username and password of an account holder, and been able to circumnavigate the security that prevents an outsider being able to change such details. Because, as is mostly the norm, there isn’t any. I’ve just loaded my own Origin account, and when logged in all I need to do to change the password is know the old one. That done, the original account holder is locked out. Fairly standard, obviously.

And because your Origin account details are the same as those for your EA profile, with the same info you can log into profile.ea.com and change the email address too. The only security check to do that is, obviously, to enter the same password again. Doing this sends an email to your previously registered address, but contains absolutely no information about what it’s been changed to. So once someone’s been in and changed the details, you’ve no way of knowing what they’ve changed either your email address or password to. They’ve got complete control of your account, and with that can even change your Origin ID.

Using this account to then buy games isn’t immediately possible, however. While Origin stores credit card information, it doesn’t store the three digit CSS code, making it have a practical application for the first time ever. And many banks now have that added layer of security requiring yet another password. So it’s unlikely they’ll be able to go on any sprees, and your card number is obscured other than the last four digits. However, what IS on full display is your home address.

A thread on NeoGAF reveals that this has been happening to a lot of people, over the last few days, and also that EA has not been too impressive in responding. However, one person reports a clever trick for at least finding out some of the email address of the person who’s nicked your account – resetting your EA account using a linked account, such as Xbox Live, rewards you with a message saying that an email has been dispatched, and to which domain. Then logging on to the associated XBL account, and downloading EA Sports’ app, the full email address was revealed.

EA assures Eurogamer that they are “escalating the matter”, but more details have yet to appear. So really the larger concern here is: how were email addresses and passwords of multiple accounts obtained? While very many online games and stores are getting hacked of late, passwords tend to be pretty well protected, and people are usually notified to change them after such an attack. Hopefully EA will be back with some answers soon. Meanwhile, it seems prudent to go change your Origin/EA account password now, just in case.

  • Upvote 3
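The failure the article describes (an e-mail change that applies immediately, with a notice to the old address that says nothing about the new one and offers no way back) has a common mitigation, sketched here as an added example that is not part of the original thread or EA's code: stage the change for a hold period and send the old address a masked copy of the new address plus a signed revert token. The `Account` class, the 72-hour window and all addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # server-side signing key, generated for this example
HOLD_SECONDS = 72 * 3600          # assumed cooling-off window before a change applies

class Account:
    def __init__(self, account_id, email):
        self.id, self.email, self.pending = account_id, email, None

def mask(email):
    """Show enough of the new address to recognise it, without disclosing it fully."""
    local, domain = email.split("@", 1)
    return f"{local[0]}***@{domain}"

def _sign(account_id, new_email, expires):
    msg = f"{account_id}|{new_email}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def request_email_change(acct, new_email, now=None):
    """Stage the change; return the notice to send to the CURRENT (old) address."""
    expires = int(time.time() if now is None else now) + HOLD_SECONDS
    acct.pending = {"new": new_email, "expires": expires}
    token = f"{expires}.{_sign(acct.id, new_email, expires)}"
    return {"to": acct.email, "new_address": mask(new_email), "revert_token": token}

def revert(acct, token, now=None):
    """Cancel a pending change using only the token from the notice (no login needed)."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    p = acct.pending
    if p is None or expires != p["expires"] or now > expires:
        return False
    expected = _sign(acct.id, p["new"], expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    acct.pending = None
    return True

def finalize(acct, now=None):
    """Apply the staged address only once the hold has passed without a revert."""
    now = int(time.time() if now is None else now)
    if acct.pending is None or now < acct.pending["expires"]:
        return False
    acct.email, acct.pending = acct.pending["new"], None
    return True
```

Because the revert token works without a login, the original owner can still cancel the change after the password has also been changed.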


I don't know if this is an Origin hack per se or some people's email addresses and passwords for Origin are the same as, for example, their email addresses and passwords for LinkedIn. But I'm sick of email addresses being used as usernames. All it takes is for someone to use the same email address as a username on multiple sites and the same password across their email and those sites and they've got a massive security problem if that password and email address ever get out.


All EA's iOS apps require you to log in with Origin as far as I'm aware. That shitty Simpsons city thingy, that I tried for 5 minutes, did at least and I know the Mass Effect companion app did as well.


It never ceases to amaze me that things like this don't have any form of multifactor authentication. No matter how complex your password, it's still just a password.

It's certainly becoming more commonplace with MMOs, and while the inconvenience of getting a physical key outweighs the fear of being caught by this sort of thing to a lot of people there's no reason they couldn't do a mobile app for two-factor authentication.


It's certainly becoming more commonplace with MMOs, and while the inconvenience of getting a physical key outweighs the fear of being caught by this sort of thing to a lot of people there's no reason they couldn't do a mobile app for two-factor authentication.

Or even just a downloadable grid that you print off or something. Shouldn't be that difficult.


It never ceases to amaze me that things like this don't have any form of multifactor authentication. No matter how complex your password, it's still just a password.

Steam does, and it works pretty well.

  • Upvote 1


So, my account was hacked (or whatever). I received an email yesterday saying I'd changed my email address, which I hadn't. In fact, I haven't even used Origin in months.

Crazily, in order to even phone up and tell EA, you have to have an account. The help guide actually tells you to sign up with a new email address to make a new Origin account and then use that account to contact support to sort out your old account. I've never known anything like it!

Of course, first I tried logging in anyway in case it was a mistake. Couldn't log in, so I requested a password change, sent to my email address, which it said it had sent. I didn't receive anything. (If the address on the account had changed, I would have expected an error message, not a "check your inbox" message. Presumably, then, the hacker received the email instead?)

So then I was able to set up a new account with the same email address (buh?) and used that to contact support. Fair play to them, I spoke to a helpful man who sorted it all out in about 5 minutes. That said, I couldn't remember my Origin 'tag' so I had to read out the serial number for Mass Effect 3 to prove the account was my account. What I would have done had I thrown the box away (as you would), I do not know. Thankfully, the account was restored and I was able to change the password. I only used Origin to play ME3 so thankfully no payment info was stored.

No explanation was given over the phone for how this might have happened, but it was sorted out for me at least.

What struck me as odd, however, is the fact that all I needed to retrieve my account over the phone was the email address originally used, a serial number of a game and my date of birth. Surely this information is in the account - what's stopping the 'hacker' from calling EA, pretending to be me, and getting into my account again (assuming they made a note of this info when they logged in)?

I've been a Steam user for over five years and never had a problem. I've been on Origin twice in not even nine months and been hacked. Frankly, Mass Effect 3 wasn't really worth the hassle. I'll be avoiding "Origin-only" games from now on, I think.

  • Upvote 1


I've received the following e-mail.

You're receiving this email because you requested a password reset for your Origin Account. If you did not request this change, you can safely ignore this email.

To choose a new password and complete your request, please follow the link below:

This wasn't generated by any request I've made.

Nothing appears to have been changed on my account and it looks like they've recently added a two-step verification system, so I've switched that on as well.

How worried should I be?


Change your email address password, it's likely compromised.

How did you come to that conclusion?

If anything, that email not being intercepted and actioned indicates that his email account is safe.

How worried should I be?

Looks like someone tried to sign in with your account, probably thinking it was theirs (entered their email slightly wrong maybe) then went through the 'i forgot my password' bit.

You then got the email to kick off that procedure. It even says to ignore it if you didn't request the change.

  • Upvote 1


If they had his Origin details they'd change the Origin password and get to work on it. If they have his email details they'll use their access to work on resetting the password on all the accounts they can find that use it.

Better safe than sorry.


*bump*

Cross post from the BF4 thread but I'm looking for some tips :( I've also realised I never received any email notifications saying any changes were made which is really slack:

I imagine like most of the world you already had a linked origin account and you just need to migrate that to PSN

Nope, I just had the one email address and it was fine.

What it seems has happened is that sometime in November, someone contacted EA and said they had 2 Origin IDs and wanted to merge the accounts. They could verify my account (with my security question the agent thinks) and so they sent my Origin ID to another account and also changed the email address on it.

As such, when I booted up battlefield it wanted a new origin ID as I no longer had one so my account shows as starting on 21/12/14 rather than 10 years ago or whenever it was.

He reckons they can't do anything as it was a 'legitimate verified' request they received even though he can see my Origin ID moved to one account in November and from that one to another. The logic of why I would do that and then call up all bemused about it seems irrelevant - as they verified the account the transfer will remain. One point he made was that as I couldn't verify the account where it was now, I couldn't have it back. I tried pointing out that the nature of a theft means that I wouldn't know who took it but again, irrelevant.

Someone is going to call back apparently but I'm not expecting anything.

I can't understand why someone would do it - there's no financial gain to be had?

TL;DR - does anyone work at EA and can help? :(

Also, would anyone have a screencap that showed my gamertag & Origin ID on it?

Thanks


Please note the original thread was from a while back - I bumped it I should have added.

I've updated my account with 2 factor authentication now too though. I wish I had before.


Please note the original thread was from a while back - I bumped it I should have added.

:facepalm:

Just changed my Origin password again.


Update for me:

Turns out customer service guy 1 was wrong. My account wasn't nicked, some bozo in the contact centre misunderstood what someone wanted and just nuked my (completely unrelated) account in error. I have it back now but all my stats are still gone - they are looking into getting them back.

I can pick an EA game from their range but I'm not sure what's around and I think I'm getting Dragon Age for Christmas.
