Fortnite hackers making a fortune from reselling stolen accounts

21 Dec 2018 | 2-factor Authentication, Security threats

by Danny Bradbury

Teenage hackers have been making a fortune from selling stolen accounts for the popular online game Fortnite, it emerged this week.

Players have been reporting stolen accounts for a while, but this week the extent of the “Fortnite cracking” problem was revealed. The BBC interviewed one Slovenian teenager who said he had made £16,000 (around $20,000) in the last seven months.

The attackers access the accounts using a technique called credential stuffing. They take lists of usernames/email addresses and passwords that were exposed in hacks of other online services and then posted online, and try those credentials against Fortnite’s login. When one of these credentials works, it’s because the legitimate Fortnite gamer reused their password from another service.
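From the defending side, credential stuffing leaves a recognisable shape in login logs: one source trying many different accounts and mostly failing, rather than many guesses against one account. The following is an added example, not part of the original article or any Epic Games code; the log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not from the article); the line format is an assumption.
SAMPLE_LOG = """\
2018-12-20T10:00:01Z ip=203.0.113.7 user=ana@example.com result=FAIL
2018-12-20T10:00:02Z ip=203.0.113.7 user=ben@example.com result=FAIL
2018-12-20T10:00:02Z ip=203.0.113.7 user=cy@example.com result=OK
2018-12-20T10:00:03Z ip=203.0.113.7 user=dee@example.com result=FAIL
2018-12-20T10:00:04Z ip=203.0.113.7 user=eli@example.com result=FAIL
2018-12-20T10:00:05Z ip=203.0.113.7 user=fay@example.com result=FAIL
2018-12-20T10:01:10Z ip=198.51.100.4 user=gus@example.com result=FAIL
2018-12-20T10:01:25Z ip=198.51.100.4 user=gus@example.com result=FAIL
2018-12-20T10:01:40Z ip=198.51.100.4 user=gus@example.com result=OK
"""

def parse(line):
    """Turn 'ts ip=.. user=.. result=..' into (ip, user, succeeded)."""
    _ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return fields["ip"], fields["user"], fields["result"] == "OK"

def find_stuffing(log_text, min_accounts=5, max_hit_rate=0.5):
    """Flag sources that try many distinct accounts and mostly fail.

    Returns {ip: {"accounts_tried": n, "hits": [accounts that logged in]}}.
    A user mistyping their own password touches one account and is ignored.
    """
    tried, hits = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse(line)
        tried[ip].add(user)
        if ok:
            hits[ip].add(user)
    report = {}
    for ip, users in tried.items():
        hit_rate = len(hits[ip]) / len(users)
        if len(users) >= min_accounts and hit_rate <= max_hit_rate:
            report[ip] = {"accounts_tried": len(users), "hits": sorted(hits[ip])}
    return report

if __name__ == "__main__":
    for ip, info in find_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

Accounts listed under `hits` are the ones to lock and force through a password reset, since the login succeeded with a reused password. Counting per source address is only one signal, so the same grouping can be applied to other keys such as client fingerprint or time window.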

A successful account thief doesn’t know what they’ll get. It could be a valueless newbie’s account or something with more valuable electronic items.

Created by Epic Games, Fortnite is a gaming phenomenon, with earnings estimated in the hundreds of millions of dollars. It comes in various versions but the most popular is Battle Royale, which pits 100 players against each other in a gradually decreasing circle of play. The last player standing wins.

Its users can earn or buy the game’s internal currency, called V-Bucks. They can then use this currency to purchase in-game accessories like character models, skins for their backpacks and weapons, and emotes (such as dances for their characters to perform).

Some of these items are extremely rare and are worth a lot of money in the real world, so intruders that steal an account with valuable items can sell the account on for a big profit, sometimes making hundreds of pounds.

Users can make it far harder for attackers to steal their accounts by turning on two-factor authentication (2FA), which Fortnite supports using either a mobile authenticator app or via email.

Fortnite offers players incentives to turn on 2FA, like backpack slots and a Troll Stash Llama, along with a free emote. Even so, many players aren’t taking the hint.

When a hacker steals an account, there may be a window for the victim to reset their password, but the hacker might get there first. If the hacker switches on 2FA, they block the user from accessing their account.

However, even users that do turn on 2FA could still be vulnerable if they use the email-based 2FA option. If they’re reusing the same passwords across their Fortnite and email accounts, then the attackers could steal their email accounts too and intercept any communication from the game’s security system.

This isn’t the first time that gaming accounts have been stolen and traded online. In 2017 Riot Games, which makes League of Legends, went to court to stop someone operating a website that it said traded in stolen accounts. In 2014, the Guardian noted that crooks were also stealing accounts for the online gaming service Steam using botnets and then selling them online.

There have also been several incidents of password thefts from gaming forums, including a forum breach at Epic Games in 2016. Forum account thefts could let players into a gamer’s online game account, if they used the same login credentials, although Epic protected its passwords by salting them with extra data, making them far more difficult to crack.

The takeaway here is that if you haven’t turned on 2FA, you should do so now, not just for Fortnite but for any online service that supports it. Use complex passwords and a password manager, and never reuse your passwords. If you have reused passwords, go and change them now.

One comment on “Fortnite hackers making a fortune from reselling stolen accounts”

  1. Anonymous says:
    December 21, 2018 at 6:57 pm

    I want to play it
