It turns out that for the millions of people playing Fortnite, there was more than just a Victory Royale at stake.
On Jan. 16, internet security firm Check Point Research disclosed a vulnerability in the popular online video game that could have allowed malicious actors to take over practically any Fortnite account — all a player had to do was click a malicious link.
“By discovering a vulnerability found in some of [Fortnite owner] Epic Games’ sub-domains, an XSS attack was permissible with the user merely needing to click on a link sent to them by the attacker,” explains the report. “Once clicked, with no need even for them to enter any login credentials, their Fortnite username and password could immediately be captured [by] the attacker.”
Epic Games confirmed the now-patched vulnerability in a statement to the Washington Post, noting that it “[encourages] players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”
The vulnerability was discovered “the last few weeks,” writes Check Point Research, and “a fix was responsibly deployed” by Epic Games after the company was notified.
Fortnite, for those still unaware, is a gaming phenomenon — drawing, according to Epic Games, 78.3 million players in August of 2018 alone. That’s a lot of potentially hacked accounts.
Notably, this isn’t the only bad Fortnite news to drop today. According to The Independent, the game’s currency has been used to launder money by criminals. Dubbed V-bucks, the digital dollars were reportedly purchased from the in-game store using stolen credit cards and then resold to players at a discounted rate for bitcoin or bitcoin cash.
“Epic Games takes these issues seriously, as chargebacks and fraud put our players and our business at risk,” an Epic Games spokesperson told The Hollywood Reporter.
So the next time you log in for a little old-fashioned battle royale, keep in mind that it’s not just the grenade launchers and hand cannons that could hurt you.