Gaming giant Electronic Arts (EA) confirmed that about 50 high-profile FIFA 2022 accounts were hacked over the last few weeks.
In a statement, the company said the accounts were compromised through phishing techniques and other social engineering methods that were used to dupe EA customer experience team members into helping the hackers get around two-factor authentication. EA said the hackers used "threats" to "exploit human error within our customer experience team."
"Over the last few weeks we've been made aware of reports that high-profile player accounts are being targeted for takeover. Through our initial investigation we can confirm that a number of accounts have been compromised via phishing techniques," EA said in a statement.
"At this time, we estimate that less than 50 accounts have been taken over using this method. We are currently working to identify rightful account owners to restore access to their accounts, and the content within, and players affected should expect a response from our team shortly. Our investigation is ongoing as we thoroughly examine every claim of a suspicious email change request and report of a compromised account."
Gamers took to social media over the last two weeks to complain about the issues. While the EA statement cites fewer than 50 accounts, the initial story about the incident from Eurogamer said the top 100 traders in FIFA Ultimate Team were targeted. Many of these players make significant amounts of money through their gameplay.
French soccer star Valentin Rosier wrote on Twitter that his FIFA account had been hacked as well, causing him to lose access to 60 million credits. He also expressed worry because he put money into his account.
One of the biggest FIFA players in the world said that his account was given to "a random person via the live chat, a clear breach of data protection laws."
"I told EA live chat 2 times to add notes to my account to put that my account was being targeted by hackers and to not change any details, and they still did it. Nothing more I could have done and tbh I shouldn't have to do anything. It is basic security, disgusting stuff," FIFA player FUT Donkey said.
In the comment section, the player shared a screenshot of dozens of emails received from EA's customer support team, explaining that the hackers were able to "spam the livechat asking to change my account details until some incompetent advisor finally gave them the account."
"It's not enough to get my stuff back, every last person who got hacked needs to get their shit back or we are taking action, clear breaches of data protection regulations in every country in Europe," the player added.
EA said all of its advisors and individuals who assist with the service of EA accounts will get "individualized re-training and additional team training" centered on security and phishing. The company will also be "implementing additional steps to the account ownership verification process" like managerial approval for all email change requests.
EA also plans to update the software used for the customer experience processes so that it can "better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process."
The changes, according to EA, may lead to longer wait times for gamers.
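The controls EA describes (manager approval for every email change, flagging at-risk accounts, and honoring an owner's request to freeze changes) can be sketched as a gate in front of the support tool. This is an added example, not EA's code: the names, the 7-day window, the threshold of three requests, and the second-reviewer rule for high-value or flagged accounts are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # assumed look-back window for repeat requests
REPEAT_LIMIT = 3            # assumed: requests inside WINDOW that flag an account

@dataclass
class Account:
    account_id: str
    high_value: bool = False   # e.g. a top trader
    owner_lock: bool = False   # owner asked support to freeze detail changes
    change_requests: list = field(default_factory=list)  # request timestamps

def is_flagged(acct, now):
    """At risk if the owner froze it or change requests keep arriving."""
    recent = [t for t in acct.change_requests if now - t <= WINDOW]
    return acct.owner_lock or len(recent) >= REPEAT_LIMIT

def decide_email_change(acct, now, advisor, approvals):
    """Return (allowed, reason); approvals maps staff id -> 'advisor' or 'manager'."""
    acct.change_requests.append(now)  # every attempt counts, including denied ones
    if acct.owner_lock:
        return False, "owner lock: verify out of band"
    # The advisor handling the chat can never approve their own ticket.
    others = {s: r for s, r in approvals.items() if s != advisor}
    if "manager" not in others.values():
        return False, "manager approval required"
    if (acct.high_value or is_flagged(acct, now)) and len(others) < 2:
        return False, "second reviewer required"
    return True, "approved"

def replay_constructed_tickets():
    """Replay constructed chat tickets (not real data) and return the reasons."""
    t0 = datetime(2022, 1, 10, 12, 0)
    regular = Account("constructed-001")
    locked = Account("constructed-002", high_value=True, owner_lock=True)
    hour = timedelta(hours=1)
    return [
        decide_email_change(regular, t0, "adv1", {"mgr1": "manager"})[1],
        decide_email_change(regular, t0 + hour, "adv2", {"adv2": "manager"})[1],
        decide_email_change(regular, t0 + 2 * hour, "adv3", {"mgr1": "manager"})[1],
        decide_email_change(locked, t0, "adv1", {"mgr1": "manager", "mgr2": "manager"})[1],
    ]

if __name__ == "__main__":
    for reason in replay_constructed_tickets():
        print(reason)
```

Because denied attempts are still recorded, repeated requests across different advisors raise the bar for the account instead of giving the requester another independent try.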
BreachQuest co-founder Jake Williams said it is always difficult to eliminate the risk of account compromise when social engineering of support staff is the exploitation vector.
"By definition, customer support staff are expected to assist people who often have imperfect information about their accounts. Unfortunately, scammers can also amass imperfect information about their victim's accounts," Williams said. "Operations that provide access to high profile or high value accounts should require review by multiple staff (ideally including a senior staff member)."