Sabrina -

Activision shoots down data breach claims

Gaming company denies there has been any data breach after up to 500,000 accounts appeared to have been compromised, but evidence mounts that credential stuffing attacks are to blame

Gaming company Activision, the firm behind franchises such as Call of Duty, has branded reports of a major data breach that has seen up to half a million player accounts hacked and their owners locked out, as “not accurate”.

Reports of a widespread hack affecting thousands of Activision player accounts surfaced on 20 September and were traced to a – now suspended – Twitter account that claimed the cyber attack was “worse than the notorious PS3 hack”, a reference to a 2011 incident.

However, in a statement circulated by Activision’s support team on Twitter, the firm said this was not the case.

“Reports suggesting Activision Call of Duty accounts have been compromised are not accurate,” it said. “We investigate all privacy concerns. As always, we recommend that players take precaution [sic] to protect their Activision accounts, as well as any online accounts, at all times.

“You will receive emails when major changes are made to your Call of Duty accounts. If you did not make these changes, please be sure to follow the steps provided.”

Nevertheless, with login details for multiple Activision accounts allegedly being leaked and many players reporting their accounts inaccessible, it is clear that some kind of incident has taken place, most likely a credential stuffing attack.

Defined as the practice of using stolen credentials from one service to gain access to accounts on others where the same password has been used, credential stuffing attacks are easy pickings for cyber criminals as absent strict protective measures from the service provider thwarting them depends on the individual users’ security hygiene.

Accounts for media and entertainment services are known to be particularly vulnerable, and valuable, to cyber criminals – especially given the increased reliance on internet services during the Covid-19 pandemic – with credential stuffing attacks frequently affecting users of Amazon Video, Netflix and Disney+, to name but a few.

David Kennefick, product architect at Edgescan, said that in Activision’s case, the company appeared to have failed to implement measures that might help users ward off credential stuffing attempts.

Read more about credential stuffing attacks

  • Attacks on the media sector are spiking as cyber criminals try to gain access to valuable consumer accounts.
  • Social media service Houseparty denies its service has been hacked, and is offering a million-dollar bounty to anybody who can prove otherwise.
  • Mandatory password reset for all travellers who use TfL’s Oyster and contactless payment systems follows minor breach incident earlier in 2019.

“In general, it is best practice to enable MFA [multi-factor authentication] where possible, especially on accounts where there is valuable information available,” he said. “This option doesn’t seem to be available on, and there are also a few questionable password policies, including limits of 20 characters and disallowed special characters.”

Kennefick added: “When using a password manager, there are less limitations on password complexity, so they may consider removing these restrictions to encourage better password complexity and management.”

Niamh Muldoon, senior director of trust and security at OneLogin, added: “Given the profile of Call of Duty end-users, predominantly young male adults who may not be security conscious and/or aware, Activision now has a great opportunity to consider rolling out access control training and awareness through its platform as well as implement strong access control into its platform.”

Read more on Identity and access management products

Data Center
Data Management