A number of accounts have recently been compromised using well-known hacking techniques. Epic Security is providing this bulletin to explain what’s happening and how to best secure your Epic account and other accounts.
Though it’s common to use the same password across multiple Internet sites, this is a dangerous practice and should be avoided. If one of those sites is compromised, hackers can use your email and password from that site to break into your account on other sites using the same password.
Here’s what happens: Attackers frequently download password dumps - lists of username/password combinations -from third party sites and use credential stuffing to find out what other websites those credentials work on. When they are successful at logging in to those accounts, they see what trouble they can create for the account holder. In many cases, that appears as fraudulent V-Buck purchases.
Fake Fortnite Offers
We’ve seen several instances of account theft and fraud related to websites that claim to provide you free V-Bucks or the ability to share or buy accounts. Please never share your Epic account details with anyone. Epic will never ask you for your password through email, social media, or a non-Epic website. Groups claiming to provide special Fortnite deals this way are fraudulent.
How Do I Know If I’m At Risk?
There is a fantastic web service (Have I Been Pwned) that will let you search your email address and determine if it has been part of any data breaches. If it has, you should assume that the password associated with that service is public knowledge and change all accounts that use it (not just your Epic account!)
Even if your account information hasn’t been publicly identified as leaked, it’s possible that it may be leaked in the future, so there are steps that you can do to help protect yourself against that. You can start by signing up for the Have I Been Pwned notification service so you’re immediately alerted if your email is ever included in future dumps.
What Are We Doing To Help?
At Epic, we’ve been working hard to try to hunt down password dumps in order to proactively reset passwords for player accounts when we believe they are leaked online. While this approach involves a lot of manual work on our side, we believe that it prevents a significant amount of fraud. However, this approach doesn’t find every impacted account, or you might have created your Epic account after we checked a particular password dump.
As a result, we’re working to further automate our process to check our account database against password dumps to close the gap on identifying impacted users and resetting their passwords. We’re also working hard to enable multi-factor authentication in the next few weeks and plan to have an additional blog post with more details soon.
Use Unique Passwords
We recommend using unique passwords as a way to protect yourself from credential stuffing attacks. Having a unique password for every service will guarantee that one compromised account won’t lead to everything you own being stolen.
Of course, it can be hard to remember so many different passwords. Consider using a password manager to help. Using a password manager, you can generate a unique password for every service and only remember a single strong password (for the password manager).
Link Your Social Accounts For Extra Security
Recently, we rolled out support to integrate Facebook and Google logins with our Epic account system. This provides you several advantages.
First, you can log in without needing to use your Epic password, as long as you’re actively logged in to Facebook or Google on your browser. You’ll receive a login prompt asking you to authorize the activity and then will be let straight in.
Second, you can always use these login methods to regain access to the account in the event that it is locked due to invalid passwords. Due to the additional security measures provided through Google and Facebook login, you can set correspondingly more secure passwords for your Epic account and then not worry about using them due to the pass-through authentication with Google and Facebook.
Install And Update Antivirus
While antivirus and antimalware products won’t solve every problem, they will help keep your computer safe from a lot of threats. Epic doesn’t endorse any particular product, but you can view a list of options here along with the various features of each. Keeping your computer clean of unwanted software will again minimize the number of ways your account can be compromised.
Keep Your Computer Up To Date
You should always keep your operating system, installed software, and drivers as up to date as possible. Small bugs from outdated drivers or software can result in performance issues or other game stability issues while missed security updates could compromise your entire computer. Epic always recommends updating to the latest secure versions of software and operating systems.
Don’t Trust Shared Systems
Logging in from a shared computer (cyber cafes, libraries, a friend’s house, etc.), introduces additional risk. Only log in on shared systems controlled by people you trust. Just by logging into your account on a shared system, your credentials could be stolen and you have no real insight into how secure those machines are.
If you’ve used an untrusted shared machine in the past, we recommend changing your password to ensure that it’s not compromised. If you play on a shared machine on a regular basis, it is critical that you use a unique password for your Epic account and make sure to log out of the launcher when finished each time.
Enable Multi-factor Authentication When Possible
Epic’s account doesn’t yet support multi-factor authentication, but we’re working to implement it as quickly as we can. We’re sorry this hasn’t come online sooner, and we’ll have an update on the status of this within the next two weeks.
Multi-factor Authentication helps keep your account secure by requiring more than just a password. We recommend enabling it on every service you can. This site will let you review different services and see which support it.
Don’t Share Accounts
While sometimes you might struggle to complete that quest and would love for a friend or family member to help, we encourage you not to share your account information with others. Any actions committed on your account are your responsibility. If someone cheats on your account and it is banned, it is your responsibility as the account holder.
Don’t Buy Accounts
Sometimes, people get tired of a game and want to quit - and would like to get something for the time they’ve invested in the game. As a result, they’ll list their accounts online. While you might be tempted to purchase one and gain access to the sweet skins they have, please don’t. As the original account creator, they are likely in possession of significant facts that may enable them to recover the account through our Player Support process (such as transaction history, address history, etc.) by claiming you stole the account.
There’s No Such Thing As A Free V-Buck
We’ve seen the sites online, just like you. Click here, put in your username, maybe answer a survey question or two, and you’ll get as many free V-Bucks as you’d like. Those sites aren’t real. They want you to enter your account credentials into their page (enabling them to log in as you and create fraudulent charges) or else encourage you to click down a chain of advertising referrals, getting click-through advertising money for the person running the site. Under no circumstances are those sites able to actually grant V-Bucks. Our legal team is constantly prowling to hunt down those sites.
If you’ve tried one of them in the past, we encourage you to change your password as soon as possible.
Verify Email Address
While it is currently optional, we ask that you please verify your e-mail address associated with your Epic account. This will help protect your account when we implement multi-factor authentication and make it easier for Player Support to contact you in the event of any anomalous activity with your account.