Earlier this month, reports emerged that major game publisher Electronic Arts had been hacked. While the company appeared to have been taken by surprise, more recent reports suggest otherwise. The company had been warned of its domain vulnerabilities, and those warnings were ignored for months.
ZDNet reports that representatives from Israeli cybersecurity company Cyberpion approached EA late last year regarding this. Cyberpion had warned of at least six vulnerabilities, including login pages that connected via HTTP rather than the safer HTTPS protocol. Other issues include over 500 DNS misconfigurations across the publisher’s domains. The firm even went as far as to simulate an attack based on the disclosed vulnerabilities in December 2020.
The report states that EA acknowledged the vulnerabilities disclosed by Cyberpion. The publisher also said that it would contact the cybersecurity firm if it had any more questions, but that never happened, which may have ultimately led to the hack earlier this month. Vice reports that the hack was initiated as simply as buying stolen cookies – the very same kind that websites these days tell you they use – for US$10 (~RM42).
EA has responded to the statements by Cyberpion, stating that the latter approached them as a potential vendor. The publisher explained that the cybersecurity firm did not provide them with a full list of the vulnerabilities, but instead asked for a sales meeting to “show off their techniques”. Beyond that, EA also said that Cyberpion did not follow its product security vulnerability disclosure process. With hindsight, that sounds like a strange deflection of responsibility given the events that transpired.