EA is downplaying reports of a possible data breach circulating online, saying that it currently has no indication that a list of user account credentials appearing on the site Pastebin was obtained by an intrusion of EA’s servers. However, the company says that, as a precaution, it will proceed to secure the accounts where the EA or Origin user ID matches the usernames on the list.
The company didn’t say how that was being done, but it will likely involve a forced password reset.
The news was first reported by the security-focused website CSO, which had been alerted to the potential breach by one of the victims. The victim claimed that the list of accounts, which has now been pulled from Pastebin, included their EA username, password, email and a full list of their games. But CSO says that wasn’t the case for all the accounts, noting that only some accounts featured the email, password and dates that looked like birthdates, while others seemed to have redacted or corrupted information.
There was initial concern that EA could be yet another business whose account databases had been breached – and, had that been the case, it would not have been the first time the company found itself in this situation. Last year, EA admitted to an older data breach that reportedly affected over 40,000 forum members, after a whistleblower came forward.
For now, however, EA is stating that its databases were not infiltrated.
In a statement, a spokesperson notes that:
“Privacy and security is our top priority at EA. At this point, we have no indication that this list was obtained through an intrusion of our account databases. In an abundance of caution, we’re taking steps to secure any account that has an EA or Origin user ID that matches the usernames on this list. As always, we encourage all players to safeguard their account credentials and use unique usernames and passwords on all online accounts.”
Reading between the lines, this could instead indicate a scenario where usernames used for other online accounts have now been used in either a phishing or brute force attack to gain entry to EA accounts. With the number of user credentials circulating around the web thanks to prior attacks, it’s fairly trivial for hackers today to take those usernames and emails to create phishing emails or other attacks. In other cases, they simply try the same username and password combos on other services, then share their results.
In fact, the CSO piece points out that a check showed some of the accounts listed in the new Pastebin post were those involved in other data breaches, including Adobe, Patreon, the Bitcoin Security Forum Gmail dump, and more. However, other accounts were exposed for the first time via this new list, the post indicates.
But even if EA is saying it has not been hacked, that doesn’t mean that EA account holders have not seen their user accounts accessed by bad actors. It just means that the credentials hackers may have used weren’t directly extracted from EA’s servers.
It’s also unclear at this time whether the list on Pastebin contained new account info, or was recycled following a prior breach or attack. EA couldn’t say, either. However, the company did note that the “number of actual valid/active accounts in the list was very small,” we’re told.
If anything, the news is a reminder of the dangers of using the same username and password combo for services around the web, as one data breach could have a long-lasting impact on the security of your personal information.