
Electronic Arts (EA) confirmed that over 50 high-profile accounts of FIFA players have been hacked over the past few weeks. 

EA confirmed in an official statement that the accounts were compromised using phishing techniques. Hackers used phishing and social engineering methods to trick the EA customer support team into helping them get around two-factor authentication. According to EA:

“Individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts.”

The affected individuals also took to Twitter and other social media to highlight the issue with FIFA account takeovers. While EA says only 50 accounts are affected, Eurogamer, which initially broke the news, says around 100 FIFA accounts have been targeted. It is important to note that professional players on FIFA make a lot of money through these gameplay accounts.

One of the biggest players on FIFA, FUT Donkey (top FUT trader on the PlayStation), said that his account was handed to a random individual through live chat, which is a clear violation of data protection laws.

FUT Donkey said on Twitter that after receiving multiple emails from the EA Customer Experience team regarding the account changes, he contacted live chat support multiple times and told them not to change any details of his account, as he had not made the request. Even then, the EA team changed the account information, helping hackers bypass two-factor authentication and take over the account.

He also shared a screenshot of the emails he received from the EA customer support team, which shows that cybercriminals were able to spam live chat into changing account details.

French soccer player Valentin Rosier also said on Twitter that his FIFA account had been hacked, resulting in a loss of more than 60 million credits. The affected players say that if they do not get their assets back in full, they will take legal action because the incident is a clear breach of data protection laws in Europe.

According to EA, the initial investigation reveals that 50 accounts have been compromised. The company is working to restore access to those accounts, and the EA team will contact the affected players.

EA also said that all individuals who assist with accounts will be re-trained, and that the company will implement additional security steps in the account verification process. It plans to update the customer support process to identify scams or suspicious activity and minimize potential human error.

Jake Williams, the co-founder of BreachQuest, says that when social engineering on support staff is involved, it is very difficult to eliminate the risks because, naturally, customer support is there to assist users who are having trouble accessing their accounts. “Unfortunately, scammers can also amass imperfect information about their victim’s account,” said Williams.

To avoid this, all operations related to high-profile accounts should be reviewed by multiple people before taking the final action.

The FIFA community has been really upset by this account takeover incident, as it shows a lack of security at EA. For now, EA has released official advice on account security, including 2FA.