Cybernews reports that Electronic Arts, the major U.S. video game company, left more than 700 million user accounts exposed through a critical vulnerability in its account system. The flaw could have been exploited to exfiltrate usernames and game data and to log in to accounts without authorization.
The exposure, caused by a misconfigured API, was discovered by game developer and ethical hacker Sean Kahler. He found hardcoded credentials in a game's executable, which gave him a privileged access token for a developer testing environment and, from there, broad access to the account system. Kahler reported the issue to EA in June, but patches were only issued between July and October. "Given the severity, it's a bit strange how long it took EA to get fixes out. Their original estimation was that it wouldn't be done until the end of the year despite this being a simple case of exposed documentation and a single insecure endpoint. I understand it's more complicated than that internally, but a quick patch to fix the crux of the problem would've been prudent," said Kahler.
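Kahler's entry point, a credential hardcoded into a shipped game binary, is something a defender can hunt for before release rather than learn about from a researcher. The script below is an added example written for this page; it is not code from the original article, from EA or from Kahler, and nothing in it is derived from EA's software. It extracts printable strings from a binary the way the `strings` utility does and flags credential-like content (keyword=value pairs, bearer tokens, JWT-shaped strings, long high-entropy token runs) plus embedded API endpoints, which are the second half of what an attacker with a leaked token needs. The sample bytes are constructed for the example, and the keyword list, regexes and entropy threshold are assumptions to tune per project.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample "executable": an ELF-like header, some low-value strings,
# an embedded client secret, an API endpoint and a hardcoded bearer token.
# None of this is real data; it exists only so the scanner runs offline.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(0, 64)) + b"\x00"
    + b"Hello Player\x00"
    + b"client_secret=Zx9vQ2pL7mN4kR8tW1yB6cF3hJ5dG0sA\x00"
    + b"https://example.test/api/v2/accounts\x00"
    + b"Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZXYifQ.abc\x00"
    + b"DEADBEEF" * 4          # long but low-entropy: must NOT be flagged
    + bytes(range(128, 192))   # non-printable padding
)

# Assumed heuristics (tune per codebase).
KEYWORD_RE = re.compile(
    r"(?i)\b(client_secret|api[_-]?key|secret|password|passwd|token)\s*[=:]\s*\S+"
)
BEARER_RE = re.compile(r"\bBearer\s+\S+")
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")
URL_RE = re.compile(r"https?://[^\s\"']+")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{20,}")   # base64/alnum runs long enough to be a key
ENTROPY_THRESHOLD = 4.0   # bits per char; a random 32-char alphanumeric key sits near 5.0


@dataclass(frozen=True)
class Finding:
    offset: int            # byte offset of the string inside the binary
    text: str
    reasons: tuple[str, ...]


def extract_strings(data: bytes, min_len: int = 8):
    """Yield (offset, text) for each run of printable ASCII at least min_len long,
    the same heuristic the `strings` utility uses."""
    start = None
    for i, b in enumerate(data):
        if 0x20 <= b <= 0x7E:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None
    if start is not None and len(data) - start >= min_len:
        yield start, data[start:].decode("ascii")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, repeated filler scores low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(text: str) -> tuple[str, ...]:
    """Return the reasons a string looks like a secret or an endpoint (empty if benign)."""
    reasons = []
    if KEYWORD_RE.search(text):
        reasons.append("credential-keyword")
    if BEARER_RE.search(text):
        reasons.append("bearer-token")
    if JWT_RE.search(text):
        reasons.append("jwt")
    if URL_RE.search(text):
        reasons.append("api-endpoint")
    # Entropy is only measured on token-shaped runs, so punctuation-heavy
    # data tables and plain prose do not trip the check.
    if any(shannon_entropy(m.group()) >= ENTROPY_THRESHOLD for m in TOKEN_RE.finditer(text)):
        reasons.append("high-entropy")
    return tuple(reasons)


def scan(data: bytes, min_len: int = 8) -> list[Finding]:
    """Scan a binary blob and return every suspicious string with its offset."""
    return [
        Finding(off, text, reasons)
        for off, text in extract_strings(data, min_len)
        if (reasons := classify(text))
    ]


if __name__ == "__main__":
    for f in scan(SAMPLE_BINARY):
        print(f"0x{f.offset:08x}  {', '.join(f.reasons):<32} {f.text}")
```

Run it against a real build artifact with `scan(open(path, "rb").read())`; the offsets let you jump straight to the string in a hex editor or disassembler to see what code references it. Treat a hit as a build-pipeline failure, not a warning: once a token ships in a binary it has to be assumed public, and the only fix is revocation plus a change to how the client obtains credentials.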