Published: May 18, 2023 on our newsletter Security Fraud News & Alerts Newsletter.
In their own words, Activision explains what they do as “We connect and engage the world through epic entertainment.” Late last year, the gaming powerhouse with hits like “Call of Duty” and “Candy Crush” underwent an assault on their data systems. What started the attack was an employee who answered an SMS text, a phishing text. That’s all it took to steal sensitive company data: one phishing text + one response = a data breach.
After learning about the phishing text, Activision says their information security team immediately settled the situation before any sensitive data was lost. But not everyone agrees it was that clear-cut – not even close. Malware analysis gurus vx-underground, the first to publicly expose the breach, reports their own findings contradict Activision’s.
One Phish = One Data Breach
One thing Activision and vx-underground agree on was the breach started with a phishing text. vx-underground found the phished employee was an Activision network “privileged user.” Hackers prefer phishing those with higher access privileges since they can lead to other criminal prospects.
According to vx-underground, the Activision breach led to data loss for the company and its employees, and both had secrets divulged. vx-underground found the attacker used the phished employee’s privileged credentials to steal “sensitive workplace documents.” Also, breaching the compromised employee’s Slack account led to even more phishing possibilities. Insider Gaming reports the breach exposed employee data like salary, email address, phone number, and more. One of Activision’s most coveted products “Call of Duty” had its game release schedule leaked.
It's a Data Breach World Out There
What happened with Activision is a reality for businesses everywhere. No enterprise wants their data stolen, and their employees don’t want that either. However, TechCrunch revealed Activision didn’t plan on telling their staffers about the breach. In fact, some say they have yet to be told it happened at all. It’s a decision making their staff being even more vulnerable to criminal abuse. It takes away their choice to be proactive, and with cyberattacks, quick actions like changing passwords can prevent further compromise, as can reminding employees not to click on links that arrive in text form when they aren't expected or are from unknown senders. And also very importantly, they should never give out their login credentials to anyone.
Cyber-educated employees can prevent a data breach before it happens. And at the rate breaches happen today, fortifying data security is everyone’s responsibility – from the top on down.
Quick strong password hints:
Use at least eight characters containing a combination of upper and lower-case letters, numbers, and special characters.
Avoid using personal information in passwords such as birthdates of loved ones.
Use non-sensical combinations of the above rather than proper names or words that can be found in a dictionary.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org