How do video game companies like Game Freak keep getting hacked?
Over the weekend, Pokémon source code, art and other documentation spread quickly through social media and other internet forums. Where did it come from? Game Freak confirmed last week that it had been hacked, with the data of more than 2,600 employees taken. However, it didn’t confirm the massive theft of its game data, but the game data is likely from the same breach. A hacker claimed they collected 1TB of data, including the source code for Pokémon Legends: ZA and the next-generation Pokémon games, on top of builds of older games, concept art, and lore documents. Huge amounts of information have already been released – and according to the hacker, more will be uploaded to the internet.
Simply put, this is probably one of the biggest leaks in Pokémon history. It competes with the leak of 1.67 TB of hacked Insomniac Games data from infamous ransomware group Rhysida, which was released last December, and a 2022 Rockstar Games hack in which unfinished Grand Theft Auto 6 footage was published early. These hacks are always big news, as the video game industry is known for its secrecy, building hype through carefully planned teasers, trailers and announcements. That hype is valuable for developers and publishers, but also for leakers seeking power online, hackers seeking ransoms, and players eager to consume something about their favorite franchise. But how does this keep happening?
Phishing attempts are common, and they are not unique to Game Freak or any other video game company, Akamai cybersecurity researcher Stiv Kupchik told Polygon. But the audience for leaked information is huge, meaning there is widespread attention. Video game fans are clamoring for this kind of content.
“There’s a lot of interest from fans of the product in what’s coming next, what people think, etc.,” said Justin Cappos, a New York University professor in the Tandon School of Engineering. “At least I know when I was a young boy and playing computer games and stuff like that, one of my favorite things to do was break into my local copy of the game and invert it and change it and make it work differently. So today there are clearly a lot of people who are quite interested in this, and video games in particular are an easy target, which also makes them attractive to people like cybercriminals.”
Cappos said video game companies often prioritize things other than just security: They focus on systems that enable rapid development, often using “large teams that tend to be overworked.” Nintendo is good about its security, Cappos said, but things can get tricky when it comes to Nintendo’s various partners. “One of the hard things about playing defense is you have to play correct defense all the time,” Cappos said. “You can’t make a mistake just once. And so it doesn’t matter whether two out of three companies did well. One of them makes a mistake and you’re in trouble.”
Adam Marrè, head of information security at cybersecurity firm Arctic Wolf, added that video game companies are often targeted because they are more likely to pay ransoms to keep unreleased content offline.
There doesn’t appear to be a ransom involved in the recent Game Freak breach, but screenshots from the Nintendo Developer Portal from a reported Game Freak employee suggest the hacker gained access to the files through a social engineering or phishing scheme – as in the Insomniac Games and Grand Theft Auto 6 leaks. However, in both the Rockstar Games and Insomniac Games cases, well-known hacking groups have claimed responsibility for the leaked information. A group called Lapsus$ claimed responsibility for the GTA6 breach, in which a 17-year-old hacker used phishing and social engineering methods to gain access to Rockstar Games’ Slack channels. (The hacker was sentenced to indefinite detention in a hospital.) Another group, Rhysida, claimed responsibility for the Insomniac Games leak; Rhysida is known for using phishing attacks to access servers. The motivation for the recent Game Freak hack is not clear, but sometimes such hacks can be driven by power.
“Gaming is a very high-profile industry,” said Kevin Gosschalk, CEO of Arkose Labs. “Many of the attackers targeting the gaming industry are also gamers who are only interested in leaking upcoming games. It generates a lot of publicity and gives them a lot of influence.”
Social engineering and phishing do not necessarily require special tools or technical skills: instead, hackers using these methods attempt to trick a victim into granting access to an account or downloading malicious software. Cappos said research shows that 20% of people who receive a credible phishing attempt — “not just a random email from the Nigerian prince,” he said — fall for it.
“Phishing works by tricking the victim into sharing sensitive credentials or access tokens, or by executing commands or files sent by the attacker,” Kupchik told Polygon. “Just like traditional fishing, it starts with bait: it can be an email, a document or a website, which looks legitimate, but is in fact under the attacker’s control. The victim would think they were downloading legitimate software or logging into an internal site, but instead they would hand over their credentials to the attackers or unsuspectingly execute malicious payloads.”
The “easy” part is getting the credentials to log in, says Lorenzo Pedroncelli, senior manager of RSA Security. The hard part is getting past the multi-factor authentication that secure platforms may also require – and that’s where social engineering comes in. “If you don’t have MFA, a phishing email, password or other login details can do a lot more damage,” Pedroncelli said. Cappos added that SMS-based authentication is less secure than other types, but there are still ways. “What tends to happen with most authentication-based hacks is that they don’t have multi-factor authentication enabled everywhere,” he said. “Some people have it, some people don’t, and they can find a way to get in through people who have more access than they should and who don’t have multi-factor authentication enabled.” Otherwise, an attacker would have to trick a person into giving up their MFA codes. (Cappos recommends using secure multi-factor authentication and keeping your software up to date, as exploiting outdated software can be yet another way people get in.)
The latest Game Freak leak is a very different kind of leak than, say, the time someone took pictures of the Pokémon Sword and Pokémon Shield strategy guides prior to the games’ release. The Pokémon Company settled a lawsuit in 2021 with the people who leaked those photos on Discord, with those people ordered to pay $150,000 each. In that previous situation, the leaked information was limited to things printed in the strategy guide, such as new Pokémon. It was information that The Pokémon Company didn’t want to make public, but it’s a lot less serious than what was shared online after this massive recent hack. It is also a different scenario than when employees leak information to the press, as with Fallout 4’s setting, or when Microsoft accidentally uploaded redacted court documents to a file repository associated with the Federal Trade Commission v. Microsoft case.
Cybersecurity experts who spoke to Polygon say it’s too early to fully understand the hackers’ impact or motivations; Insomniac Games was hacked by a ransomware group and their stated interest was financial. The person who hacked Game Freak seems to have some affinity with Game Freak and Pokémon: They claimed to have the source code for Pokémon Legends: ZA and next-gen games, but reportedly said they “won’t ruin the releases of those games.”