It’s all fun and games until someone gets hacked.
This week marks the end of one console generation and the beginning of a brand new adventure. The Playstation 4 and Xbox One were both released to consumers in November of 2013. In the years since, both consoles have given gamers plenty of reasons to celebrate. A slew of award-winning exclusive games on PS4 and the launch of several consumer-friendly initiatives from Microsoft, like Xbox Game Pass, pleased both sides of the console wars.
But now the year is 2020, and gamers are ready for something new. The Xbox Series X began launching for consumers starting on November 10th, and the Playstation 5 is gearing up for its first phase of launch on November 12th. This undoubtedly is an exciting time for the booming industry.
But how safe are these new consoles going to be? Gaming consoles are no stranger to massive and expensive security breaches. This problem is compounded further by the fact that consoles in today’s modern age are expected to be “all in one” media systems that store tons of personally identifiable information (PII), including login credentials, billing information, and more.
Before we dive into the common ways that hackers infiltrate game consoles and networks (and how you can protect against these attacks) later in the week, it’s important to learn the history of cybersecurity, or lack thereof, in gaming.
Like previously stated, video game consoles are no stranger to devastating cyberattacks. In fact, Akamai reports that the video game industry remains a growing attack vector for security breaches, as over 12 billion credential stuffing attacks were reported within a 17 month period between 2018 and 2019. But these numbers relate to the gaming industry now.
Let’s take a second to look back on some of the biggest security breaches of the 21st century in the gaming industry.
In the early days before gaming consoles became consistently connected IoT devices, cyber threats were significantly lower for gaming companies. Compared to today, the amount of data and its availability to nefarious actors was insignificant. It wasn’t until multimedia applications and online gameplay became a staple of gaming that attacks began to ramp up, imposing devastating damage on both gaming businesses and customers. One of the first, and most notorious, attacks in gaming was one that crippled Sony’s Playstation Network back in 2011.
Security breaches cannot escape even the biggest fishes in the sea. This can be evidenced by the breach of the Playstation 3’s Playstation Network in 2011, an attack on arguably the biggest video gaming company in the world.
In what was deemed an “external intrusion,” Sony’s Playstation Network outage in April of 2011 was one of the most highly publicized attacks of the 2010’s. This attack saw the compromise of 77 million users’ data to hackers. This data included the names, addresses, and other personal information of all of those 77 million Playstation accounts. While Sony maintains that the attackers did not break into the financial information on these accounts, they claim that the data was “within reach,” and reports swirled about 2.2 million banking credentials finding a home on online forums.
Overall, the attack on the network of the Playstation 3 brought Sony $171 million in losses split between a large investment in security enhancements, “apology” packages sent to consumers, and estimated future losses.
As reported by The Guardian, three years after the infamous Playstation hack of 2011 was the Christmas Day hack carried out by the famous hacker group “Lizard Squad.” The attack, while not nearly as devastating as the previous on Playstation, knocked Xbox Live and Playstation Network servers offline for the entirety of Christmas Day 2014. This was done with a sophisticated distributed denial of service (DDos) attack. Soon after the attack was carried out, Lizard Squad claimed responsibility for the shutdown.
This wasn’t the only attack on Sony and Microsoft as a pair. Later on in the year 2017, 2.5 million Xbox and Playstation users’ details were obtained by breaching two popular gaming forums. The total damage done by these breaches is not completely clear, but what remains clear is that the juggernauts of Xbox and Playstation are and will continue to be targets for nefarious actors.
While not as big of a player in the gaming sphere as Xbox and Playstation, Zynga has had its time in the spotlight. You may know Zynga for creating browser games like Facebook’s Farmville and mobile apps like Words with Friends. While these mobile games may seem benign, as reported by Norton, in September of 2019 Zynga’s cybersecurity suffered a breach. The breach exposed approximately 200 million users’ personal information to the attackers.
The hack was carried out by attackers gaining unauthorized access to a database containing the account information of players who installed the game Words with Friends. The online hacker known as Gnosticplayers took responsibility for the attack, which obtained the following information:
Overall, it’s been reported that out of the approximately 200 million users of Zynga games, 172 million of their account passwords were stolen. This number makes the Zynga breach one of the largest in modern gaming history.
The last breach we wanted to put under a microscope on was one from 2020. Nintendo, who is often viewed as Xbox and Playstation’s older brother, had over 300,000 accounts breached by hackers, as TechCrunch reported. While it was originally reported that the Japan-based company had only 160,000 accounts exposed, the number ended up being almost double that. The breach was originally discovered when users complained about being charged for digital items they did not purchase. Upon further review, it was determined that accounts had been improperly accessed.
Nintendo put out a statement two weeks later confirming the breach and responded to the breach by resetting passwords for those accounts, refunding those who had been improperly charged, and contacting all customers affected. This statement also reiterated that the breach affected less than 1% of their total customer base. Nintendo has refused to disclose exactly how the accounts were breached, only claiming that hackers gained access to accounts by obtaining passwords “by some means other than our company’s service.”
Some may consider this review of gaming companies who made security mistakes in the past as throwing gas on the fire. However, rather than trying to put these companies on blast, we see these past breaches as opportunities to learn and grow.
Security breaches happen and are becoming increasingly common in a world filled with more databases of information than ever before. This is why we as customers and businesses need to be better about identifying potential threats to our cybersecurity and, in turn, maximizing our defenses against these threats to protect ourselves and our precious data.
In a follow-up article, we’ll be detailing the common attack vectors and tactics that hackers use to gain access in the gaming industry. Additionally, we’ll be offering up some tips you can use as a consumer to protect yourself when navigating your brand new PS5 or Xbox Series X.