The makers of the Fortnite video game have been hit with a class action lawsuit, alleging they allowed a security breach to remain in place for at least two months, which allowed their users’ in-game identities to be hijacked and expose their real-life personal and financial information.
On Feb. 15, attorneys with the firm of McGuire Law P.C., of Chicago, filed suit in Cook County Circuit Court against North Carolina-based Epic Games, accusing them of not doing enough to safeguard their players’ supposedly secure information. The lawsuit was brought on behalf of named plaintiff Eric Krohm, of Illinois, and potentially a class of millions of other members.
The lawsuit centers on the use of so-called “Vbucks,” the in-game currency used to make purchases within the game of Fortnite, one of the world’s most popular video games ever.
The online game is played by millions daily, and brings in hundreds of millions of dollars in revenue for Epic Games, the lawsuit said.
According to the complaint, a “benevolent third-party research firm” identified a “vulnerability” in the Fortnite program, which allegedly allowed hackers to steal players’ in-game “security tokens.” With those tokens, hackers could “access and utilize every feature” of a player’s account, “including the ability to make purchases of (Fortnite) Vbucks currency” using a player’s actual financial account information.
Players must provide personal identification information when they register to use Fortnite, and must also provide financial account information to purchase Vbucks, which are then used to make in-game purchases.
“The Vulnerability allowed unauthorized parties the ability to extract and store players’ (personal information) and Payment Information for future misuse and/or resell on the criminal black market,” the complaint said.
This would then require users to continuously monitor their personal identities and financial accounts into the future, to prevent misuse in other venues, not just in Fortnite.
The complaint says the “vulnerability” also allowed hackers to “covertly eavesdrop on the in-game conversations between Fortnite players.”
The lawsuit says the third-party group notified Fortnite and users of the vulnerability in November 2018.
The lawsuit asserts Epic Games “failed to implement reasonable technical measures to detect irregularities in its systems.”
And they said Epic Games “failed to remedy the Vulnerability within a reasonable time after being made aware of its existence” and didn’t notify players and Fortnite account holders of the problem, giving would-be hackers more time to exploit the problem and steal more players’ information.
“For at least several weeks, unauthorized third parties were able to freely access, extract, misuse or sell, or store for future misuse or sale, the (personal information) and Payment Information of millions of (Epic Games’) customers,” the lawsuit said.
The plaintiffs asked the judge to approve a class of additional plaintiffs which would include every Fortnite user registered on the site in the last two months of 2018, which could include millions of players.
The lawsuit requests unspecified actual, compensatory and punitive damages, plus attorney fees and fraud monitoring services.
The lawsuit also seeks a court order requiring Epic Games to “implement commercially reasonable security measures to properly guard against future cyberattacks and to provide prompt, reasonable notification in the event of such an attack.”