
This week, gaming giant Activision revealed that a cybercriminal had managed to get inside of its network late last year. How did the hacker do that, exactly? Better take a guess. Is the answer...
A) The ol’ USB parking lot trick
B) Some sort of sophisticated router-hijacking malware
C) Whatever they did in this scene from Blackhat
No, no, nothing that complicated or interesting. The real answer, of course, is D: phishing an employee. Of course that’s what happened, because that’s pretty much what always happens.
According to the gaming company, the hack occurred in early December and was the result of a malicious text message sent to a company employee.
“On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed,” the company told Bleeping Computer in a statement.
Yet while Activision claims that no “sensitive” data was stolen as a result of the incident, security researchers who have been looking into the breach paint a slightly different picture. The malware analysis group vx-underground, which broke the news about the incident, has said that the hacker managed to phish a “privileged user” on Activision’s network. Using that access, the cybercriminals then “exfiltrated sensitive work place documents” and subsequently abused the staffer’s Slack account to attempt to phish other company employees. Meanwhile, gaming journos at the site Insider Gaming found that the stolen data haul included employee email addresses, phone numbers, salary data, and other sensitive information. A Call of Duty content schedule has also leaked in the wake of the breach.
On top of all that, TechCrunch reports that the company never deigned to tell its own employees that the company had been hacked. Two current Activision employees anonymously told the outlet that, as of this week, they had yet to get an official notification from the company about the incident. Not exactly a smart move if your company has just been the target of a phishing campaign.
Gizmodo reached out to Activision for additional details and will update this story if they respond.
Of course, Activision isn’t the only large tech company to get hacked in a really basic way and deal with it in a less-than-optimal fashion. Lately, it seems like that’s pretty much Silicon Valley’s MO. Case in point, a large phishing campaign managed to penetrate the networks of dozens of major companies late last year, despite the fact that the hacker was using pretty basic intrusion techniques. More recently, Reddit also revealed that it had been hacked via a very basic phishing ploy. It just goes to show that the most fundamental cyber advice is still: if you don’t know the sender, don’t trust that link.