Activision Games and Employee Data Were Stolen

Activision is just the latest victim in a series of hacks against video game companies. A security breach in December broke into the company’s human resources computer and has obtained sensitive information about employees of the company and certain video games. 

This all became public on Sunday, February 19, when cybersecurity and malware research group vx-underground published screenshots of data allegedly stolen from Activision, including the schedule of planned content for the popular shooter Call of Duty. And on Monday the 20th, gaming blog Insider Gaming claimed to have confirmed the data breach after obtaining “the entirety” of the stolen data, which had not been published by vx-underground. 

A human resources computer was hacked 

The problem with this hack is that the information obtained includes full names, emails, phone numbers, salaries, work locations, addresses and more for each employee. According to Insider Gaming the hacker would have accessed the computer of a human resources worker, hence the data on games is quite limited. 

The hacked information also includes the listing of downloadable content for Modern Warfare 2 and dates for Call of Duty seasons, but they are outdated data. Most relevant is the mention of this year’s game, codenamed Jupiter, and the 2024 Call of Duty, codenamed Cerberus. 

Releases 

In a tweet, vx-underground wrote that “It is worth noting that the Threat Actor(s) attempted to phish other employees. Other employees did not fall for it. However, it appears they did not report the security incident to Activision’s information security team.”  

While Activision spokesperson Joseph Christinat reported, “The security of our data is paramount, and we have comprehensive information security protocols in place to ensure its confidentiality. On December 4, 2022, our information security team quickly addressed an SMS phishing attempt and quickly resolved it. After a thorough investigation, we determined that no sensitive employee data, game code or player data was accessed.” 

A series of hacks against video game companies 

And throughout 2022, a hacking group known as 0ktapus (or Scattered Spider) attacked at least 130 companies, according to cybersecurity firm Group-IB. The group gained notoriety for hacking cloud communications company Twilio, which provides other companies with services such as sending automated text messages to their users. 

For example, in early September last year, hackers released unreleased footage of the upcoming and highly anticipated Grand Theft Auto VI. At the time, game maker Rockstar Games admitted that hackers had been able to get their hands on “confidential information from our systems, including early development images of the next Grand Theft Auto.” And in January, Riot Games disclosed a breach in which hackers gained access to the company’s “development environment,” allowing them to steal source code for the popular League of Legends and Teamfight Tactics games, as well as source code for the company’s anti-cheat system. 

Employees found out about the hacking via Twitter 

Activision’s employees have learned of a data breach affecting their contact information months after the fact, and they learned it was via Twitter and months later.  

Although Activision did not publicly disclose the breach, neither did it do so internally, according to anonymous accounts from current company employees, with one describing the situation as “problematic” and stating that the company should have notified all employees who had their data compromised.