Hacking 700M Electronic Arts accounts

Vulnerability impact & exploitation ideas

  • Many see the vuln as catastrophic: potential takeover of hundreds of millions of accounts, reversal of bans, stealing usernames, or mass banning.
  • Speculation on monetizing it: “unban APIs,” subscription “pay to stay unbanned,” paid username stealing, or selling bans as a service.
  • Some note that loud attacks (mass bans) would trigger investigation quickly; quieter abuse (e.g., account renames, targeted bans) could be more profitable and harder to detect.
  • Others fantasize about “teaching EA a lesson” via chaos, while several push back that this mainly harms players, not just the company.

Bug bounties and incentives

  • Strong criticism that EA paid nothing for a severe, well-documented finding.
  • Some say lack of bounty plus legal risk encourages researchers to hoard vulns or sell them on the grey market.
  • Others suggest bureaucracy and procurement rules make ad-hoc payments hard, even when security teams want to reward.
  • A few argue a company might reasonably choose responsible disclosure without paying for unsolicited reports, questioning where “negligence” begins.

Legal and ethical considerations

  • Multiple comments warn that exploiting such bugs risks serious prosecution (CFAA, FBI, extradition).
  • Discussion of operational security tactics (VPNs, Tor, VPS chains) is met with caution: one mistake can be enough to get caught.
  • Debate on whether using the vuln to unban one’s own unfairly banned account would still be illegal; consensus leans toward “yes.”

Technical discussion

  • Noted that game binaries with hardcoded privileged credentials are inherently unsafe; if the client can read the credential, an attacker can too.
  • Suggestions around string extraction, reverse engineering, MITM, and obfuscation; obfuscation is seen as only a speed bump.
  • Emphasis that clients should be treated as untrusted; servers should rely on user accounts rather than trusted client secrets.
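As an added illustration of the last two points (not code from the discussion or from EA), a toy Python model contrasting a service that trusts a secret baked into the client with one that authorizes every call against the caller's own account; all service names, tokens and accounts are hypothetical.

```python
import hmac
from dataclasses import dataclass

# Constructed sample secret standing in for a credential shipped inside a game binary.
CLIENT_SECRET = "secret-baked-into-game-binary"

@dataclass
class Account:
    name: str
    banned: bool = False

class VulnerableAccountService:
    """Weak design: one static secret shipped in the client unlocks privileged
    operations on ANY account, so whoever extracts it inherits that power."""
    def __init__(self, accounts):
        self.accounts = accounts          # account id -> Account

    def set_ban(self, presented_secret: str, target: str, banned: bool) -> bool:
        if not hmac.compare_digest(presented_secret, CLIENT_SECRET):
            raise PermissionError("unknown client")
        self.accounts[target].banned = banned   # never asks WHO is calling
        return True

class HardenedAccountService:
    """Corrected design: the client is untrusted. Each call is authorized against
    the account behind the caller's session token; ban changes require an admin
    principal, and a player can only rename the account they are logged into."""
    def __init__(self, accounts, sessions, admins):
        self.accounts = accounts          # account id -> Account
        self.sessions = sessions          # session token -> account id (server-issued)
        self.admins = admins              # set of account ids allowed to change bans

    def _principal(self, token: str) -> str:
        for known, owner in self.sessions.items():
            if hmac.compare_digest(token, known):
                return owner
        raise PermissionError("invalid session")

    def rename(self, token: str, new_name: str) -> str:
        me = self._principal(token)
        self.accounts[me].name = new_name   # target comes from the session, not the client
        return me

    def set_ban(self, token: str, target: str, banned: bool) -> bool:
        me = self._principal(token)
        if me not in self.admins:
            raise PermissionError("ban changes require an admin principal")
        self.accounts[target].banned = banned
        return True
```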

EA engineering, operations, and support

  • Former/adjacent engineers describe internal account systems (e.g., Nucleus, Blaze) as originally internal and locked down, later apparently proxied or exposed.
  • Some lament EA’s reliability and opaque, often harsh banning process.
  • There’s frustration over EA claiming some account-linking changes are “technically impossible,” while this vuln demonstrates such links are in fact mutable, though broader side effects remain unclear.