Cybersecurity researchers recently found an issue that allowed them to, among other things, obtain a list of Slack channels belonging to video game giant Electronic Arts. The issue has since been fixed and EA said it found no evidence of compromise beyond the researchers' own investigation. But if it had been discovered by hackers before the researchers, they could have exposed channel names and other information related to secretive company projects.
"Apparently some ex-engineer had left a piece of code exposed on a Github repo," Mossab Hussein, a security researcher from Dubai-based cybersecurity firm spiderSilk, who reported the issue to EA, told Motherboard.
Hussein said spiderSilk found exposed EA credentials for a service called PagerDuty, which helps large companies monitor their infrastructure. Accessing this allows an attacker to see all the infrastructure components that EA was monitoring with PagerDuty, Hussein added.
Login tokens for Slack were configured inside EA's deployment of PagerDuty, meaning an attacker could "retrieve the entire list of users which belongs to old and new employees of EA, across the world," Hussein said. An attacker could also retrieve a complete list of all channels in EA's Slack workspace, as well as "title of projects they are working on, descriptions of channels that contain URLs to docs, internal QA pages, etc," Hussein added.
In all, spiderSilk found a total of around 29,000 channels, Hussein said.
Do you work at EA? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Hussein said spiderSilk reported the issue to EA on November 19, 2019 along with a sample list of 1,000 channels, and that EA responded on December 21 saying that it had remediated all the issues.
"I can confirm that the issue was quickly resolved after reporting," John Reseburg, VP, Global Communications at EA, told Motherboard in an email. "Our security teams worked closely with the reporting researcher and Slack to investigate, and found no evidence of compromise beyond the researcher’s own examinations."
"We appreciate the research community’s findings on this. Seeking input from the broader research community is an important part of continually testing and refining robust security measures for our players, our games, and our company," he added.
Video game companies are so worried about details about their games leaking before their prepared marketing strategy, they often use codenames to discuss them internally. Even if hackers got their hands on a list of Slack channels, it's possible that they wouldn't reveal any unannounced game names.
This month, a man pleaded guilty to child pornography and hacking charges around his infiltration of various Nintendo systems to steal properitary data.
Subscribe to our cybersecurity podcast, CYBER.