|
Member
(11-12-2012, 07:16 AM)
|
EA/Origin account hacked: Is this a new thing?
#1
Story goes, received an email very early Friday morning last week (around 4:00am Australia time) about my email address being changed for my Origin account. Didn't think anything of it (I first saw the email when I woke up for work early on Friday and quickly forgot about it).
Tried getting in today, Origin doesn't recognise my username. Or my email address. Had to create a new, dummy account just so I could raise a case about my old account because basically *all* the details must have been changed in it.
This appears to be a fresh wave, too. Possibly coinciding with the ability to change an Origin username at will (though I'm not sure exactly when this was implemented). Here are some links to threads on their forum from within the last few days that contain individual cases of this exact same thing happening:
http://forum.ea.com/eaforum/posts/li....page#25793355
http://forum.ea.com/eaforum/posts/li....page#25793716
http://forum.ea.com/eaforum/posts/li....page#25793865
http://forum.ea.com/eaforum/posts/li....page#25797583
http://forum.ea.com/eaforum/posts/li....page#25793219
http://forum.ea.com/eaforum/posts/li....page#25792872
http://forum.ea.com/eaforum/posts/li....page#25789342
http://forum.ea.com/eaforum/posts/li....page#25784876
http://forum.ea.com/eaforum/posts/li....page#25784311
http://forum.ea.com/eaforum/posts/li....page#25784876
They're just the ones I could find using their very limited search option on their forums. Of note is that they're all literally within the last few days or so.
I can't recall if there was anything incredibly sensitive in there (I don't remember using a credit card at all with that account, just used it to register keys bought from Amazon etc.) but exactly the same thing is happening to a LOT of people. This guy could probably offer a better explanation of what's happening (though it goes for 20 minutes, so don't get too excited): http://www.youtube.com/watch?v=KJUtpJPpyMw
So, if you haven't checked in on your Origin account recently, you should log in and make sure that everything is working fine. I didn't have anything that could've been guessed about my account (such as the password, security questions etc.) yet my account has certainly been hijacked.
It also exposes a huge, gaping flaw in EA's security system, given that:
a) there's no mention in the email of what it was changed *from*
b) there isn't a confirmation asking for the email address to be changed
c) people trying to raise cases about this with their online help/chat thing are getting knocked back because they have their own dates of birth wrong
Anyone else here having problems?
Last edited by Shaneus; 11-12-2012 at 07:20 AM.
|
|
To hell with Bono,
here's a worthy cause. (11-12-2012, 07:17 AM)
|
#2
And just when they are about to ask me for my Nintendo Network ID
|
|
To hell with Bono,
here's a worthy cause. (11-12-2012, 07:25 AM)
|
#4
they must be targeting accounts that have access to the most popular EA titles
|
|
Member
(11-12-2012, 07:28 AM)
|
#5
|
|
Member
(11-12-2012, 07:43 AM)
|
#8
Every time I log into my Origin account (I don't save my password so I have to enter it in manually) it says my (username/Origin account/password) is wrong. This has happened twice in the past hour or so.
I have to choose forget password in which I enter my email address, then they send me this huge code to reset my password. I am just going to close my Origin account. Fed up.
|
Member
(11-12-2012, 09:14 AM)
|
#10
The guy's video I posted said he was lucky because he'd used the Facebook authentication as well and the hijackers had forgotten to change it (or it can't be removed, perhaps?) but if your account's been broken into and your username and email have been changed, what hope do you have of getting anything back yourself? Fucking pathetic work by EA.
I wonder if it affects pre-Origin games like The Saboteur as well. I'll have to try that tonight. Until then, no Autolog for NFS:HP either. I'd be even more pissed as hell if I'd bought NFS:MW and couldn't play it (potentially even losing progress) as well.
I'm still not sure how they can change that email in the first place, because I think that's the core of the issue. Obviously they're bypassing whatever confirmation is normally needed to do such a thing, because I don't think they're getting into accounts right away via brute forcing a password. My gut says they're social engineering the account to get EA to change the email address... and I think the key is the DOB which they're probably guessing randomly via bots or something.
Last edited by Shaneus; 11-12-2012 at 09:20 AM.
|
|
Member
(11-12-2012, 10:19 AM)
|
#11
Ah ha! Double post, but worth the bump.
You can reset your EA account using a linked account, such as an XBL tag. I did that, and got this:
![]()
I just wish I could log in using my XBL account rather than the Origin one :(
Edit: YES! FUCKING AWESOME! Sort of. For those following, it looks like the link to my XBL account still worked, so I was able to download the EA Sports "app" on the 360 and log into it to suss out some info:
![]()
The fucking thing won't let me change the email ("Unable to update your account info at this time") but at least I can see the email they used. I can't see the account name though, I don't think. But it's a start!
Last edited by Shaneus; 11-12-2012 at 10:51 AM.
|
|
Member
(11-12-2012, 10:36 AM)
|
#13
I would change all your XBL related passwords as a precaution at this point.
|
|
Member
(11-12-2012, 10:49 AM)
|
#14
This is why I use Gmail for my emails and then use its secondary confirmation thingie whenever someone tries to access it on a different computer. Unless they have a way of knowing your Origin account's password firsthand, they have to have the password reset and sent to your email, and unless they can access your email, they're still stuck.
|
|
Member
(11-12-2012, 10:53 AM)
|
#15
So, I might try with something that isn't EA Sports. Can anyone think of a demo that would use EA's online shit that is just a regular game?
Edit: I've tried Burnout Paradise and Brutal Legend, they're the only ones I could think of. I'm not sure if there's anything EA/Origin related connected to Rock Band, but that might be something else to check.
|
Junior Member
(11-12-2012, 11:06 AM)
|
#17
*smh*
|
Member
(11-12-2012, 11:18 AM)
|
#18
So "smh" dude, I was in the same position as him with my first US account after the PSN fiasco.
|
Member
(11-12-2012, 11:48 AM)
|
#20
|
|
Why yes, I am on Xbox LIVE. How did you know?
(11-12-2012, 11:51 AM)
|
#21
It was bound to happen. Every service that uses accounts is targeted at some point in time. Hopefully EA can iron their security issues out quickly. And those of you complaining about EA using your date of birth to identify your account, well, I guess that'll teach you to enter a bogus birthdate since many companies use the same method to check identities.
Hacked by a website that hacks accounts. Gee, I wonder what they were doing on this website? Sounds like one of those "FREE ORIGIN GAMES" or "RANK UP IN BF3 AUTOMATICALLY" scam websites and they fell for it.
|
Junior Member
(11-12-2012, 01:07 PM)
|
#22
1 - EA need to prove your identity to ensure you are the correct account owner
2 - DOB is the easiest way of doing this. Entered a bogus DOB? Fail
3 - If the address wasn't a "precision adress" (sic) ie - you had it slightly incorrect, I am sure they would be able to establish you were the correct owner by the information you were able to provide about the account. Regardless, address is not a recognised way of proving identity as someone's address information is a lot more public domain than their DOB (usually DOB in conjunction with some other information that only you would know, such as payment methods, secret word etc)
4 - If someone stole your password and changed your DOB do you not think that would be visible to the customer service rep who would be able to tell what your original DOB was?
Essentially, for someone to lose access to their account here they have to have a) visited a dodgy website and downloaded some malware to perform some such "function"; b) not given a legitimate date of birth on registration. There are many, many things that EA can quite rightfully be called out on, but there is no way on earth that EA should be taking the hit for end-user stupidity.
|
Member
(11-12-2012, 01:31 PM)
|
#23
Which one of those would I fall into? My DOB certainly wasn't fake on registration (I don't know how that would lead to an account being compromised anyway, even if it's fake it's still essentially a random number) and I assure you I haven't logged into any even remotely suspicious websites that use the same login I used for Origin.
The fact that there are so many cases that have popped up within the space of a few days indicates that there's something inherently wrong with EA's security surrounding accounts, not the users. But hey, feel free to blame the end-user on this. I'm sure they all *adore* hearing how stupid they are right after they lost access to potentially hundreds of dollars worth of games.
Last edited by Shaneus; 11-12-2012 at 01:36 PM.
|
|
listen to the madman
(11-12-2012, 01:40 PM)
|
#26
|
|
Member
(11-12-2012, 01:42 PM)
|
#28
They may have, but that doesn't help for international customers :/ And even their online live assistance thing seems to only be for the US.
|
|
Member
(11-12-2012, 02:07 PM)
|
#31
Or it was a crappy throwaway account that EA forced you to make just to play multiplayer on console so you just put in whatever you could enter fastest... and then EA turned it into a full blown EA/Origin account later on without even asking.
|
|
Member
(11-12-2012, 02:27 PM)
|
#32
Well, looking up that email address used in Origin has brought up this little cunt's profile:
![]()
For some reason, it looks like the support case I created has completely disappeared (or I'm just not looking in the right support area, their support/feedback area is a fucking mess) so I'm going to create another case and put in the existing case's reference number. What a fucking joke.
|
Member
(11-12-2012, 04:21 PM)
|
#33
And having only 1 way to ensure it is that person's account is fucking retarded. They basically said I was never getting it back despite having the email, account personas, receipts, the Visa number I used and the redeem codes for my games. Go shake your head some more, it is fucking stupid.
|
Cock Encumbered
(11-12-2012, 04:38 PM)
|
#37
Thank god for Steam Guard. It allowed me to stop worrying about my little brother with his Steam account (he got it stolen once prior to Steam Guard). I just had to make sure he used different passwords for his Steam and e-mail lol.
|
|
Member
(11-12-2012, 04:43 PM)
|
#39
Or your friends use predictable/the same passwords for everything they have. That is usually the case when game accounts get compromised, I learned the hard way with Guild Wars 2 and now I use LastPass for everything.
|
|
Member
(11-12-2012, 04:53 PM)
|
#40
Worked for me.
|
Member
(11-12-2012, 04:59 PM)
|
#41
This. There's no way to verify the DOB. Further, when you enter the DOB there is no "retype DOB" to confirm, so it is easy to make a mistake.
|
Member
(11-12-2012, 05:06 PM)
|
#42
It's amazing how stupid EA is in some ways compared to Valve while intelligent in others. Valve can't grasp the concept of me deleting Steam cloud data easily. You have to fuck around with desyncing and then deleting folders named random gibberish of numbers. EA just has a single button you press. A single damn button.
Yet here we are where EA can't make a proper system to retrieve stolen accounts or secure them in a redundant fashion.
|
Member
(11-12-2012, 05:34 PM)
|
#43
Just got off the phone with EA support, have access back to my account again now... what a pain in the ass, it had been hacked by somebody and renamed to "stainlessup2" whatever the fuck that is.
Mother f**kers. Have spent the last 30 mins changing all my passwords everywhere I can think of =0)
EDIT - just spoke to one of my friends, and completely coincidentally they were hacked today as well. I have also noticed a few posts on the official EA forums about it, so something went down today for sure.
|
Member
(11-12-2012, 05:37 PM)
|
#44
|
|
Boring Member
(11-12-2012, 05:38 PM)
|
#45
Please tell me that I'm wrong.
|
Member
(11-12-2012, 05:39 PM)
|
#46
|
|
Member
(11-12-2012, 05:39 PM)
|
#47
Oh no. I am far too wise to go clicking on any shit. This was an official "changed email" from EA.
|
|
Member
(11-12-2012, 05:41 PM)
|
#48
|
|
Member
(11-12-2012, 05:43 PM)
|
#50
|