This is an automated archive made by the Lemmit Bot.
The original was posted on /r/epicgamespc by /u/HonestlyBadWifi on 2024-12-15 19:44:47+00:00.
When discussing account hacking, there are two main methods used by bad actors: social engineering and cracking.
Method-Based Attacks (Social Engineering)

The first method involves pulling data through scraping APIs or purchasing statted lines from suppliers. These statted lines contain sensitive details, such as the time of the last match, current locker items, connected accounts and display names with connection dates, IP addresses used for login, and the account's associated email. Bad actors use this information in combination with social engineering tactics to manipulate Epic Games support into changing the account's email. Fortunately, Epic is cracking down on this, and it's being reported across Telegram channels that Epic Games is pursuing legal action against fraudsters for breaching terms of service, committing fraud, and accessing private data unlawfully.
Cracking Attacks

The second, more common method is cracking. This involves using “combos” — combinations of usernames/emails and passwords sourced from breached databases. Some suppliers also use combo editors to generate password variations that mimic typical human patterns. Cracking itself is a complex process.
Once a bad actor has a combo, they run it through programs like OpenBullet or CNChecker, which attempt to log in to services like Epic Games, PlayStation, and Xbox. If a login is successful, they use custom checkers or Telegram bots to assess the account's value, including checking the skins available. Even two-factor authentication (2FA) is not a deterrent, as many hackers use private 2FA bypass methods. For instance, a PSN 2FA bypass method was available publicly for two years before being patched.
Once the cracker has attempted all combinations, they generate a log called "hits," which represent successful logins.
Example of a hit log:
These are typically non-full access (NFA) accounts, meaning the bad actor does not have access to the associated email but can log in through Epic Games or connected accounts. NFA accounts can have verified or unverified emails. Unverified emails are often easy to turn into full access accounts via the methods mentioned earlier. Even without full access, the hacker can obtain information like IP addresses, transaction dates, last four digits of credit cards, account link dates, billing addresses, etc., which can be used to pull accounts.
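From the service side, a combo run like the one described above leaves a recognisable trace in the login logs: one source address tries many distinct accounts in a short window, nearly all attempts fail, and the few successes are the attacker's "hits". The following is an added example, not code from the original post: a small Python detector run over constructed authentication log lines. The log format, field names, IP addresses, usernames and thresholds are all assumptions made for the demonstration.

```python
"""Detect credential-stuffing (combo) runs in authentication logs.

Added example for illustration; the line format, thresholds and sample
data below are assumptions, not any real service's log schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Assumed log line shape: "<ISO-8601 ts> ip=<addr> user=<login> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)\s*$"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match (skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return Event(ts, m["ip"], m["user"].lower(), m["result"] == "OK")


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


@dataclass
class SourceStats:
    users: Set[str] = field(default_factory=set)   # distinct accounts tried from this IP
    failures: int = 0
    hits: List[str] = field(default_factory=list)  # accounts that logged in successfully
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def detect_stuffing(
    events: List[Event],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,
    min_fail_ratio: float = 0.75,
) -> Dict[str, SourceStats]:
    """Return {ip: stats} for sources that look like a combo run.

    A source is flagged when it tried at least `min_users` distinct accounts
    within `window` and at least `min_fail_ratio` of its attempts failed.
    The `hits` list on a flagged source is what needs immediate action.
    """
    by_ip: Dict[str, SourceStats] = defaultdict(SourceStats)
    for e in sorted(events, key=lambda ev: ev.ts):
        s = by_ip[e.ip]
        s.users.add(e.user)
        s.first = s.first or e.ts
        s.last = e.ts
        if e.ok:
            s.hits.append(e.user)
        else:
            s.failures += 1

    findings: Dict[str, SourceStats] = {}
    for ip, s in by_ip.items():
        total = s.failures + len(s.hits)
        span = s.last - s.first
        if len(s.users) >= min_users and span <= window and s.failures / total >= min_fail_ratio:
            findings[ip] = s
    return findings


# Constructed sample: one stuffing source (203.0.113.7) cycling through eight
# accounts in seven seconds with a single hit, plus two ordinary users.
SAMPLE_LOG = """\
2024-12-15T19:40:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2024-12-15T19:40:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-12-15T19:40:03Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-12-15T19:40:04Z ip=203.0.113.7 user=dave@example.com result=FAIL
2024-12-15T19:40:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2024-12-15T19:40:06Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-12-15T19:40:07Z ip=203.0.113.7 user=grace@example.com result=OK
2024-12-15T19:40:08Z ip=203.0.113.7 user=heidi@example.com result=FAIL
# log rotated (malformed line, ignored by the parser)
2024-12-15T19:41:00Z ip=198.51.100.20 user=bob@example.com result=FAIL
2024-12-15T19:41:20Z ip=198.51.100.20 user=bob@example.com result=OK
2024-12-15T19:42:00Z ip=192.0.2.9 user=carol@example.com result=OK
"""

if __name__ == "__main__":
    for ip, s in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {len(s.users)} accounts tried, {s.failures} failures, hits={s.hits}")
```

The flagged source's `hits` list is the actionable output: those accounts logged in with a valid password that the attacker now holds, so the response is to revoke their sessions, force a password reset and require a step-up factor, not merely to block the IP (which the next run will simply rotate). Bob's one failed attempt followed by success from a single address is the normal typo pattern and is not flagged.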
Some hackers also target "headless" accounts — those created between Season 0 and Season 2 or 3, where the email associated with the account was never properly verified. The hacker simply creates the missing email address and gains full access to the account.
Email Cracking

Another method involves cracking email accounts directly. Hackers use combos on email service providers and scan the successful login hits for email addresses tied to PSN, Xbox, and Epic Games accounts. They then initiate password resets for those accounts and check for valuable content like skins. If something valuable is found, the hacker changes the account’s email, blocks emails from Epic Games on the original email account (OGE), makes copies of receipts, deletes all emails from Epic Games, and then bombards the OGE with spam.
These fraudsters also use various techniques to prevent you from regaining access. Some common tactics include email bombing the original email account and keeping an active support ticket with Epic Games regarding the compromised account.
To protect yourself, use unique passwords for every account!