Over the weekend, Pokémon source code, art, and other documentation spread rapidly on social media and other Internet forums. Where did it come from? Game Freak confirmed last week that it had been hacked and that more than 2,600 of its employees' data had been extracted. It did not, however, confirm the massive theft of its game data, but it is likely that the game data originates from that same breach. A hacker claimed that he had acquired 1 TB of data, including the source code of Pokémon Legends: Z-A and the next-generation Pokémon games, plus versions of older games, concept art, and historical documents. According to the hacker, a large amount of information has already been published and more will be uploaded to the Internet.
Simply put, this is probably one of the biggest leaks in Pokémon history. It rivals the leak of 1.67 TB of hacked Insomniac Games data by the notorious Rhysida ransomware group, which was released in December last year, and a 2022 Rockstar Games hack in which images of the unfinished Grand Theft Auto 6 were posted early. These hacks are always big news because the video game industry is famous for its secrecy and generates buzz through carefully planned trailers, teasers, and announcements. That publicity is valuable to developers and publishers, but also to leakers seeking online influence, hackers seeking ransom, and gamers eager to consume anything about their favorite franchise. But how does this keep happening?
Phishing attempts occur frequently and are not unique to Game Freak or any other video game company, Akamai cybersecurity researcher Stiv Kupchik told Polygon. But the audience for the leaked information is huge, which means widespread attention. Video game fans are clamoring for this type of content.
“There's intense interest from fans of the product about what's coming, what people are thinking, etc.,” said Justin Cappos, a professor at New York University's Tandon School of Engineering. “At least I know that when I was a kid and playing computer games and stuff like that, one of my favorite things was to go into my local copy of the game, revert it, change it, and make it work differently. So nowadays, there are obviously a lot of people who are very interested in this, and video games are a particularly easy target, which also makes them attractive to people like cybercriminals.”
Cappos said video game companies often prioritize other things beyond security: They focus on systems that enable rapid development, often using “large teams that tend to be overworked.” Nintendo is good at security, Cappos said, but things can get complicated when it comes to Nintendo's different partners. “One of the hard things about playing defense is you have to do it correctly all the time,” Cappos said. “You can't make a mistake even once. That's why it doesn't matter if two of the three companies did a good job. One of them makes a mistake and you're in trouble.”
Adam Marrè, chief information security officer at cybersecurity firm Arctic Wolf, added that video game companies tend to be targeted because they may be more inclined to pay ransoms to keep unreleased content offline.
There doesn't appear to be any ransom at stake in the recent Game Freak breach, but screenshots of a Game Freak employee's Nintendo developer portal suggest the hacker gained access to the files through a social engineering or phishing scheme, as with the Insomniac Games and Grand Theft Auto 6 leaks. However, in the case of both Rockstar Games and Insomniac Games, well-known hacking groups claimed responsibility for the leaked information. A group called Lapsus$ claimed responsibility for the GTA6 breach, in which a 17-year-old hacker used phishing and social engineering methods to gain access to the company's Rockstar Games Slack channels. (The hacker was sentenced to indefinite custody in a hospital.) A different group, Rhysida, claimed responsibility for the Insomniac Games leak; Rhysida is known for using phishing attacks to gain access to servers. The motivation for the recent Game Freak hack is unclear, but sometimes the motive is influence.
“Gaming is a very high-profile industry,” said Kevin Gosschalk, CEO of Arkose Labs. “Many of the attackers targeting the gaming industry are also gamers who are simply interested in leaking upcoming games. It's a lot of publicity and it gives them a lot of influence.”
Social engineering and phishing do not necessarily require special tools or technical skills: instead, hackers using these methods attempt to trick the victim into providing access to an account or downloading malicious software. Cappos said research shows that 20% of people who receive a credible phishing attempt – “not just a random email from a Nigerian prince,” he said – fall for it.
“Phishing works by prompting the victim to share sensitive credentials or access tokens, or execute commands or files sent by the attacker,” Kupchik told Polygon. “Just like traditional fishing, it starts with bait: it can be an email, document, or website that looks legitimate but is actually under the attacker's control. The victim would think they were downloading legitimate software or logging into an internal site, but instead they would be handing over their credentials to attackers or unsuspectingly executing malicious payloads.”
The “easy” part is getting those credentials to log in, said RSA Security senior manager Lorenzo Pedroncelli. The difficult part is overcoming the multi-factor authentication that secure platforms may also require; that's where social engineering comes into play. “If you don't have MFA in place, then a spoofed email, password, or other credential can do a lot more damage,” Pedroncelli said. Cappos added that SMS-based authentication is less secure than other types, but there are still ways to get in. “Usually what happens with most authentication-based hacks is that they don't have multi-factor authentication enabled everywhere,” he said. “Some people have it, some people don't, and they can find a way in through people who have more access than they should and don't have multi-factor authentication enabled.” Otherwise, an attacker has to trick a person into handing over their MFA codes. (Cappos recommends using secure multi-factor authentication and keeping software up to date, because outdated software can be yet another way for attackers to get in.)
Cybersecurity experts who spoke to Polygon say it's too early to fully understand the hackers' impact or motivations; Insomniac Games was hacked by a ransomware group and their stated interest was financial. The person who hacked Game Freak seems to have some affinity with Game Freak and Pokémon: they claimed to have the source code for Pokémon Legends: Z-A and next-gen games, but they reportedly said they “won't ruin the releases of those games.”