2K, the publisher behind NBA 2K, Bioshock and more is facing a security breach. The company is reaching out to players via email, notifying them of the personal data compromise.
The hacker managed to get hold of system credentials belonging to a vendor 2K uses to run its help desk platform. Once the threat actor gained access to customer email addresses, they sent out official-looking emails containing malicious links that would download password-stealing malware.
2K confirmed on September 20 that its help desk platform was hacked and used by the attackers to target customers using fake support tickets that pushed Redline Stealer malware via embedded links.
According to the company, on Thursday, September 19, an unauthorized third party accessed and copied “a limited volume” of information stored on 2K’s help desk platform.
This included users’ names, email addresses, Gamertags, console details, and other personal information provided to the company’s support team. “There is no indication that any of your financial information or password(s) held on our systems were compromised,” 2K says.
To be clear, it appears as though this breach predominantly affects those who have contacted 2K via the support portal. The breach doesn’t seem to affect players who actively play 2K games or have a 2K account. However, it’s always worth staying vigilant across all of your accounts.
Additionally, the publisher revealed that the hacker has contacted several players, sending them a malicious link masquerading as a software update from 2K. Instead, this link could potentially compromise data, such as passwords, stored on a user’s device. The support portal was taken offline shortly after the breach was discovered, and those sent malicious links have now been contacted.
Anyone who had already clicked on the link was advised to reset any user account passwords stored in their browser, enable multi-factor authentication where available, install and run a good anti-virus program, and check their email account settings to see if any forwarding rules had been added.
2K’s advice that all users change their account passwords is also solid. Users should use a password manager to generate a long, random phrase or string unique to their 2K account. Even when 2FA offerings aren’t FIDO2 compliant, they provide more protection than not using 2FA at all.