I’ve noticed a surge in "hacked" accounts being sold on the dark web for popular titles like Fortnite and Roblox. Most users claim they never shared their passwords. Is this primarily due to credential stuffing from other data breaches? How can gaming platforms better secure user identities against these automated brute-force attempts without ruining the login experience?
3 answers
You hit the nail on the head. Credential stuffing relies on the fact that many gamers reuse the same password across multiple sites. When a random e-commerce site gets breached, hackers use bots to test those same email-password combos on gaming platforms. To stop this, companies are implementing risk-based authentication. If a login attempt looks suspicious—like coming from a new IP or country—the system triggers a mandatory MFA prompt. This balances security and user friction effectively.
Do you think that the industry's shift toward "passwordless" logins using FIDO2 or passkeys will finally put an end to these massive account takeover waves?
Most kids just want free skins and click on phishing links, making the hacker's job incredibly easy. Education is just as important as the actual technical security measures.
Spot on, Thomas. Social engineering is the "human element" that technical firewalls can't always catch, especially when the lure is a rare in-game item.
It's definitely the right direction, Robert. Passkeys are much harder to phish or stuff because they rely on a physical device or biometrics. The challenge is getting the average young gamer to set it up. Until then, we’re stuck with a hybrid approach of SMS codes and email verifications, which are still vulnerable but much better than nothing.