Activision was hacked but failed to notify its employees: Report

Last week, gaming behemoth Activision announced that a cybercriminal gained access to its network late last year. How did the hacker accomplish this? Take a wild guess. Is the answer…

A) The old USB parking lot method
B) Sophisticated router-hijacking malware
C) Whatever they did in this Blackhat scene

Nah, nothing that difficult or intriguing. Of course, the correct answer is D: phishing an employee. That’s what happened because that’s what occurs all the time.

According to TechCrunch, the corporation never told its own employees that it had been hacked. Two current Activision employees told the outlet anonymously that they had yet to get an official communication from the firm about the incident as of this week. Not a wise choice if your firm has just been the target of a phishing campaign!

The attack occurred in early December, according to the gaming company, and was the consequence of a malicious text message sent to a company employee.

“On December 4, 2022, our information security team rapidly addressed and resolved an SMS phishing attempt. After a comprehensive investigation, we discovered that no critical staff data, game code, or player data was accessed,” the company said in a statement to Bleeping Computer.

Nevertheless, while Activision asserts that no “critical” data was stolen as a result of the breach, security researchers who have been investigating the incident paint a slightly different picture. According to the malware analysis organization vx-underground, which first reported the event, the hacker was able to phish a “privileged user” on Activision’s network. With that access, the cybercriminals “exfiltrated important workplace documents” before attempting to phish other company employees through the staffer’s Slack account. Meanwhile, journalists at Insider Gaming discovered that the stolen data contained employee email addresses, phone numbers, salary data, and other sensitive information. In the aftermath of the breach, a Call of Duty content schedule has also been leaked.

Gizmodo contacted Activision for further information and will update this story if it responds.

Of course, Activision isn’t the only huge tech company that has been hacked in a basic way and handled it poorly. That appears to be Silicon Valley’s strategy lately. For example, despite the hacker’s use of rather basic intrusion techniques, a big phishing campaign managed to access the networks of dozens of prominent corporations late last year. Reddit recently reported that it had been hacked using a simple phishing scheme. It just goes to show that the most basic cyber advice still holds: if you don’t know who sent it, don’t trust it.