Credential Stuffing Increasingly Targets Video Games

The video gaming business is booming. And not just booming, but mega booming.

Forced to stay inside, a broad and very diverse customer base has driven the video gaming market "in the US to increase 37% year-over-year to $3.3 billion, according to the market research firm NPD Group." (Source: Quartz) 

This feeds an increasingly popular—and profitable—business model called "free to play." The game is free and offers the option to purchase in-game digital assets via microtransactions. Candy Crush, if you recall, was one of the first to make this model a reality. According to Gamestop, "the Candy Crush series of mobile games collectively made more than $1.5 billion in revenue from microtransactions in 2018 across iOS and Android. That works out to a staggering $4.2 million USD spent per day on average."

I will admit to contributing to this increase as our entire household spends our "entertainment" budget these days on in-game assets. Not games, necessarily, just in-game assets. Consider this screenshot. In it is about $22 worth of in-game, digital assets that have no impact on the game itself. They can't be used anywhere else. Most gamers have tens or hundreds of costumes and emotes and other digital cosmetics. The cost quickly adds up.

This model is increasingly profitable. In 2019, Epic Games' popular battle royale, Fortnite, "brought in revenues of $1.8 billion, according to data reported by SuperData Research, a Nielsen Company." (Source: Investopedia) Its business model is based entirely on microtransactions.

Microtransactions, of course, are backed by credit cards and payment processors like PayPal. That is the information attackers are really looking to get their hands on by gaining access to gaming accounts.

Which makes recent data analyzed by Atlas VPN both logical and terrifying. After all, "follow the money" is a phrase just as applicable to understanding motives of attackers as that of politicians. The firm found that "hackers attacked gamers a staggering 9.83 billion times from July 2018 to June 2020. In other words, players are hit with around 14 million attacks per day or 584 thousand attacks per hour." (Source: Information Security Buzz)

Gamers are not unaware of the potential impact. A survey on gamers' concerns conducted during the summer of 2020 found that they were most worried about their credit card information (49.1%) were their accounts to be hacked. (Source: Atlas VPN Blog) It should be noted that "access to their account" and "loss of in-game assets" were not far behind. The rise of competitive gaming and streaming gameplay as a source of income means these concerns are not as superficial as you might think.

These accounts are valuable to attackers, so it's no surprise to find such substantial attacks against them. Given that these accounts—like those in other industries—can be used across platforms (website, console, mobile phones) to gain access, they pose a lucrative target with multiple attack vectors for those savvy enough to go after them.

And if the account doesn’t have financial account data, they can always sell the digital account in the illicit game account market.

Yes. That's a thing that exists. It's against every game company's policy and terms of service, but it happens. Frequently.

Credential stuffing is a real threat to every industry with a digital presence—even video gaming. As we increasingly turn toward not just a digital economy, but a digital-first economy, this threat is one that needs to be addressed.

That's why it's important to continue to improve the technology used to detect and thwart fraud and abuse. Every industry can benefit from putting in place the best protection they can against credential stuffing attacks.