Activision hackers exposed employee and game info

Activision has suffered a data breach, with threat actors accessing the game publisher’s corporate Slack environment and game release calendar. Activision confirmed it was breached.

Researchers at VX-Underground first announced the breach, adding that Activision decided to keep the security incident under wraps.

“They [the attackers] exfiltrated sensitive workplace documents, as well as content scheduled to be released dating to November 17, 2023. Activision did not tell anyone,” researchers said.

According to supposed screenshots of the attack, threat actors posted an obscene message in Activision’s “#general” Slack channel using a compromised account. The attacker likely accessed a schedule for content release dates for the company’s popular Call of Duty game.

According to a representative of Activision Blizzard, Activision's parent company, the security incident occurred on December 4 of last year. However, no sensitive data was exposed.

“The security of our data is paramount, and we have comprehensive information security protocols in place to ensure its confidentiality. On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed,” the company's representative told Cybernews.

The breach also targeted its employees via an SMS-based phishing campaign. Potential victims received a message supposedly from the “Activision Automated SMS Dispatcher” titled “Employment status: under review”, urging them to respond with two-factor authentication (2FA) code.

One of the victims responded with the code, giving the attackers access to their Activision account. Screenshots shared by VX-Underground indicate that threat actors targeted several company employees.

Others responded with curses aimed at the attackers, indicating an awareness of the phishing attempt. However, researchers believe no one reported the incident to Activision’s information security team – allowing threat actors to proceed with the hacking attempt.

Earlier this year, Microsoft announced plans to acquire the Call of Duty videogame maker for $68.7 billion in cash, reportedly the biggest deal in the tech sector. But to close it, Microsoft first must convince European lawmakers the transfer doesn’t violate EU antitrust laws.