Over the last week I've been getting concerning emails about my Epic Games account, which acts as a single login for Fortnite, Unreal Tournament and the Unreal Engine. According to the emails, someone tried several times to break in but was unsuccessful.
With the account locked for two hours, I searched around for some method of shutting the account down, or posting a support ticket asking for the email to be changed. Problem: you can't do either of those things once your account is on lockdown.
It's an issue gamers have been raising over the last few weeks, the reasons for which Cecilia documented here. Put simply, hackers have been basically grabbing password dumps and using variants of brute force attacks, like credential stuffing, to access people's accounts.
One major problem is that there's still no way to change the email address associated with your account, or to even add a secondary account in case the first is compromised. Two-factor authentication also goes through the same email as the account, which isn't great. Epic posted on February 23 that the ability to change email accounts would be added "very soon"; that was almost two months ago now.
Epic's communications could be better, too. When Epic sends out an email warning that an account has been locked, the email says "feel free to contact us if you need help". The link in the email then redirects to Epic's Customer Service page, but clicking through to the "Epic Account" link then brings up another login page - which you can't progress through once your account has been locked.
The Fortnite support centre is a little better, with a bunch of FAQs. But even then the advice is sometimes painfully vague. Should someone wish to cancel their account - given that you can't change the email address - Epic simply suggests that users "contact us for next steps", without providing a form or contact address.
Making matters worse, the [email protected] account is unmonitored and only sends automated replies redirecting people back to the Epic help page. I eventually found a contact form to contact Epic support without having to log in, the link for which appears at the very bottom of the Fortnite support page.
There's also a form for users to challenge unauthorised charges on their bank statement, but again, you have to dig through the FAQs to find that.
The email also doesn't offer any suggestions or links to ways users can fortify their accounts, once you are eventually able to log back in. Epic's missive on March 7 - which wasn't emailed out to all users - notes that users can gain an extra layer of security by linking their Epic or Fortnite account to Facebook and Google:
Due to the additional security measures provided through Google and Facebook login, you can set correspondingly more secure passwords for your Epic account and then not worry about using them due to the pass-through authentication with Google and Facebook.
For users confused about why their accounts are being locked - especially if they don't play Fortnite, and haven't interacted with Epic Games for years - this is helpful, critical information. It's also information that should be a lot more immediately accessible, especially given the number of users who are complaining via social media, the Fortnite forums and subreddits about their accounts being compromised.
The whole episode is a useful reminder to never be lax on security. Change your passwords, don't reuse passwords across accounts, get a good password manager, and don't have your credit card details permanently saved by accounts at all. Until then, expect to see a lot more users unhappy with Epic's handling of the situation.