Last weekend’s shocking leak of footage from The Last Of Us Part II was likely committed by hackers who exploited a security vulnerability in prior Naughty Dog games, according to a person who said they were familiar with the hack. Kotaku has confirmed some of the details with a second source who is familiar with how development studio Naughty Dog’s games are structured.
He described a sequence of events that started in January. That’s when, he says, a hacker group discovered a method for accessing the Amazon servers for Naughty Dog games using what was essentially password information included in the code for the studio’s games, including 2011’s Uncharted 3 and 2013’s The Last of Us. Those games access the servers for multiplayer functionality but apparently could also be used to fetch files stored there.
“The UC3 key got them UC3 development material, and UC2’s key did the same, but there was some TLOU1 content mixed into UC3’s server,” Pixelbutts said. “It wasn’t too much of a stretch to think TLOU1’s server would have TLOU2 material.”
By March, he said, the group grabbed at least one terabyte of data from the part of the server associated with The Last Of Us.
That timeline tracks with what leaked of the highly anticipated upcoming PS4 exclusive. At least one of the pivotal, plot-spoiling cutscenes that was posted online by the leaker included developer code that identified the footage as being from an April 1 build of the game. While the leak also included gameplay footage, it’s unclear if the hackers would have been able to obtain a playable build of the game as opposed to gameplay footage recorded by Naughty Dog and saved on the studio’s servers.
Pixelbutts claims to have notified Naughty Dog of the security flaw in February and also says that he neither participated in the hack nor has obtained any of the materials that leaked.
He told Kotaku today that the key to access the Amazon servers was changed on or before April 30, closing off the apparent hole that allowed for the leak.
A Sony PlayStation rep did not reply to Kotaku’s request to comment about this account.
This morning, however, ever-reliable former Kotaku news editor Jason Schreier reported that the leak was indeed a hack, citing two people with direct knowledge of it as well as conversations with Naughty Dog employees. Our own second source also corroborated some of these details.
What remains less clear is who carried out the leak and why. Pixelbutts said he doesn’t believe that the group of hackers who discovered the exploit in January perpetuated the leak of Naughty Dog’s Last Of Us 2 material. “Their circle is more just ND enthusiasts that like development content from their games, rather than malicious actors,” he said. Nevertheless, he believes that someone who became aware of the exploit, possibly through that group, put the material out there.
The big leak occurred a week ago and quickly led to rumours that it was the action of a disgruntled employee, perhaps one angered by the studio’s controversial crunch culture. Those rumours soon were reported as fact by some gaming news outlets and across forums and social media, but it doesn’t seem that the leak ever included that claim. The leak managed to ruin a lot of plot points that were intended to be kept secret, and the release of footage showing what was next for the series’ characters angered many players who wanted to start the game unspoiled. It also clearly infuriated developers at Naughty Dog, who had managed for years to keep secret the details of their characters’ second virtual sojourn through a post-disaster United States.
On Friday, a Sony rep told Kotaku that the company had identified the “primary individuals” responsible for the leak and noted that those people were not current or former employees or contractors. That shot holes in the disgruntled employee theory. Consistent with Sony’s claim would be a scenario in which the leaked files were obtained via a hack and posted online by an outsider, but were all based on an exploit of a vulnerability that Naughty Dog didn’t know about or didn’t expect could lead to disaster.
“Don’t believe what sounds like the juiciest story, even if it’s what you wanna hear,” Pixelbutts wrote on Twitter today. “Sometimes it’s really that boring. Hackerman exploiting a vulnerability created by the company’s own games to gain internal access.”
If Naughty Dog had detected any intrusions in recent weeks, certainly the rush to finish the game and the stress of shifting to working from home due to covid-19 would have left the team in the worst position to stop it. And if they managed to plug that hole by April 30, they simply got to it too late.
After an extraordinarily dramatic development cycle, The Last Of Us Part II will finally be released next month on June 19.