This security breach comes on the heels of a data breach at Rockstar Games, the developer of the Grand Theft Auto (GTA) franchise. Both Rockstar Games and 2K are owned by Take-Two Interactive, which makes us wonder whether the 2K security breach is related to the Rockstar Games breach. For those unfamiliar with the latter, an unknown actor recently stole GTA 6 gameplay footage from Rockstar Games and published it on the public forums for the franchise. The hacker also claims to have stolen source code for both GTA 5 and 6. While the actor behind this data breach is currently unknown, he claims to be the same actor behind the recent Uber security breach, who Uber believes to be associated with the LAPSUS$ hacking group.
The emails sent by the threat actor using the [email protected] email address provide updates on the status of a fake support ticket. An initial email informs recipients that the support request is under review. A second email then directs recipients to download a file presented as a new 2K Games launcher application. The file, named 2K+Launcher.zip, installs the RedLine stealer malware, which swipes all sorts of personal information from infected computers, including system information, browser history, cookies, credit card information, cryptocurrency wallet information, and login credentials stored in web browsers.
Users can also check their systems for the presence of malware with an antivirus scanner like Malwarebytes. Malwarebytes offers a free application for both Windows and Mac that is easy to install, use to run a full scan, then uninstall.
Users should also check their browsers to see whether there are any saved passwords, addresses, or credit card credentials, as the RedLine stealer malware can read and exfiltrate this information. Users can check for saved passwords in Chromium-based browsers, such as Chrome and Brave, by entering chrome://settings/passwords into the address bar. Users can do the same in Firefox-based browsers by entering about:logins. Users can also check for saved credit card information and addresses by visiting chrome://settings/autofill in Chromium-based browsers and Settings > Privacy & Security > Forms and Autofill > Saved Addresses/Saved Credit Cards in Firefox-based browsers.
Users who recently received emails from 2K Games support may want to set up multi-factor authentication (MFA) and change the login credentials for any services whose login credentials are stored in their browsers. These same users may also want to freeze their credit if credit card information is stored in their browsers. Finally, users should check their email accounts and clients to make sure that there aren’t any new rules forwarding their email to unfamiliar email accounts. Check with your email provider for the exact process to accomplish this.
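To turn the "rotate everything the browser had saved" advice into a concrete checklist, the following added example (not code from the article or from 2K) reads only the site and username columns of a Chromium profile's `Login Data` SQLite file, never the encrypted password column, and prints one line per saved account to work through. It assumes the real table is named `logins` with `origin_url` and `username_value` columns, and builds a constructed sample file so it runs offline.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Chromium keeps saved logins in an SQLite file called "Login Data" in the
# profile directory (for example %LOCALAPPDATA%\Google\Chrome\User Data\Default
# on Windows). Assumed schema: table `logins`, columns `origin_url` and
# `username_value`. The `password_value` column is deliberately never read.


def saved_login_sites(login_data_path):
    """Return {origin_url: [usernames]} from a Chromium Login Data file."""
    # Work on a copy: Chromium holds the live file open, so close the
    # browser first and never open the original directly.
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "Login Data.copy"
        copy.write_bytes(Path(login_data_path).read_bytes())
        con = sqlite3.connect(copy)
        try:
            rows = con.execute(
                "SELECT origin_url, username_value FROM logins "
                "ORDER BY origin_url, username_value"
            ).fetchall()
        finally:
            con.close()
    sites = {}
    for origin, user in rows:
        sites.setdefault(origin, []).append(user)
    return sites


def rotation_checklist(sites):
    """One sorted line per saved account: the password-change to-do list."""
    return [f"{origin} ({user})"
            for origin, users in sorted(sites.items()) for user in users]


def build_sample_login_data(path):
    """Constructed sample mimicking the Login Data schema (subset of columns)."""
    Path(path).unlink(missing_ok=True)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                "password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://store.example.com/", "alice", b"\x01opaque"),
        ("https://mail.example.net/", "alice@example.net", b"\x01opaque"),
        ("https://store.example.com/", "alice-work", b"\x01opaque"),
    ])
    con.commit()
    con.close()


def demo_checklist():
    """Build the constructed sample in a temp dir and return its checklist."""
    sample = os.path.join(tempfile.mkdtemp(), "Login Data.sample")
    build_sample_login_data(sample)
    return rotation_checklist(saved_login_sites(sample))


if __name__ == "__main__":
    print("\n".join(demo_checklist()))
```

On a real machine, point `saved_login_sites` at the profile's own `Login Data` file with the browser closed; the Firefox equivalent (`logins.json`) stores usernames encrypted, so only hostnames can be listed the same way.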
The 2K notice informing customers of the security breach tells customers that the publisher will “issue a notice when you can resume interacting with official 2K help desk emails,” so watch the 2K Support Twitter account for a further notice before interacting with 2K support over email any further.
Top Image courtesy of Dominik Deobald