in Newswire Published on August 12, 2019

Epic Games Hit with Class Action Case in North Carolina Over Fortnite Data Breach [UPDATE]

by Corrado Rizzi

Last Updated on February 28, 2020

View Comments

Heidbreder v. Epic Games, Inc.

Filed: August 8, 2019 § 5:19-cv-00348

Read Complaint

A data breach affecting roughly 200 million Fortnite players' accounts is the subject of a proposed class action lawsuit against developer Epic Games.

Defendant(s)

Epic Games, Inc.

Law(s)

State(s)

North Carolina

Categories

Entertainment Privacy Data Breach

Case Updates

Update – February 7, 2020 – Case Sent to Arbitration

United States District Judge Terrence Boyle has ordered that the lawsuit detailed on this page be sent to arbitration.

In a February 1 order, Judge Boyle sided with Epic Games in holding up the arbitration agreement contained within the developer’s March 2019 end user license agreement that the plaintiff says his minor son agreed to upon creating his Fortnite account that same month. Though the plaintiff opposed the enforcement of Epic Games’ arbitration clause for a number of reasons, including that privacy-related data breach claims fall outside the scope of the clause and that his minor son was the one who actually hit “agree” to the terms, Judge Boyle held that the individual is bound to the agreement.  

“In sum,” the judge wrote, “the Court finds that the arbitration provision is valid and enforceable. In accordance with the delegation clause, whether the specific claims brought by plaintiff are covered by the scope of the agreement is a question for the arbitrator. Plaintiff is bound to individually arbitrate his claims against defendant.”

Epic Games finds itself facing a proposed class action lawsuit over a sizeable data breach during which the information of approximately 200 million Fortnite players was reportedly exposed.

Filed in North Carolina district court, the case revolves around Epic’s January 16, 2019 announcement that Fortnite players’ personally identifiable information had been involved in a security breach. To date, the lawsuit says, Epic Games has not directly informed or notified Fortnite players that their account information may have been compromised in the breach, nor has the game developer disclosed the time frame in which the hack reportedly took place or how many accounts may have been compromised.

Epic Games became aware of the incident when cybersecurity firm Check Point Software Technologies uncovered vulnerabilities in Fortnite’s web infrastructure and informed the company in November 2018, according to the complaint. The lawsuit says Fortnite’s vulnerabilities stemmed from the game’s single sign-on setup, which allows users to log into multiple services with one third-party account. Once logged in with a third-party account, players, the suit says, can access their Fortnite account by requesting that the third-party account, such as Epic Games, Xbox or Google, send an “access token” to Fortnite.

As the lawsuit tells it, hackers exploited Fortnite’s single sign-on structure by distributing over social media and message forums phishing links purporting to be a promotion for the game. When players opened the links, they were prompted to log into their Fortnite account via single sign-on, the suit says. Instead of the third-party account sending the aforementioned access token to a legitimate login, hackers, the complaint says, “redirected those users to an old, unsecured URL maintained by Epic Games.” Check Point Software Technologies discovered that hackers could embed that unsecured URL with “malicious JavaScript,” the case explains, which would enable them to steal Fortnite access tokens that could be used to hijack players’ accounts. 

The complaint charges that the breach resulted from Epic Games’ failure to maintain adequate security measures, and argues Fortnite players have been ascertainably injured in that their credit and/or debit card information linked to their game accounts was stolen “as a result of the defendant’s failures.”

“Hackers used this information to purchase in-game Fortnite currency without the permission of account holders, including Plaintiff,” the suit says.

According to the complaint, some stolen Fortnite accounts, once loaded up with in-game currency, were sold on third-party websites and the dark web.

The suit looks to cover a proposed class of all individuals in the United States who registered for Epic Games accounts and whose personally identifiable information was “accessed, compromised, or stolen” from Epic Games in the data breach. The case similarly looks to cover a Missouri-only class of individuals with Epic Games accounts and whose information was accessed, compromised or stolen during the data breach.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on February 28, 2020 — 11:41 AM

Corrado Rizzi

corrado@classaction.org

Corrado Rizzi is the Senior Managing Editor of ClassAction.org.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.