Over the weekend, Pokémon source code, graphics and other documentation spread quickly on social media and other internet forums. Where did it come from? Game Freak confirmed last week that it had been hacked, with more than 2,600 employee details stolen. While it did not confirm the massive theft of its game data, the game data likely came from the same breach. A hacker claimed to have acquired 1TB of data, including the source code for Pokémon Legends: ZA and the next-generation Pokémon games, in addition to builds of older games, concept art, and lore documents. A lot of information has already been published, and according to the hacker, more will be uploaded to the Internet.
Simply put, this is probably one of the biggest leaks in Pokémon history. It rivals the 1.67TB leak of hacked Insomniac Games data from the infamous ransomware group Rhysida, released in December last year, and a Rockstar Games hack from 2022, in which footage of the still-in-development Grand Theft Auto 6 was released early. These hacks are always big news because the video game industry is notoriously secretive and builds buzz through carefully planned teasers, trailers and announcements. This hype is valuable for developers and publishers, but also for leakers seeking influence online, hackers demanding ransoms, and gamers eager for anything about their favorite franchise. But how does this keep happening?
Phishing attempts are common and not unique to Game Freak or any other video game company, Akamai cybersecurity researcher Stiv Kupchik told Polygon. But the audience for leaked information is huge, which means big attention. Video game fans crave this type of content.
“The fans of the product are very interested in what’s coming, what people think and so on and so forth,” said Justin Cappos, a professor at New York University’s Tandon School of Engineering. “At least I know that when I was a little boy and playing around with computer games and things like that, one of my favorite things to do was to go into my local copy of the game and turn it around and change it and do different things. There are obviously a lot of people interested in it these days, and video games in particular are an easy target, which also makes them attractive to people like cybercriminals.”
Cappos said video game companies often prioritize things other than security: They focus on systems that enable rapid development and often employ “large teams that tend to be overworked.” Nintendo is good at security, Cappos said, but when it comes to Nintendo’s various partners, things can get tricky. “One of the difficult things about playing defense is that you always have to defend the right way,” Cappos said. “You can’t even slip. And that’s why it doesn’t matter if two of the three companies did a good job. One of them screws up and you’re in trouble.”
Adam Marrè, chief information security officer at cybersecurity firm Arctic Wolf, added that video game companies tend to be targeted because they may be more inclined to pay ransoms to keep unreleased content offline.
Game Freak’s latest breach doesn’t appear to be a ransom-related one, but screenshots of the Nintendo developer portal from a reported Game Freak employee suggest the hacker gained access to the files via a social engineering or phishing scheme, as with the Insomniac Games and Grand Theft Auto 6 leaks. However, in both the Rockstar Games and Insomniac Games cases, well-known hacker groups took responsibility for the leaked information. A group called Lapsus$ claimed responsibility for the GTA 6 security breach, in which a 17-year-old hacker used phishing and social engineering methods to gain access to Rockstar Games’ company Slack channels. (The hacker was sentenced to indefinite imprisonment in a hospital.) Another group, Rhysida, claimed responsibility for the Insomniac Games leak; Rhysida is known for using phishing attacks to gain access to servers. The motivation for Game Freak’s recent hack isn’t clear, but sometimes it can be for clout.
“Gaming is a very high-profile industry,” said Kevin Gosschalk, CEO of Arkose Labs. “Many of the attackers targeting the gaming industry are also gamers who are only interested in leaking upcoming games. This creates a lot of publicity and gives them a lot of influence.”
Social engineering and phishing don’t necessarily require special tools or technical skills: Instead, hackers use these methods to trick a victim into granting access to an account or downloading malware. Cappos said research shows that 20% of people who receive a credible phishing attempt — “not just a random email from a Nigerian prince” — fall for it.
“Phishing works by tricking the victim into sharing sensitive credentials or access tokens or executing commands or files sent by the attacker,” Kupchik told Polygon. “Just like traditional fishing, it starts with a lure – it can be an email, a document or a website that appears legitimate but is actually under the attacker’s control. The victim would think they were downloading legitimate software or logging into an internal website, but instead they would be passing their credentials to the attackers or unknowingly executing malicious payloads.”
The “easy” part is getting those credentials to log in, said Lorenzo Pedroncelli, senior manager of RSA Security. The hard part is overcoming the multi-factor authentication that may also be required for secure platforms – this is where social engineering comes into play. “If you don’t have MFA, fake emails, passwords or other credentials can do a lot more damage,” Pedroncelli said. Cappos added that SMS-based authentication is less secure than other types, but there are still options. “What usually happens with most authentication-based hacks is that they don’t have multi-factor authentication enabled everywhere,” he said. “Some people have it, some people don’t, and they can find a way to get in through people who have more access than they should and who don’t have multi-factor authentication enabled.” Otherwise, an attacker has to trick a person into revealing their MFA codes. (Cappos recommends using secure multi-factor authentication And
The latest Game Freak leak is a very different kind of leak than, say, the time someone took photos of pre-release Pokémon Sword and Pokémon Shield strategy guides. The Pokémon Company settled a lawsuit in 2021 with the people who posted these photos on Discord, ordering them to pay $150,000 each. In that earlier case, the leaked information was limited to things printed in the strategy guide, such as new Pokémon. It was information that The Pokémon Company did not want to reveal, but it is far less serious than the information circulating online in connection with this massive recent hack. It’s also a different scenario than when employees leak information to the press, as with Fallout 4’s setting, or when Microsoft accidentally uploaded redacted court documents to a file repository linked to the Federal Trade Commission v. Microsoft case.
Cybersecurity experts who spoke to Polygon say it is still too early to fully understand the impact or motivations of the hackers; Insomniac Games was hacked by a ransomware group and their stated interest was financial. The person who hacked Game Freak seems to have some affinity for Game Freak and Pokémon: They claimed to have source code for Pokémon Legends: ZA and next-gen games, but reportedly said they “won’t ruin the releases of these games.”