Epic fixes Fortnite security flaw which left all 200M+ players vulnerable

It looks like Epic Games' Fortnite was host to a series of bugs (that have since been fixed) which, if exploited together, could have exposed the accounts of any of its 200 million players. 


This isn't the first time Fortnite vulnerabilities have been exploited. Around this time last year, players noticed that hackers had been making fraudulent charges to their accounts after taking advantage of "well-known hacking techniques." 

As reported by cybersecurity firm Check Point, an attacker exploiting the flaws could have stolen the account access token set on the player's device once they entered their password. With the stolen access token, the attacker could then impersonate the player and log in as if they were the account holder without needing their password.

According to these researchers, the flaw lies in how Epic processes login requests. Hackers could send any user a special link that (on the surface) looks as if it came from Epic Games’ own domain. This in turn would allow a hacker to steal an access token needed to break into an account.

As for how the bug worked, the researchers say that after a user clicks on the link, which points to a sub-domain, the hacker would embed a link to malicious code on their own server by exploiting a cross-site weakness in the sub-domain.

Once clicked, with no need for the user to enter any login credentials, their Fortnite username and password could immediately be captured.

Epic has since fixed the vulnerability.

"We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention," said Epic in a statement. 

"As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others."

