Cyber Incident Victim: Electronic Arts Inc.

On or around June 10, 2021, hackers breached the network of Electronic Arts (EA), a major gaming developer and publisher with over 450 million registered players and $5.5 billion in fiscal year 2020 revenue. The attackers exfiltrated approximately 750 GB of data, including proprietary game source code, debug tools, and software development kits (SDKs). Specifically stolen were the source code for the FrostBite game engine, FIFA 21 matchmaking server code, FIFA 22 API keys, SDKs, debug tools, proprietary game frameworks, and private SDKs and API keys for Xbox and PlayStation platforms. The threat actors also acquired cryptographic materials such as PFX certificates and private keys. They advertised the stolen data for sale at $28 million, claiming buyers would gain "full capability of exploiting on all EA services" and provided directory listings and source code screenshots as evidence. In-game currency points, historically used by cybercriminals for money laundering, were also compromised. The hackers declined to disclose their initial access method when questioned.

EA confirmed the intrusion, clarifying it was not a ransomware attack and emphasizing that no player data was accessed or at risk. The company stated only a "limited amount" of source code and related tools were stolen and implemented immediate security improvements following the breach. EA downplayed operational impacts, asserting no expected disruptions to games or business operations. The organization engaged law enforcement and third-party experts to support the ongoing criminal investigation. Publicly, EA maintained confidence in its mitigation measures while continuing internal reviews to fully assess the incident’s scope. The breach highlighted vulnerabilities in safeguarding high-value intellectual property like game engines and platform-specific development tools, though EA’s revenue streams and player services remained unaffected according to corporate statements.