UPDATE: Activision has told TechRaptor that the Activision account compromise is not happening, despite a number of people who've reached out to us saying otherwise. It's also worth noting that we've seen evidence of Call of Duty accounts being hacked in the past, with some users waiting months to get their credentials restored. Here's the statement we received from the company in full:
Activision Call of Duty accounts have not been compromised. Reports suggesting otherwise are not accurate. We investigate all privacy concerns. As always we recommend that players take precaution to protect their accounts at all times. Please visit our player support page for further information, including a helpful set of tips and step-by-step instructions: https://support.activision.com/articles/keeping-your-activision-account-secure
Original story follows below.
ORIGINAL STORY: A major breach has led to over 500,000 Activision accounts being hacked, with credentials then being leaked to the public. If you've got an Activision account, we strongly recommend logging in to make sure you haven't been affected.
How were these Activision accounts hacked?
The breach was first reported by a number of Call of Duty content creators via Twitter. Prominent gaming personality Okami reported that over 500,000 accounts had been breached and that the breach is still happening. Elsewhere, TheGamingRevolution claims that 1,000 accounts are being generated every 10 minutes, so even if yours isn't part of the breach right now, there's a chance it may be compromised later down the line. This information was originally posted on Call of Duty YouTuber oRemyy's Discord server before oRemyy himself managed to block the hacker and shut down all of his social media profiles.
Yeah, it's legit guys. Change your Activision account passwords and add 2FA immediately.
Apparently over 500k accounts have been breached already and it's still ongoing. @Activision @ATVIAssist https://t.co/mjKecaty1m
— Okami (@Okami13_) September 21, 2020
Prior to deletion, oRemyy said that the "biggest hack in Call of Duty history" was happening, claiming the hack was "10x worse" than the "notorious PS3 hack" (an attack in early 2011 which saw PlayStation servers down for a prolonged period and many accounts compromised). The latter tweet was accompanied by a picture depicting a person in a Guy Fawkes mask, generally associated with hacker group Anonymous. This, combined with the fact that the hack was originally released on oRemyy's Discord server, has led to speculation that oRemyy is involved in the hack himself. We haven't been able to confirm this information.
TechRaptor has spoken with Twitter user Prototype Warehouse, who saw first-hand proof that the hack had happened. We've also been able to confirm said proof is authentic; the hacker, under the username "South African", tweeted sensitive account information accompanied by other pertinent details. The hackers publicly posted certain login details with promises to post more within a certain timeframe. Said details included not only usernames and passwords, but also which platform the account is primarily used on, some of the account's Call of Duty statistics, and other games. The hacker themselves stated that they were using certain software, which presumably brute-forces Activision's encryption, so this doesn't necessarily mean Activision was storing passwords in plain text form.
We've also spoken to a victim of the hack who says that they've contacted Activision support, who have confirmed that this - hackers stealing login credentials, then changing them so users can't log in - is an increasingly common problem. It's likely because, no matter what Okami says above (which Okami later noted themselves), Activision doesn't have 2-factor authentication available on its platform. As our source told us, this leads to hackers being able to change information without users needing to confirm via email or mobile authenticator.
What should I do if my account is affected?
The first thing you need to do is to change the password associated with the account. Unfortunately, you cannot add 2-factor authentication to your account as Activision doesn't support that, so try to make the password as strong as you can. Remember that if you're using the same password for your Activision account as for other services, it should be changed not only on your Activision profile, but everywhere else, too.
In addition to this step, you should also immediately de-link any other services you have associated with your account. This includes PlayStation Network, Xbox Live, Steam, Battle.net, and anything else you've added to your Activision profile. Naturally, if you've got any payment methods saved on your account, you should immediately delete them. It might also be worth doing this on other services linked to the account.
We have reached out to Activision and are working to gather more information on the Activision hack, which we will provide as we have it.