UPDATED 22:33 EDT / AUGUST 27 2020

Stolen Fortnite credentials are big business in underground marketplaces

Fortnite, the world’s most popular game, has come in for plenty of attention lately during the battle between creator Epic Games Ltd. and both Apple Inc. and Google LLC, but it’s also drawing extensive interest from hackers.

A new report released today by Night Lion Security Chief Executive Officer Vinny Troia, “The Fortnite Underground Cybercrime Economy,” details the extent to which Fortnite credentials have become a big business in underground and dark web marketplaces.

Access to Fortnite accounts is said to be gained by credential stuffing: replaying account login details stolen in other hacks against a different service, on the assumption that many people reuse the same email and password across multiple sites.

Those targeting Fortnite apparently use automated tools that can check up to 500 accounts per second to see if the stolen credentials match those used by Fortnite users. Some of the tools used also can test variations on stolen passwords, such as incremental numbering or changed capital letters.
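From the defending side, that volume is itself the signal: one source cycling through many different accounts in a few seconds, with almost every attempt failing. The following is an added example, not taken from the report or from Epic Games; the event format, the thresholds and the `detect_stuffing` name are assumptions, and the sample log is constructed using documentation IP ranges.

```python
from collections import defaultdict, deque

# Constructed sample login events: (unix_ts, source_ip, username, success)
SAMPLE_EVENTS = (
    # One source trying 8 different accounts in 2 seconds, 1 hit
    [(1000 + i // 4, "203.0.113.7", f"player{i}@example.com", i == 5) for i in range(8)]
    # A real user mistyping a password on a single account, then succeeding
    + [(1000 + 5 * i, "198.51.100.20", "alice@example.com", i == 3) for i in range(4)]
    # A shared household address: a few accounts, all successful, spread out
    + [(1000 + 30 * i, "192.0.2.5", f"home{i}@example.com", True) for i in range(3)]
)

def detect_stuffing(events, window=10, min_accounts=5, max_success_ratio=0.2):
    """Flag sources that, inside any sliding `window` seconds, attempt at least
    `min_accounts` distinct usernames while succeeding on at most
    `max_success_ratio` of the attempts.

    Returns {source_ip: (peak_distinct_accounts, success_ratio_at_peak)}.
    """
    by_source = defaultdict(list)
    for ts, src, user, ok in events:
        by_source[src].append((ts, user, ok))

    flagged = {}
    for src, rows in by_source.items():
        rows.sort()                      # order by timestamp
        recent = deque()                 # attempts inside the current window
        for row in rows:
            recent.append(row)
            while row[0] - recent[0][0] >= window:
                recent.popleft()         # drop attempts older than the window
            users = {u for _, u, _ in recent}
            ratio = sum(ok for _, _, ok in recent) / len(recent)
            # Many accounts + mostly failures = stuffing pattern, not a typo
            if len(users) >= min_accounts and ratio <= max_success_ratio:
                if len(users) > flagged.get(src, (0, 0.0))[0]:
                    flagged[src] = (len(users), ratio)
    return flagged

if __name__ == "__main__":
    for src, (accounts, ratio) in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"{src}: {accounts} accounts in window, {ratio:.0%} success")
```

Counting distinct usernames rather than raw failures keeps the single user who mistypes a password repeatedly from being flagged.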

Having obtained access to Fortnite accounts, the hackers then offer those accounts on dark web marketplaces and private groups, with the credentials being packaged and sold in groups. Accounts with multiple skins or upgrades that users can purchase in Fortnite are particularly coveted.

The report notes that Fortnite hacking and sales have become a lucrative business. In one example, collections of a few thousand stolen accounts being auctioned in a private Telegram channel were found to be selling for between $10,000 and $40,000 each. High-end sellers average sales of $25,000 per week, or roughly $1.2 million per year, while lower-end sellers were making around $5,000 per week in sales.

“Video game accounts just happen to be one of the more valuable right now because more people are home from work and Fortnite is just the game many people are playing,” Troia told Fox News.

Ben Goodman, certified information systems security professional and senior vice president of business and corporate development at the digital identity firm ForgeRock Inc., told SiliconANGLE that the hacks demonstrate the fundamental weakness of the traditional password and username method of authenticating users.

“No one can remember the tens or hundreds of unique passwords they would need to keep all their accounts secure, so people reuse login information across multiple accounts and expose themselves to the risk of being hacked,” he said. “What’s more, every data breach of a system using passwords and usernames makes downstream breaches more likely, which is what we saw here. Criminals used automated tools that allowed them to see whether login credentials stolen in other data breaches could be used to unlock any Fortnite accounts.”

The only way to stop the attacks and protect consumers is for businesses to stop using usernames and passwords to authenticate their users, he added. “Businesses should instead embrace alternative user authentication methods, such as behavioral biometrics and multimodal authentication systems, which keep users secure without requiring users to memorize hundreds of passwords,” he said.
