500,000 Activision accounts 'hacked' — or were they really?

Call of Duty Black Ops Cold War
(Image credit: Activision)

Rumors have been buzzing around the online gaming world that game publisher Activision has suffered a massive data breach. But the truth is likely to be less dramatic. Instead, this seems to be a case of reused passwords coming back to bite gamers in their digital butts.

"Over 500,000 Activision accounts have reportedly been hacked in a new Activision data breach," reported gaming website Dexterto.com yesterday (Sept. 21), saying Call of Duty players were hit especially hard. 

The site added that attackers (there's probably no actual hacking involved) were "changing the account details, making it so the original owners can't recover them."

But later that day, Activision Support's Twitter account posted a statement that "reports suggesting Activision Call of Duty accounts have been compromised are not accurate."

"We recommend that players take precaution to protect their Activision accounts, as well as any online accounts, at all times," the statement added. 

The Activision tweet linked to a support page that advised Activision account holders to "use a strong password," "do not use passwords you've used for other accounts" and "do not share account details or credentials," among other tips. 

This is why you shouldn't reuse passwords

Read between the lines, and you can see what Activision is getting at. These account takeovers are probably happening because Call of Duty players are reusing passwords that have already been used for other accounts on other sites, and some of those sites may have indeed suffered real data breaches.

If you reuse passwords, then your accounts are vulnerable to credential stuffing. That's when attackers hammer websites with long lists of usernames and passwords harvested from data breaches, phishing attacks and other forms of digital leakage. If a set of stolen credentials works on one site, it likely will on several others, the reasoning goes.

This is the chief reason why you should never reuse passwords for sensitive accounts, and why it's best to go with one of the best password managers to keep all your long, unique, hard-to-remember passwords straight.

If you have an Activision account and you know you've used the password somewhere else, then you need to changes those passwords on both (or more) accounts. Make sure the passwords you end up with are all only used once.

One thing that would make this whole problem go away

But as security blogger Graham Cluley pointed out, Activision left out one detail that would go a long way toward protecting even those accounts with reused passwords: two-factor authentication (2FA). 

That's because Activision doesn't offer 2FA, which is too bad. Anyone trying to break into an account with 2FA activated would need more than just the username and password.

"When they try to log into your account from an unrecognised device, a site's 2FA check can request that a six-digit number is entered after the username and password," Cluley wrote. "That number is typically generated by an app on your smartphone — a smartphone that your wannabe account hacker doesn't have access to."

Or that number, which can also be four digits, can be texted to your phone by the service you're trying to log into. Or you can have a physical security key that plugs into a USB port on your computer or can be tapped against the back of your phone to serve as the "second factor" alongside your password.

Cluley pointed out that other game publishers, such as Fortnite maker Epic Games, do offer 2FA. So do hundreds of other online services, including Apple, Dropbox, Facebook, Google, Microsoft, Twitter and, as of last week, Zoom

Of course, it's still possible that Activision is covering its own digital butt and has in fact really suffered a data breach. But it's much more likely that these account takeovers are the result of password reuse. Activision should accept that there's always going to be some level of password reuse among its users and offer them 2FA as a remedy.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.