Activision has confirmed it suffered a cybersecurity incident in December 2022, but failed to provide more detail on the suspected data breach.
The Call of Duty developer released the following statement to media: "On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed.”
However, on Monday, security researchers at vx-underground claimed on Twitter that the phishing incident successfully compromised a privileged user on the gaming giant’s network.
“They exfiltrated sensitive workplace documents as well as scheduled to be released content dating to November 17, 2023,” it added. “Activision did not tell anyone.”
A separate reporting from Insider Gaming confirmed the veracity of vx-underground’s findings and claimed the breached content not only included “plans” for Call of Duty 2023 and Call of Duty 2024, but also sensitive employee information such as full names, emails, phone numbers, salaries and places of work.
If Activision did not inform employees about this incident, as vx-underground claims, it may have fallen foul of Californian breach notification rules, depending on the number of victims impacted by the breach.
“Also worth noting that the threat actor(s) did attempt to phish other employees,” vx-underground added in a separate Twitter post. “Other employees did not fall for the phish. However, it appears they did not report the security incident to the Activision information security team.”
The news comes at a sensitive time for the Californian game developer as it is in the process of being acquired by Microsoft for nearly $69bn, although US, UK and EU regulators have raised concerns about the deal.
Image credit: David Cardinez / Shutterstock.com