Account Security Bulletin
Epic Games is providing this bulletin to explain what’s happening and how to best secure your Epic account and other accounts.
Though it’s common to use the same password across multiple Internet sites, this is a dangerous practice and should be avoided. If one of those sites is compromised, hackers can use your email and password from that site to break into your account on other sites using the same password.
Here’s what happens: Attackers frequently download password dumps – lists of username/password combinations -from third party sites and use “credential stuffing” to find out what other websites those credentials work on. When they are successful at logging in to those accounts, they see what trouble they can create for the account holder. In many cases, that appears as fraudulent V-Buck purchases.
Fake Fortnite Offers
We’ve seen several instances of account theft and fraud related to websites that claim to provide you free V-Bucks, Cosmetics or the ability to share or buy accounts. Please never share your Epic account details with anyone. Epic will never ask you for your password. Groups claiming to provide special Fortnite deals this way are fraudulent.
How Do I Know If I’m At Risk?
There is a fantastic web service Have I Been Pwned that will let you search your email address and determine if it has been part of any data breaches. If it has, you should assume that the password associated with that service is public knowledge and change all accounts that use it (not just your Epic account!).
Even if your account information hasn’t been publicly identified as leaked, it’s possible that it may be leaked in the future, so there are steps that you can do to help protect yourself against that. You can start by signing up for the Have I Been Pwned notification service so you’re immediately alerted if your email is ever included in future dumps.
What Are We Doing To Help?
We’ve been working hard to hunt down password dumps in order to
proactively reset passwords for player accounts that may have been
leaked online. This approach involves a lot of manual work on our side
but we believe that it prevents a significant amount of fraud.
Unfortunately, this approach does not find every impacted account, because of this we are constantly working to automate and streamline our process for finding and resetting impacted accounts.
Good Security Practices
Use Unique Passwords
We recommend using unique passwords as a way to protect yourself from credential stuffing attacks. Having a unique password for every service will guarantee that one compromised account won’t lead to everything you own being stolen. Of course, it can be hard to remember so many different passwords.
Consider using a password manager to help. Using a password manager, you can generate a unique password for every service and only remember a single strong password (for the password manager).
Link Your Social Accounts For Extra Security
We offer support to integrate Facebook and Google logins with our Epic account system. This provides you with several advantages.
First, you can log in without needing to use your Epic password, as long as you’re actively logged in to Facebook or Google on your browser. You’ll receive a login prompt asking you to authorize the activity and then will be let straight in.
Second, you can always use these login methods to regain access to the account in the event that it is locked due to invalid passwords. Due to the additional security measures provided through Google and Facebook login, you can set correspondingly more secure passwords for your Epic account and then not worry about using them due to the pass-through authentication with Google and Facebook.
Install And Update Antivirus
While antivirus and antimalware products won’t solve every problem, they will help keep your computer safe from a lot of threats. Epic doesn’t endorse any particular product, but you can view a list of options here along with the various features of each. Keeping your computer clean of unwanted software will again minimize the number of ways your account can be compromised.
Keep Your Computer Up To Date
You should always keep your operating system, installed software, and drivers as up to date as possible. Small bugs from outdated drivers or software can result in performance issues or other game stability issues while missed security updates could compromise your entire computer. Epic always recommends updating to the latest secure versions of software and operating systems.
Don’t Trust Shared Systems
Logging in from a shared computer (cyber cafes, libraries, a friend’s
house, etc.), introduces additional risk. Only log in on shared systems
controlled by people you trust. Just by logging into your account on a
shared system, your credentials could be stolen and you have no real
insight into how secure those machines are.
If you’ve used an untrusted shared machine in the past, we recommend changing your password to ensure that it’s not compromised. If you play on a shared machine on a regular basis, it is critical that you use a unique password for your Epic account and make sure to log out of the launcher when finished each time.
Enable Two-Factor Authentication
Two-factor authentication adds an extra layer of complexity to your account security, this makes it much more difficult for someone to gain unauthorized access. Get protected now.
Be sure to also protect your accounts for other services too! This site will let you review different services and see which support it.
Don’t Share Accounts
While sometimes you might struggle to complete that quest and would love for a friend or family member to help, we encourage you not to share your account information with others. Any actions committed on your account are your responsibility. If someone cheats on your account and it is banned, it is your responsibility as the account holder.
Don’t Buy Accounts
Sometimes, people get tired of a game and want to quit – and would like to get something for the time they’ve invested in the game. As a result, they’ll list their accounts online. While you might be tempted to purchase one and gain access to the sweet skins they have, please don’t. As the original account creator, they are likely in possession of significant facts that may enable them to recover the account through our Player Support process (such as transaction history, address history, etc.) by claiming you stole the account.
There’s No Such Thing As A Free V-Buck
We’ve seen the sites online, just like you. Click here, put in your
username, maybe answer a survey question or two, and you’ll get as many
free V-Bucks as you’d like. Those sites aren’t real. They want you to
enter your account credentials into their page (enabling them to log in
as you and create fraudulent charges) or else encourage you to click
down a chain of advertising referrals, getting click-through advertising
money for the person running the site. Under no circumstances are those
sites able to actually grant V-Bucks. Our legal team is constantly
prowling to hunt down those sites.
If you’ve tried one of them in the past, we encourage you to change your password as soon as possible.
Verify Email Address
While it is currently optional, we ask that you please verify your e-mail address associated with your Epic account. This helps protect your account with our two-factor authentication and makes it easier for Player Support to assist you in the event of any anomalous activity with your account.
Player Support Details
Need additional help? Our Player Support team is here for you. We have a Fortnite Help Portal with answers to many of your questions.
If there’s anything where you feel we need to clarify further or something else you’d like assistance with, feel free to e-mail in a request.