Hackers breached a security system for the video game platform “Hack the Worlds” and stole $4.7 million, according to security firm FireEye.
The attack was discovered by researchers at FireEye and is being investigated by the Federal Bureau of Investigation.
FireEye’s research uncovered the hack during the “Hack The World” contest, in which video game fans submit their own creations for the contest’s $6 million grand prize.
The researchers also discovered that the hackers could easily copy user data and even steal passwords.
The hack involved the same security vulnerability that was exploited during the 2014 “WWE 2K17” hacking spree that caused a $40 million hack of WWE’s YouTube channel.
The hackers stole user credentials and information including email addresses, YouTube usernames and passwords, and the login information for the account holders.
In the event that an attacker breached the security of an individual’s account, they could gain access to their full YouTube account and all the content that they had uploaded to the platform.
Firefall also discovered other security vulnerabilities, including the possibility of a “dictionary attack,” which was used to steal the username of an account holder from their account.
“In the case of ‘Hack The Worlds’ Hack the World, the attacker exploited the same vulnerability found in the WWE 2K18 hacking spree and used it to steal credentials from a number of accounts,” FireEye said in a statement.
“This breach was the result of a large-scale, coordinated breach of multiple YouTube accounts that was perpetrated by a large, well-funded and well-organized criminal group.”
FireEye researchers said that the attack could have been carried out “under the cover of darkness” if the attackers were aware of the flaw.
“The hack was likely done using an unauthorized, unpatched network,” the researchers said.
“An attacker who has full access to a video game account could potentially be able to remotely control a number of individuals’ accounts, as well as potentially upload or download content from any video game channel that they are in control of.”
Firefall said that it found no evidence of video game users being the intended victims of the attack, but the company said that there was a “possibility” that the breach might have been a result of “bad actors exploiting YouTube’s platform to gain access.”
The hackers are currently being investigated.