What to do with repeat e-mails re "a series of unsuccessful login attempts"

Sorry, but I cannot find a better place to ask this.

I have been getting rather regular e-mails from Epic (or what is made to look like Epic) with the following content:

Re: Epic Games - Help Protect Your Account
Unsuccessful Login Attempts
Hi X!
We detected a series of unsuccessful login attempts for your Epic Games account.
We strongly encourage you to enable Two-Factor authentication for additional security and to prevent your account from being locked in the future. Please see this blog for extra information on how to protect your account.
Kind Regards,
Your Friends at Epic

Is that indeed from Epic? My passphrase is >15 characters, translating to >>10^35 permutations. Is there anything (outside of two factor authentication, which for several reasons I will not use) that I can do in addition?

Thanks

It’s people attempting to get into Epic accounts because of Fortnite; really, all you can do is make sure your password is strong and enable two factor auth.

15 characters that aren’t dictionary words with some numbers and symbols should keep you safe.

May I ask why you don’t use 2FA?

Hi there,

Sorry to hear you are experiencing this; it is happening because hackers are attempting to access your account. Here’s some info posted by Epic detailing the hacking attempts (and successes unfortunately) being carried out by a group of Russian hackers, and what Epic is doing to combat it. There were large “dumps” of email account usernames (or email addresses) and passwords posted to some hacking forums a while back and the hackers use “credential stuffing” (automated injection of breached username/password pairs in order to fraudulently gain access to user accounts) to gain access to accounts on other websites that use the same password.

The hackers are targeting Epic account holders with payment options to fraudulently purchase Fortnite V-Bucks, which they are then reselling on some shady websites.

First thing to do is change your email password (if you haven’t already done so). If you use the same password as your email account on any other websites, change those passwords AND your email password immediately to prevent more accounts being hacked. That includes your password on this website. See the security bulletin I linked above for more details.

Next, enable 2 factor authentication on your account here to further prevent them from being able to access your account. Whenever you log in from a new computer you will need to enter a code that Epic will email to you before you’re allowed access; this provides an additional layer of security. Doing this should also reduce or eliminate the number of unsuccessful alert emails you receive. I also highly recommend adding 2FA to all of your critical accounts (email, banking, credit card, PayPal, etc).

If 2FA is already enabled here, it probably means they know your password since the 2FA screen is only shown after entering your user/pass. Changing your password (make it completely different; they use automated programs to guess passwords similar to your current one) should eliminate these emails.

You can also check whether your email account(s) have been exposed to hackers. The haveibeenpwned.com website will allow you to see whether your email address has been included in any of the data breach “dumps”. If it has, you do not need to stop using the account (unless it concerns you) but you should increase your security on that email account by using a stronger/longer password (preferably with a mix of upper/lower case letters, numbers, and symbols), and changing your passwords regularly. I recommend using a password manager such as LastPass, Dashlane, 1Password (those 3 need to be purchased), or if you’re on a budget try KeePass. I use KeePass myself and it works just as well as the paid products to store your passwords, and they even include a random password generator to create strong passwords.

Lastly please make sure you do not have any payment options saved to your account, especially if you are getting the “unsuccessful login attempt” emails. You can add them back in when you need to buy something, but make sure you remove it again afterwards. Leaving this info stored in your account is a potential security risk that just isn’t worth it.

Hope that helps to stop the emails.

Thanks very much for the detailed information.

I have used the haveibeenpwned.com website and found I have been pwned multiple times, though not in any way that would put the integrity of my Epic account in question. As stated above, I am using a unique and rather strong password, but 2FA is not enabled (as to why, my computer sits in a basement, where the airwaves do not reach).

That said, I have not yet seen any indication that the account has been compromised. Only that there were attempts to hack into it. If anyone were to succeed in getting access and buying V-Bucks, would I get a notification on the successful purchase? However, just in case I have deleted the payment information included with my account, and will not save it again.

What always puzzled me in this context: It seems these hackers can process 40 billion login attempts per second in brute force attacks. It would still take them some 10^20 yrs to hack my password that way, but it would seem such an easy fix to limit login attempts from one IP to 1 (or 5?) per second. But I guess these self-deluded individuals have ways around such measures?

The 2FA used by Epic is through email so you should enable it, and it has stopped the emails for other users. You only need to enter it once for your PC; I have mine enabled and it’s been a few weeks since I had to use it. I believe it’s tied to IP.

Likely they use IP spoofing so it’s not the same IP trying to get in, but I’m not sure about that.

Hopefully Epic will find a way to eliminate this problem soon, but for now 2FA is your best option.
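
The per-IP login limit asked about in this thread, as an added example (not written by any poster and not Epic's code): a sliding-window counter over constructed failed-login records shows that a limit keyed on the source address misses failures spread across many addresses, while the same limit keyed on the account catches them. The record layout, thresholds and all names are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample data: (seconds, source_ip, account) for failed logins.
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
FAILED_LOGINS = (
    # Six failures against "alice" within a minute, each from a different address.
    [(t * 10, f"203.0.113.{t + 1}", "alice") for t in range(6)]
    # One address failing against "bob" six times in six seconds.
    + [(100 + t, "198.51.100.7", "bob") for t in range(6)]
    # A single ordinary typo by "carol".
    + [(200, "198.51.100.20", "carol")]
)


def flag_by_key(events, key_index, window_s, limit):
    """Return keys with more than `limit` failures inside any window of `window_s` seconds."""
    recent = defaultdict(deque)  # key -> timestamps still inside the window
    flagged = set()
    for event in sorted(events):
        ts, key = event[0], event[key_index]
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window_s:  # drop timestamps that aged out
            q.popleft()
        if len(q) > limit:
            flagged.add(key)
    return flagged


def distinct_sources(events, account):
    """Number of different source addresses seen failing against one account."""
    return len({ip for _, ip, acct in events if acct == account})


def report(events, window_s=60, limit=5):
    by_account = flag_by_key(events, 2, window_s, limit)
    return {
        "ips_over_limit": flag_by_key(events, 1, window_s, limit),
        "accounts_over_limit": by_account,
        "sources_per_flagged_account": {
            a: distinct_sources(events, a) for a in sorted(by_account)
        },
    }


if __name__ == "__main__":
    print(report(FAILED_LOGINS))
```

A flagged account with many distinct sources is the pattern a per-IP limit cannot see; responses such as a step-up challenge or a notification to the account owner are keyed on the account for that reason.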

The problem is, my IP also changes due to the way my provider has the service set up; hence, I would likely have to go through the process every time I log in.

But I will give it a try, regardless. It IS the more secure way of doing things, I know. Feels like two condoms, too.