Final Fantasy head gear

Credential stuffers take aim at Final Fantasy XIV players

Square Enix, the company behind video games like Final Fantasy XIV, reports that a third party is attempting to gain access to its Account Management System.

How is this happening, and what are the risks? More importantly, what do you need to do to ensure your accounts are safe from harm?

Credential stuffing

Square Enix notes the following in relation to these compromise attempts:

[The attackers] are using a combination of email addresses and passwords that appear to have been obtained from other online services of other companies.

In other words, logins guessed, stolen, scammed or leaked from other websites—weeks, months, or even years ago (or all three)—are now being tried against the system responsible for Final Fantasy logins in a systematic “credential stuffing” attack.

People often use the same password on multiple websites and services. This can scale upwards in gaming circles, where:

  • Younger users may not be interested in creating different passwords, and may struggle with the idea of using password managers.
  • They end up with so many gaming logins via related platforms, services, or even individual titles that it’s easier for them to reuse one password for every login.

This is fertile ground for scammers, and once an account is hijacked all manner of mischief is on the table. They can be sold, traded, or have valuable digital items syphoned off to who knows where. All in all, not the best situation for fans of any title to find themselves in.

Warding off the threat of compromise

This is very much something where people who think they may be at risk can take proactive steps to lock down their account. As Square Enix puts it:

Using the same email address and password combination for your Square Enix account as you do for other online services increases the possibility of a third party gaining unauthorized access to your Square Enix account. Furthermore, even if your email address and password combination is not identical to those used for other services, there is still a high risk of your account being compromised if your password contains easily discernible patterns or sequences of characters, such as your date of birth.

  • Familiarise yourself with password management tools, and save yourself the hassle of worrying about reused credentials. As a bonus, some manager tools with autofill enabled won’t work on bogus websites so if you ever land on a phish, it won’t work and you’ll know instantly that you’re on the wrong site.
  • Make use of the Square Enix app which secures your account with One Time Passwords whenever you login. If the worst does happen and a scammer obtains your login details, they won’t be able to access your account unless they also somehow manage to obtain your OTP code. A word of warning here: Phishers increasingly do target additional forms of verification, occasionally asking for codes on fake websites. This is where combining your OTP habits with a password manager looking for bogus pages will pay dividends.

Accounts which may have been compromised will find their access restricted for the time being, and are being sent instructions to reset their passwords. With any luck, this particular attack will fizzle out as word spreads of the tactics and the publisher continues to shut down the bogus login attempts.

Stay safe out there!


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.