Epic Games Account Security

4.16.2019
More than 250,000,000 people around the world have Epic accounts. Account security is a top priority of Epic Games. We’re writing this to provide an update on the present and future of security features and practices we use to protect your account.

Attacks on Epic Accounts
The Epic account system powers Fortnite, the Epic Games store, and Unreal Engine. This account system has never been compromised. However, specific individual Epic accounts have been compromised by hackers using lists of email addresses and passwords leaked from other sites which have been compromised.

If you use the same email address and password on Epic as you used on another site which has been compromised, then your account is vulnerable to attack. To secure your Epic account, use a unique password, and enable multi-factor authentication.

If you use the same email address on Epic as a compromised site, but a different password, then your account is not vulnerable. In this scenario, however, you may receive emails from Epic notifying you of login attempts on your account.

Finally, some new users who create accounts are finding that their email address is already associated with an Epic account. This is the result of a recent attack in which a botnet created millions of inactive Epic accounts using known email addresses. We are working to remove these accounts. If you are creating a new Epic account and find one already exists using your email address, you can reset its password to reclaim it.

Enabling Multi-Factor Authentication
Multi-factor authentication (MFA) is the primary tool for protecting your account from unauthorized access. We currently support two methods of MFA: email authentication and app-based authentication. With multi-factor authentication, logging in from a new device, or after a period of inactivity, requires you to enter a unique code during login.

We recommend using a smartphone app authenticator like Authy, Google Authenticator or other services to help store and manage your MFA codes. 

We also support email authentication. When using email MFA, your Epic account is only as secure as your email account, so be sure to properly secure your email account.

In the future, we will also support SMS (text messaging) based authentication.

When you set up MFA on an account that has played Fortnite, you'll receive a free Boogie Down emote in Fortnite. Read this guide to set up MFA on your Epic Games account now!

Password Security
Always choose a strong password when creating online accounts on any platform, including Epic Games. Use a unique password for each account. Use a password generator or password manager to keep track of passwords, rather than using passwords that are short and simple.

As an additional layer of account protection, we are constantly monitoring for email address and password combinations that have been publicly leaked from other sources, and automatically lock these accounts to require a password reset upon next login. This security system runs within Epic, utilizing hashed passwords, so your data never leaves Epic.

Additionally, we have begun ensuring security of new passwords by comparing them against the Have I Been Pwned “Pwned Passwords list (v4)” before they are applied to an account, in order to prevent users from securing their account using passwords already well-known to attackers.
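
A check of this kind can run entirely offline against a downloaded copy of the list, so the candidate password never leaves the server. The Python below is an added example, not Epic's code: it assumes the list's hash-ordered download format of one uppercase SHA-1 and a count per line ("HASH:COUNT"), and the function names, sample passwords and counts are constructed for illustration.

```python
import hashlib
import io

def sha1_hex(password: str) -> bytes:
    """Uppercase hex SHA-1, the key format assumed for the list file."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode("ascii")

def _line_at_or_after(corpus, pos: int) -> bytes:
    """Return the first complete line starting at byte offset >= pos (b'' at EOF)."""
    corpus.seek(max(pos - 1, 0))
    if pos > 0:
        corpus.readline()  # finish the line that contains byte pos-1
    return corpus.readline()

def pwned_count(password: str, corpus) -> int:
    """Binary-search a hash-ordered 'SHA1:COUNT' file (binary mode) by byte offset."""
    target = sha1_hex(password)
    lo, hi = 0, corpus.seek(0, io.SEEK_END)
    while lo < hi:
        mid = (lo + hi) // 2
        line = _line_at_or_after(corpus, mid)
        if not line or line[:40] >= target:
            hi = mid          # first match, if any, starts at or before mid
        else:
            lo = mid + 1      # everything up to this line sorts below target
    line = _line_at_or_after(corpus, lo).strip()
    if line[:40] != target:
        return 0
    return int(line.split(b":", 1)[1])

def accept_new_password(password: str, corpus) -> bool:
    """Policy from the text: refuse a new password that appears in the list."""
    return pwned_count(password, corpus) == 0

# Constructed sample standing in for the downloaded list; counts are made up.
SAMPLE = {"password": 1000, "123456": 2000, "qwerty": 300, "fortnite1": 42, "letmein": 7}

def build_sample_corpus() -> io.BytesIO:
    lines = sorted(sha1_hex(p) + b":" + str(c).encode() for p, c in SAMPLE.items())
    return io.BytesIO(b"\r\n".join(lines) + b"\r\n")

if __name__ == "__main__":
    corpus = build_sample_corpus()
    for candidate in ["password", "fortnite1", "correct-horse-battery-staple-7Q"]:
        verdict = "accepted" if accept_new_password(candidate, corpus) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

Because the lookup seeks by byte offset rather than loading the file, it needs only a few dozen reads per password even on a multi-gigabyte list opened with open(path, "rb").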

External Account Security
Your Epic account is only as secure as the external accounts attached to it, because if an external account is compromised, it can be used to log into your Epic account. It’s important to take all of the same security precautions with your attached external accounts that you would with regard to your Epic account. Utilizing unique passwords and enabling MFA on your external accounts (PlayStation Network, Xbox Live, Nintendo, Facebook, Google) is the best way to remain secure.

Email Verification
In the near future, Epic will require email verification for all new accounts being created. In the meantime, you can manually verify your email via instructions found here.

Compromised Account Detection
Epic’s account system detects many forms of account compromises, and we’re working to add new forms of detection. If your email address is verified and we detect that your account has been compromised, we lock the account to prevent further access and immediately begin the email password-reset process.

Throughout 2019, we will be adding additional detection methods to identify attacks and prevent them from succeeding.

Prior Attacks on Epic’s Systems
Historically, Epic has run other online services not tied into the Epic Games account system. In 2016, Epic’s vBulletin forums were compromised, revealing forum login credentials, which we then reset. Since then, we have upgraded all of our forums to utilize the Epic Games account system.