Activision Confirms Data Breach Exposing Plans for Call of Duty, Employee Data

A data breach has exposed internal data of Activision, including info on its plans for Call of Duty, after an unwary HR employee fell for a phishing attack, the gaming studio has confirmed.

Malware research group vx-underground broke the news Monday that Activision suffered a data breach in December after the successful phishing of a “privileged user” on the company’s network.

“They exfiltrated sensitive work place documents as well as scheduled to be released content dating to November 17th, 2023,” the group said.

Industry news outlet Insider Gaming spoke with vx-underground and learned that the leaked files were passed on to them by “a single individual who was unable to sell the contents of the breach.”

The hacker allegedly phished a human resources (HR) employee to gain access to their computer, “which the hacker was able to scrape easily, gaining access to the information.”

The leaked data contains plans for the future of Activision’s massively popular Call of Duty franchise, such as upcoming downloadable content.

The leak was also (initially) said to include sensitive employee information, including full names, emails, phone numbers, salaries, places of work, and more.

However, a spokesperson for Activision refuted those claims yesterday, telling inquiring news outlets:

“The security of our data is paramount and we have comprehensive information security protocols in place to ensure its confidentiality. On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed.”

Screenshots shared by vx-underground show that the threat actor tried to phish several more employees who were wary enough to avoid the trap.

Unfortunately, the same people failed to inform Activision’s security department about the attempted hack.

The studio has yet to issue a formal data breach notice.