Over the weekend, Pokémon source code, art, and other documentation quickly spread across social media and other internet forums. Where did it come from? Game Freak confirmed last week it had been hacked, with more than 2,600 pieces of employee data taken. It didn’t confirm the massive heist of its game data, though, but the game data likely originates from that same breach. A hacker alleged they’d acquired 1 TB of data, including source code for Pokémon Legends: Z-A and the next-generation Pokémon games, on top of builds of older games, concept art, and lore documents. Troves of information have already been released — and more will be uploaded to the internet, according to the hacker.
How do video game companies like Game Freak keep getting hacked?
Simply put, this is likely one of the biggest leaks in Pokémon history. It rivals notorious ransomware group Rhysida’s 1.67 TB leak of hacked Insomniac Games data, which was released in December last year, and a Rockstar Games hack from 2022 in which unfinished Grand Theft Auto 6 footage was published early. These hacks are always huge news because the video game industry is famously secretive, building hype through carefully planned teasers, trailers, and announcements. That hype is valuable to developers and publishers, but also to leakers looking for clout online, hackers looking for ransom, and players eager to consume anything about their favorite franchise. But how does this keep happening?
Phishing attempts happen a lot, and they’re not unique to Game Freak or any other video game company, Akamai cybersecurity researcher Stiv Kupchik told Polygon. But the audience for leaked information is huge, which means widespread attention. Video game fans clamor for this type of content.
“There’s intense interest by the fans of the product about what’s coming, what people are thinking, and so on and so forth,” said Justin Cappos, a New York University professor in the Tandon School of Engineering. “At least I know when I was a young boy and playing around with computer games and things like that, one of my favorite things to do was to break into my local copy of the game and reverse it and change it and make it do different things. So nowadays, there’s obviously a lot of people that are quite interested in this, and video games are especially an easy target, which also makes them attractive for people like cyber criminals.”
Cappos said video game companies often prioritize other things beyond security: They focus on systems that allow quick development, often using “large teams that tend to be overworked.” Nintendo is good at its security, said Cappos, but things can get hairy when it comes to Nintendo’s different partners. “One of the hard things about playing defense is that you have to play defense correctly all the time,” Cappos said. “You can’t slip up once. And so it doesn’t matter if two of the three companies did a good job. One of them messes up and you’re in trouble.”
Adam Marrè, chief information security officer for cybersecurity firm Arctic Wolf, added that video game companies tend to be targeted because they may be more inclined to pay ransom to keep unreleased content offline.
There doesn’t appear to be any ransom at play in Game Freak’s recent breach, but screenshots of a reported Game Freak employee’s Nintendo developer portal suggest the hacker gained access to the files in a social engineering or phishing scheme — as with the Insomniac Games and Grand Theft Auto 6 leaks. However, in both Rockstar Games’ and Insomniac Games’ cases, known hacking groups claimed responsibility for the leaked information. A group called Lapsus$ claimed responsibility for the GTA6 breach, whereby a 17-year-old hacker used phishing and social engineering methods to gain access to Rockstar Games’ company Slack channels. (The hacker was sentenced to indefinite custody at a hospital.) A different group, Rhysida, claimed responsibility for the Insomniac Games leak; Rhysida is known for using phishing attacks to gain access to servers. The motivation for Game Freak’s recent hack isn’t clear — but sometimes, it can be led by clout.
“Gaming is a very high-profile industry,” Arkose Labs CEO Kevin Gosschalk said. “Many of the attackers targeting the gaming industry are also gamers who are just interested in leaking upcoming games. It’s high-publicity and gives them a lot of clout.”
Social engineering and phishing don’t necessarily require special tools or technical skill: Instead, hackers using these methods try to trick a victim into providing access to an account or downloading malicious software. Cappos said research shows that 20% of people who get a credible phishing attempt — “not just a random Nigerian prince email,” he said — fall for it.
“Phishing works by enticing the victim into sharing sensitive credentials or access tokens, or executing commands or files sent by the attacker,” Kupchik told Polygon. “Just like in traditional fishing, it starts with a bait — it could be an email, a document, or a website, appearing legitimate but in fact under the attacker’s control. The victim would think they’re downloading legitimate software, or logging into an internal site, but instead they would be delivering their credentials to the attackers or run malicious payloads unsuspectingly.”
The “easy” part is getting those credentials to log in, RSA Security senior manager Lorenzo Pedroncelli said. The hard part is getting past the multi-factor authentication that secure platforms may also require — that’s where social engineering comes in. “If you don’t have MFA in place, then a phished email, password, or other credential can do a lot more damage,” Pedroncelli said. Cappos added that SMS-based authentication is less secure than other types, but there are still ways in. “Usually what happens with most of the authentication-based hacks is that they don’t have multi-factor authentication enabled everywhere,” he said. “Some people have it, some people don’t, and they’re able to find a way to get in through people that have more access than they should and don’t have multi-factor authentication enabled.” Otherwise, an attacker has to trick a person into giving their MFA codes up. (Cappos recommends you use secure multi-factor authentication and keep your software up to date, because the latter can be yet another way folks get in, by exploiting out-of-date software.)
The latest Game Freak leak is a much different sort of leak than, say, the time that someone took photos of the Pokémon Sword and Pokémon Shield strategy guides ahead of the games’ release. The Pokémon Company settled a lawsuit in 2021 with the people who leaked those photos on Discord, ordering them to pay $150,000 each. In that previous situation, the information that was leaked was limited to things that were printed inside the strategy guide, like new Pokémon. It was information that The Pokémon Company didn’t want out, but it’s a lot less serious than what’s been shared online from this massive recent hack. It’s also a different scenario than when employees leak information to the press, like with Fallout 4’s setting, or when Microsoft accidentally uploaded redacted court documents to a file repository associated with the Federal Trade Commission v. Microsoft case.
Cybersecurity experts who spoke to Polygon say it’s too early to fully understand the impact or motivations of the hackers; Insomniac Games was hacked by a ransomware group, and their stated interest was financial. The person who hacked Game Freak appears to have some affinity for Game Freak and Pokémon: They claimed to have source code for Pokémon Legends: Z-A and the next-generation games, but reportedly said they “will not ruin those game’s releases.”