As Epic Games ramps up the competition against Steam, one thing that it still needs to work on is ensuring that customers trust it. Just last year, a massive security hole was found in the Fortnite creator's launcher, which allowed fake APKs to be installed on Android devices.
To quell those fears, the company has detailed how it secures user accounts and the steps that it plans to take in the future to strengthen its security measures.
In a recent security bulletin, Epic has discussed that providing security to its 250 million registered users is the primary concern for the company. It boasted how its system has never been compromised and the only breaches that had occurred so far were due to similar credentials being leaked from other compromised websites.
That said, it also pointed out the reason behind some new users being told their email accounts are already associated with Epic Games. The company stated that this was due to a botnet creating "millions of inactive accounts" using leaked email addresses from other websites. Epic is in the process of rectifying this situation by deleting these accounts, but has also suggested that new users who face this problem should reset their account password to claim an account registered using their credentials.
Furthermore, it noted that it is a proponent of multi-factor authentication (MFA), and it plans to roll out SMS-based authentication in the near future as well. The company also made the following recommendation:
Use a unique password for each account. Use a password generator or password manager to keep track of passwords, rather than using passwords that are short and simple.
As an additional layer of account protection, we are constantly monitoring for email address and password combinations that have been publicly leaked from other sources, and automatically lock these accounts to require a password reset upon next login. This security system runs within Epic, utilizing hashed passwords, so your data never leaves Epic.
Additionally, we have begun ensuring security of new passwords by comparing them against the Have I Been Pwned “Pwned Passwords list (v4)” before they are applied to an account, in order to prevent users from securing their account using passwords already well-known to attackers.
Epic also encouraged users to utilize unique passwords across all their services, and noted that it is planning to integrate additional layers of security this year to strengthen account security. These include email verification for new accounts, and automatically locking accounts in case a credential breach occurs, among others.