As one of my favorite anime titles reads, “No Game, No Life.“
Video games are a normal part of my daily routine and one of the best ways I deal with stress. You could say I’ve been playing them since I was old enough to walk.
So imagine my annoyance when someone tried to take that away from me. My oldest gaming accounts recently got hit with strange two-factor authentication requests.
Because I didn’t take them seriously, I got kicked out. The past 48 hours have been a comically frustrating cycle of retrieving them (no thanks to the support teams).
The experience made me realize I’m not as security-conscious as I thought. I’m fixing that now.
How I brawled for my accounts
It was me versus an unknown enemy
Days ago, I started getting random 2FA codes via Gmail. They came from Ubisoft, PlayStation, and Electronic Arts, which the email service flagged as spam.
I ignored them at first and assumed they were phishing attempts.
In the worst case, it could just be my nieces. They’d used my Premium subscription to download Brawlhalla and other titles in the past.
I became unsettled when I got more emails. The intruder managed to change my EA account address to theirs. The platform showed me the new one, but it was unfamiliar.
That’s when it clicked. I was about to lose data I’d had for more than a decade. Some date back to 2014, with the newest one sitting around 2022.
My EA and PSN accounts alone carry years of game history covering The Sims, Assassin’s Creed, my newly purchased copies of Last of Us: Remastered and Baldur’s Gate 3, cloud backups, and more.
The accounts were also linked to important virtual credit cards. Losing them wasn’t an option. The next 48 hours became a scramble.
Luckily, the intruder was slow. It bought me enough time to trigger my own password and email resets, and change 2FA methods with passkeys.
I’d unblocked the email alerts and followed instructions to recover the accounts.
EA’s recovery process was surprisingly easy. PlayStation required a few more steps, but I was successful.
Ubisoft, however, has been a headache. Its verification system barely works, and linking alternate accounts was useless.
It also didn’t help that its support team was unresponsive. I could potentially lose the account forever.
Hacking can happen to anyone
Being careful only reduces your chances
I’ve never been hacked before. I’m among those people who hype account security. I’ve written about it numerous times, and I’m always advocating for authentication apps over SMS.
So it was humbling that I still had old profiles floating around with little to no protection at all. It seemed enough to avoid questionable websites and adopt the best practices.
It now bothers me that I have forgotten data scattered across the internet. My attacker had access to the 2FA codes sent to my email, which meant that they were already past the first barrier.
I wondered how long they’d been lurking in my email, and whether they’d tried this before without me noticing.
I’ve been combing through every account I can remember since I had that thought.
I downloaded the PrivacyHawk app on my Android phone and plugged in my email to see connected accounts. I combined it with the Results about you feature in the Google app for the wider results.
To my horror, there are over 198 accounts with my personal details. I found a Sporcle quiz account, my old Tumblr profile, and even one for DoorDash.
I don’t even use the food delivery service, nor is it supported in my region.
Regardless, the unwanted accounts are mostly deleted. Since PrivacyHawk had limitations on the free tier, I had to visit each scanned website and wipe details for those I could access.
Internet security isn’t a passive matter
Since the hack scare, I’ve gone out of my way to clear saved passwords and switched to keeping my own manual records.
I’ve also strengthened my Google account password and revoked every device session.
These actions may make future sign-ins slower than letting my devices autofill everything. But it’s part of many inconvenient steps I’m taking to reduce my digital footprint.
That said, your internet identity is your responsibility.
One common myth is that security features like 2FA and passkeys are things you set up once and forget. They’re not.
They only work best if your recovery channels are also secured. It’s important to cover any gaps in your accounts before someone else finds them first.
