(Credit: Epic Games, Inc.)

With Fortnite reportedly making billions just in 2018, it's basically the biggest game that civilization has come up with since the invention of checkers. And if you're a student of history, you know that a gold rush can attract some unsavory people who want a cut of the action -- and they aren't particularly concerned with legality or ethics.

As such, Fortnite's security systems have been relentlessly poked and prodded by both the malicious and the benevolent, which brings us to a recent report from Check Point Research, who says that the login page on the Fortnite website has security weaknesses that can be used to intercept someone's password and username.

SEE: How to play Fortnite Mobile and win: A guide for beginners

The main concern with unauthorized access to your account is that a person could view your personal info, including your email address, full name, payment info and your username on other devices where Fortnite is available. Fortnite players can also optionally add their mobile phone number, street address and the name of the company they work for.

Meanwhile, the BBC reported last month that selling stolen Fortnite accounts has become a cottage industry in its own right, with teens in the UK making thousands of dollars a week, as part of a coordinated effort that spans the globe.

When your account is stolen, your password is changed, preventing you from logging in.

The thief will also change the email address associated with the Fortnite account, so that a password reset email will never reach you. They may also add two-factor authentication to the account, so that you can't even guess a password. Once this process is complete, it can be difficult to prove that you are the rightful owner.

What you can do to protect yourself against this flaw

First, a brief explanation of how the hack works, according to Check Point Research: A malicious hacker sends you a link to a version of the Fortnite login page where the hacker has added some tricky JavaScript code. This code takes you to a website crafted by the hacker when you attempt to login, and this other site makes a second authentication request, which is now intercepted, allowing the hacker to pose as you.

FOLLOW Download.com on Twitter for all the latest app news.

Fortunately, you can force this interception method to deal with two-factor authentication (2FA). With app-based 2FA, such as what you use with Google Authenticator (download for iOS or Android), the free app generates a new six-digit code every 30 seconds, which must match up with a code that's being generated on Fortnite's side at the same time. You enter this code after entering your password and username.

Epic Games, the maker of Fortnite, enabled app-based authentication last year, and we can walk you through the process, which should only take a few minutes and is free of charge.

Since only Fortnite and your app have access to this code, and the code is necessary to complete your login, anyone without it can't get in, even if they've acquired your user name and password.


  • Check Point Research reported a flaw on the login page of Fortnite's website that they say could be used intercept your account name and password.
  • However, you can deflect this attack by enabling app-based two-factor authentication now on your Epic Games account.

Read more

Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.