Originally posted by
Like this person here and here, I too was a victim of a compromised account, and with the CREDIT CARD on file, I was charged nearly $500 in V-Buck purchases, with MANY more attempted, upwards of $1,000. I am honestly terrified, and I have no idea what to do as I have 25 dollars left in my account, and I don't have enough to pay my bills (no sob story, just the truth). I have sent 2 separate e-mails, one pertaining to my account name and password being changed, and another through their proper form. I can't call the bank as it is far too late right now, and the game was bought with the card on file as a gift (Any payment option has since been promptly deleted).
I am meticulous with my Internet security, so I am not only financially wounded, but also at a loss for how my account was compromised.
Edit: It appears that Epic has promptly corrected the problem and returned the money. I have since cleared my 5 most recent passwords, and reinstalled my OS (It needed it anyway).
Edit 2: I appreciate the insight. For those of you who keep asking about the correlation, I really don't know. I pretty much only play Overwatch, and honestly haven't played Fortnite since the beginning of January. No password sharing, and as far as I can tell, I wasn't phished. I always opt for any 2FA whenever it is an option, but normally in these circumstances, the support sends a warning message to my email and tells me where the suspicious IP is from, and none of this happened. Best advice is to remove any form of payment, as in my case, they simply changed password, logged in game, and bought V Bucks with one click and no CCV authorization.
Edit 3: Epic has been very forward and helpful. Everything is now fixed, and in proper order. Here is a screen of the responding emails, and here is the confirmed refunding (multiply by 4+extra 59.99)
As a show of good faith, they allowed me to keep the purchased items (was indifferent either way, but still very appreciated) and promptly changed my Username to what was desired. Mistakes happen and while no doubt an inconvenience, Epic Games reacted accordingly. Thanks is in order.
PM me your display name, we'll get it taken care of today.
Editing this comment to add additional details.
One common theme that we've seen across all accounts so far (from those of you who've spoken with me over PM) is that they all show up on https://haveibeenpwned.com/ as having username/password combinations leaked in at least one dump. This is not meant to shame the users. My email address shows up there in at least ten different leaks.
We're working to put out additional guidance on account security as well as implementing 2FA, but in the meantime I'd encourage everyone who reads this to go check their e-mail address against that service.
As a general security practice, you should use unique passwords for every service. That way, if site-X gets compromised, the bad guys won't be able to retry that username/password against every other service (credential stuffing). You should then utilize some kind of password manager to manage those unique passwords for each service, in order to ensure that the passwords are appropriately complex.