Hackers Targeting FFXIV Twitch Viewers

We saw it once awhile back- a Twitch channel that, at a quick glance looks like it could be the official channel for Final Fantasy XIV. Though often it might have unnecessary underscores, or the odd choice of having an ‘l’ where an ‘I’ should be.

More recently however, hackers have been taking to impersonating Twitch streamers from the Final Fantasy XIV community. They do this by creating a similar channel name, and by stealing, and re-streaming the content of that streamer. Typically, they’ll use some message like “Double EXP Weekend” or “streamer is quitting” to try and lure viewers in.

At the bottom of their page, is a single link to what appears to be an official Square Enix site where you can log in to either get your Double EXP code, or to see the full forum post why that streamer is quitting the game. It’s here that you’re asked to login. Username. Password. Authenticator code.

A thread on r/ffxiv has recently appeared wherein multiple people have apparently fallen victim to these tricks. If that’s not bad enough already, it appears that those that have fallen for this trick are getting their accounts hacked into- even if they have two-factor authentication on their account.

The running theory is that a keylogger grabs all of the information you input into the form, including your 2FA code, and then proceeds to DDOS you and log-in to your account during the short period where the 2FA code is still valid.

Regardless of the technical details of it all, we would like to remind everyone here of the following:

  • Square Enix/Final Fantasy XIV have never given out codes for “Double EXP”
  • You do not have to log into the Final Fantasy XIV forums to view a post on them
  • If something seems off, double check the name of the channel and make sure it doesn’t appear misleading
  • If something sounds odd, or to good to be true- it probably is
  • If a channel is promoting something using comic-sans, turn around. It’s likely a scam. (or at best someone with a bad sense of design)

With Final Fantasy XIV: Shadowbringers Early Access starting next week, it’s likely that those behind these false accounts will be out in full force. Please be extra vigilant when watching, and don’t input your log-in credentials into a page linked on a Twitch page.

Thank you to @NKato for bringing this to our attention.