before EA was even breached, Engelberg and his team reportedly tried to warn the company that at least six (now 10 according to Engelberg) vulnerabilities left multiple domains and other assets exposed online. While 15 EA sites served login pages over HTTP as opposed to HTTPS which is more secure, others contained DNS misconfigurations that made them vulnerable.
While speaking with ZDNet, Engelberg recommended that large organizations like EA should decommission unused subdomains and keep their certificates up to date in order to protect their networks from similar attacks.
As Cyberpion told its side of the story to ZDNet, so too did EA with a company spokesperson saying the cybersecurity firm approached them about being a potential vendor. However, according to the spokesperson, Cyberpion did not provide EA with a full list of vulnerabilities and was more concerned about arranging a sales meeting to “show of their techniques”. At the same time, the firm did not follow EA's product security vulnerability disclosure process.