New reports suggest that last weekend’s The Last of Us Part II leaks weren’t the work of a disgruntled employee, but rather the result of hackers exploiting a security vulnerability to access Naughty Dog’s servers.
Massive spoilers for Naughty Dog’s highly-anticipated sequel found their way online last weekend. Major plot points, pivotal cut scenes, an exhaustive mission list – discovering the game’s narrative beats required little to no effort due to how rapidly the leak spread.
Social media was awash with spoilers. People went to extraordinary lengths to spoil the game for many, to the point of infiltrating completely unrelated threads and discussions to drop a major spoiler on unsuspecting users. During last week’s Assassin’s Creed Valhalla reveal, spoilers even found their way into chat on Twitch and YouTube.
Widely circulated rumors told a story of retribution. A lone Naughty Dog employee pushed to orchestrate the leak due to a contentious pay dispute.
While certainly fanciful when viewed in the context of the NDAs current and former Naughty Dog employees working on The Last of Us Part II will have signed, the story seemed to align with reports of difficult working conditions at the studio.
On Friday, GameIndustry.biz reported that Sony had identified those responsible for the leaks. No association exists between the Naughty Dog/Sony Interactive Entertainment and the leakers, debunking the theory that an employee was responsible. Sony offered no further comment on the matter.
Yesterday, former Kotaku reporter now at Bloomberg, Jason Schreier, took to Twitter to reveal that hackers were behind the leaks:
OK: After talking to two people with direct knowledge of how TLOU2 leaked as well as some Naughty Dog employees, I have a good idea of what happened. Short version: hackers found a security vulnerability in a patch for an older ND game and used it to get access to ND’s servers.
It appears the hackers captured the leaked footage from an older build of The Last of Us Part II:
I think the footage that leaked is from devs playing an early build (I haven’t watched it). Most importantly, rumors of this being an act of protest by a contractor whose pay was robbed are not true. (ND actually extended pay and healthcare benefits for contractors due to covid)
A hacker group discovered a method for accessing the Amazon servers for Naughty Dog games using what was essentially password information included in the code for the studio’s games, including 2011’s Uncharted 3 and 2013’s The Last of Us. Those games access the servers for multiplayer functionality but apparently could also be used to fetch files stored there.
Interestingly, hackers obtained over a terabyte of game data, and one of the hackers reportedly notified Naughty Dog about the exploit back in February. Naughty Dog allegedly took until April 30 to fix the vulnerability.
It’s safe to say that we can put the disgruntled employee rumors to bed definitively. The reality is, for better or for worse, far less thrilling.