From the Mass Effect 3 debacle to last year’s disastrous SimCity launch, things always seem to go badly for video game goliath Electronic Arts around the time of our Worst Company In America contest; perhaps that’s why EA is the two-time reigning champ. The latest gaffe involves a hacked EA web server that appears to have been used by scammers in an attempt to steal folks’ Apple ID credentials.

Netcraft.com noticed that two websites within the ea.com domain were suddenly asking visitors to enter the ID and password for Apple’s online services. First users filled in that information and were then sent to a second screen and asked to enter information that is even more sensitive — full name, card number, expiration date, verification code, date of birth, phone number, mother’s maiden name — before ultimately being directed to an actual Apple website to give the appearance that they had successfully logged in.

According to Netcraft, the most likely point of entry into the server was a vulnerable, outdated version of WebCalendar.

“The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network,” writes Netcraft’s Paul Mutton.

When reached for comment by the BBC, a rep for EA said it had fixed the problem.

“We found it, we have isolated it, and we are making sure such attempts are no longer possible,” said the rep.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.