Gaming community giant ESEA suffered a major cyberattack at the end of December, resulting in the compromise of over 1.5 million players’ details, it has emerged.
The details which ended up on LeakedSource included user names, email addresses, birth dates, postcodes, phone numbers and enough other information to construct convincing follow-up phishing and fraud attacks.
No financial details were stolen in the process and ESEA passwords were secured with bcrypt – an algorithm which the firm described as “industry best practice”, but in reality can be cracked by determined hackers.
It’s still unclear exactly how the hackers got their hands on the data.
They first made contact with ESEA on 27 December through the firm’s bug bounty program, demanding a ransom of $100,000 to not release the data, according to a security notice.
ESEA claimed to have patched the vulnerability exploited by the hackers by the end of December and instituted a password reset for users.
However, the following week the hackers were able to do more damage, this time by editing the community feedback system (Karma) and stealing IP.
It explained:
“Several pieces of intellectual property that were stored on our game servers (game server plugins for CSGO) were exfiltrated from the compromised game server. This is how we operate our game servers and NOT associated with user data. In order to further secure the game servers, we moved up planned maintenance and security updates for our infrastructure. We were able to verify that no personal identifying information had been compromised from this incident. Karma was restored while we performed other updates to the ESEA network, which resulted in service outages.”
ESET IT security specialist Mark James, argued that the Steam ID, Xbox ID, and PSN ID data stolen in the hack is likely to be used in further scams.
“Gaming entities and online profiles can be worth ‘real life’ money, not to mention in some games the ability to sell in-game items for actual money can reap large payloads for some unscrupulous individuals,” he explained.
“Gaining access to those accounts can be achieved by many ways, using malware to harvest login credentials or phishing scams to either trick the user into entering their details to ‘keep their account safe’ or trying to validate a scam email by including something they can relate too. The details leaked from this breach could enable someone to do just that.”