GAME OVER: top 10 data breaches in the gaming industry
Hacking and gaming go hand-in-hand. In fact, “game-modding” (an alteration of a video game that changes one or more its aspects of a video game, ranging from small changes and tweaks to complete overhauls) might be the first experience of programming for many cyber professionals, including those who later engage in criminal activities. For example, a legendary hacktivist Jake Davis admitted that his first experience of hacking was accessing Windows registry files when playing Paintball 3D of Windows XP and later creating gaming cheats for Diablo.
Nowadays the gaming industry is facing a never-ending battle between the production companies and hackers offering gamers mods and cheats, which are essentially malware, and sometimes a very sophisticated one.
No wonder data breaches in gaming are also very often. Highly anticipated releases are regularly leaked before the official premieres. As a matter of fact, any game can be attacked. For example, in April 2020, the source code and design files for the Nintendo 64, Nintendo GameCube, and the Nintendo Wii were leaked online. According to the user reported the breach, this is a result of "a server hack related to the BroadOn company, who Nintendo hired for developing most of the Wii hardware and software." The leak does not pose any risks to the users, but it will allow users to create emulation files for the old games and make it harder for the company to re release their iconic products.
User safety is also an issue. Account hijacking can result in gamers losing years of achievements and even money through connected credit cards and PayPal accounts. How possible is the attack? Highly possible! The largest catalog of hacked accounts by Breach Report includes more than 500,000,000 hacked users accounts of games and gaming forums.
Here are the top 10 gaming data breaches that took place over the last 2 years (by size):
1. Zynga.com: 26 083 520 hacked accounts in 2019
The breach initially exposed encrypted user email addresses, names, usernames, phone numbers, Facebook ID’s (if connected) and passwords. The Words with Friends team used SHA-1 (Secure Hash Algorithm 1) encryption algorithm to store user information, unfortunately it didn’t take long for the clear text file to appear on the dark web hacking forums. Read more in our article.
2. Armorgames.com:11 013 617 and 2 817 432 hacked accounts in 2019
The first breach compromised 11 million accounts containing usernames, email addresses, IP addresses, hashed passwords, and birthdays of administrator accounts. The second leak contained login credentials, birth dates, email addresses, and decrypted passwords.
3. 17173.com: 9 755 600 hacked accounts in 2018
More than 18M accounts were compromised. The leaked file contains email addresses, usernames, plaintext passwords, and MD5 hashes of passwords.
4. BlankMediaGames.com: 7 787 467 hacked accounts in December 2018
Compromised data included email addresses, usernames, passwords, IP addresses, purchase histories, and other user specific information.
5. StrongholdKingdoms.com: 5 817 649 hacked accounts in July 2018
The breach compromised 5 million accounts containing email addresses, SHA-1 hashed passwords, and usernames.
6. Roll20.net: 4 007 580 hacked accounts in 2018
The breach in February compromised around 4 million accounts consisting of usernames, first and last names, email addresses, last four digits of credit cards, IP addresses, bcrypt salted and hashed passwords and gaming data. Accounts were found for sale on the dark web.
In December that year, a file surfaced on the web with 1,115,650 user accounts containing usernames, email addresses, and decrypted passwords.
7. 2Games.com: 3 427 139 hacked accounts in December 2018
The breach exposed email addresses and plaintext passwords.
8. Stalker.so:1 418 580 hacked accounts in May 2020
The attack compromised email addresses and a combination of plaintext, and MD5 and bcrypt hashed passwords.
9. FlashGames.it: 1 056 702 hacked accounts in April 2020
The leaked data includes email addresses and plain text passwords.
10. Gamesalad.com in February 2019
The incident exposed email addresses, IP addresses, and passwords stored as SHA-256 hashes.
Gaming forums are also regularly targeted:
1. Xbox360.com: 1 935 458 hacked accounts in September 2015
Xbox360 gaming forum powered by Microsoft suffered a data breach. The attack compromised email and IP addresses, and passwords.
2. dev.dota2.com: 1 487 875 hacked accounts in July 2016
The attack on Dota 2 Developer Forum, one of the largest MOBA games on the market. The hacker exploited the vulnerability of the forum and got access to users' emails, passwords, usernames, IP addresses, and user IDs. Passwords were hashed with the MD5 algorithm, and researchers were able to convert approximately 80% of the passwords to plaintext form.
3. WoWProgress.com: 1 208 710 hacked accounts in October 2018
A file belonging to the website on World of Warcraft surfaced on the web compromising emails and plaintext passwords.
5. forums.capitalgames.com: 645 820 hacked accounts in 2019
The site about Heroes of Dragon Age was hacked exposing usernames, IP addresses, email addresses, and salted hashed passwords.
6. InvisionGames.org: 649 966 hacked accounts in 2020
Hackers compromising email addresses and plaintext passwords.
Even if the games you play haven’t been mentioned above or in this catalog, it doesn’t mean you are safe. New databases are offered regularly in the darknet. Also, criminals widely use credential stuffing, automated injection of previously breached usernames and passwords to gain access to other user accounts, including financial services. This is why data leaked some time ago is still in demand in the darkweb. The number of accounts featured in those files may be compared to a population of a megapolis. And passwords are often decrypted because the hackers had enough time to do it. For example, in April 2020 such thing happened to a gaming service OMGPOP.com which was bought by Zynga Inc in 2013. The file leaked consisted of 7,052,110 email addresses and decrypted passwords.
Don’t remember all the sites you’ve signed up on? Check if your account was ever breached here.
If you have been hacked:
IMMEDIATELY change the password of the compromised email address.
Change the password of the compromised account at the hacked game or other sites.
If you used the same password on other sites, make sure to update those passwords as well.
Find the rest of our security tips here.
Even if you haven’t been found hacked, it would be a good practice to change your login password regularly, and ideally to update the password for your email address used to register/sign-up to the game.
In any case we recommend subscribing to Breach Report monitoring in your personal dashboard on our site. We will notify you if your credentials are compromised, which will allow you to quickly react to the breach.
Play safe with Breach Report!