E-Sports Entertainment Association (ESEA), one of the biggest video gaming communities, was breached last December; a database containing 1.5 million player profiles was compromised.
On Sunday, ESEA Tweeted: “Recently news has been made that ESEA’s user data has been leaked online. We expected something like this could happen but have not confirmed this is ESEA’s data. We notified the community on December 30th, 2016 about the possibility this could happen. The type of data and storage standards was disclosed. We have been working around the clock to further fortify security and will bring our website online shortly when that next round is complete. This possible user data leak is not connected to the current service outage.”
The Guru reached out to several cybersecurity experts to hear their view on the breach.
Giovanni Vigna, co-founder, Lastline:
“Any community can be a target. Whenever a substantial amount of personal information is stored in one location, that location becomes a possible target for a breach.
“Users tend to have similar usernames (and, unfortunately, passwords) across communities and applications. It is therefore possible that the records will be used as a basis for identity theft or additional breaches.
“Cybercriminals have always been creative in finding ways to monetise the data that resulted from a breach. Asking for a ransom is not new, and it might be motivated by the fact that the records could not immediately be sold for a profit in underground forums.”
Tim Erlin, Sr. Director, Product Management, Tripwire:
“If you’re not part of the video game industry, you might not realise that it’s a more than $30B industry. Profit motivated criminals target industries that deliver financially.
“Cyber criminals don’t just target credit card information and bank accounts. All kinds of personal information have value on the black market, and the video gaming industry collects plenty of personal information. Collecting all that data on users makes the industry a target.
“Modern gaming is all about collecting money from consumers, and gaming companies have plenty of credit card data to make them an attractive target.
“Ransomware isn’t a new phenomenon at all. We’ve seen this particular technique for parting businesses and individuals from their money move through industries.
“Organisations can defend from ransomware, but they often don’t do so until too late.”
Tyler Reguly, Manager of Software Development, Tripwire:
“There is a lot of money in video games and the in-game items associated with them. There are several websites that provide exchange rates for in-game currency or items to real world dollars. Assuming credential reuse, gaining access to one set of credentials could allow you to gain access to various game accounts which would allow you to trade away or sell the in-game items. The concept of exchanging in-game assets for real currency is known as RMT (real money trading) and can be very lucrative. Some items can translate into thousands of dollars and, among the rarest of these items, are often the rewards for winning report tournaments. It is not unheard of for gamers to “retire” and pay for some, or even all, of their post-secondary education by selling off entire accounts. Combined with slow response rates from gaming company customer support and the fact that they often only punish the buyer rather than catching the seller, this is a very lucrative method of illegally making money.”
Mark James, IT security specialist at ESET:
“Gaming entities and online profiles can be worth “real life” money, not to mention in some games the ability to sell in-game items for actual money can reap large payloads for some unscrupulous individuals. Gaining access to those accounts can be achieved in many ways, using malware to harvest login credentials or phishing scams to either trick the user into entering their details to “keep their account safe” or trying to validate a scam email by including something they can relate to. The details leaked from this breach could enable someone to do just that. The leaked records included the usual personal information – registration date, city, state (or province), username, email address, date of birth etc. It’s the Steam ID, Xbox ID, and PSN ID that are more likely to be used for further scams. You should always be extra vigilant of any emails or even calls you receive that want you to validate your login or any other personal information, check your financial statements and, of course, change any affected passwords from this breach.”
Alex Mathews, Lead Security Evangelist of Positive Technologies:
“The gaming community is quite a target for hackers because these people hold “convenient” values: game attributes and virtual property which could go to a new owner on the other side of the planet with just a click (almost the same way as electronic money). Many gamers invest more money in virtual worlds than they spent buying a car, and it could be lost in a second as a result of cyber-attacks.
“Even though passwords are said to be safe in this case, the rest of the personal data leaked is rather sensitive as well, when you get all of it at once (login, username, first and last name, email address, date of birth, zip code, phone number, Steam ID, Xbox ID, PSN ID). First, some online services allow a simplified authorization with some of the subscriber’s personal data from that list (phone number and date of birth, for example). So it could be used by impostors for dirty tricks.
“Second, this data can help the attackers to guess your passwords or the answer to the question in the recovery form: many people still use simple passwords based on, for example, their names. Besides, people often use the same password for many services, or one mailbox is used for password recovery for other services. So, if one of your passwords is guessed it can be used to steal other accounts.
“Another problem is social engineering. A common phishing scheme is an e-mail “from support” asking you to log in to some fake site; this way your password goes to fraudsters. The leaked personal data provide an easy way for these tricks: the fraudsters will know the exact services they have to fake for a targeted person. If tomorrow all these people get an e-mail from ESEA, or Steam, or some Xbox related services, it could be phishing already.
“Finally, the leak of real names could also be harmful for those gamers who wanted to stay anonymous.”
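The warning above, that leaked profile fields (name, username, date of birth, zip code, phone number) let an attacker guess passwords, can be turned into a defensive check at password-set time: reject any password an attacker could build from the user's own record. The following is an added example written for this page; it is not code from the article, from ESEA, or from any of the quoted vendors. The record field names, the mangling rules (capitalisation, appended date/zip/phone fragments, a few suffixes) and the sample record are all assumptions constructed for the demonstration, and the candidate set is deliberately the small, obvious one rather than a full cracking ruleset.

```python
import datetime as dt
import re
from typing import Dict, Iterator, List, Set

# Constructed sample record mirroring the field list quoted in the article.
# The values are invented for this example and are not from any leaked data.
SAMPLE_RECORD: Dict[str, str] = {
    "username": "fragmaster",
    "first_name": "Alice",
    "last_name": "Example",
    "email": "alice.example@example.org",
    "date_of_birth": "1991-07-14",
    "zip_code": "90210",
    "phone_number": "+1 555 0100",
}

# Mangling suffixes an attacker would try first (assumed list, not exhaustive).
SUFFIXES = ("", "!", "1", "123", "!1")


def _date_tokens(dob: str) -> Set[str]:
    """Numeric fragments commonly built from a YYYY-MM-DD date of birth."""
    d = dt.date.fromisoformat(dob)
    y, yy, mm, dd = f"{d.year}", f"{d.year % 100:02d}", f"{d.month:02d}", f"{d.day:02d}"
    return {y, yy, mm + dd, dd + mm, y + mm + dd, mm + dd + y, dd + mm + y, mm + dd + yy, dd + mm + yy}


def _base_words(record: Dict[str, str]) -> Set[str]:
    """Lower-cased name-like tokens: username, names, and pieces of the e-mail local part."""
    first = record.get("first_name", "").strip().lower()
    last = record.get("last_name", "").strip().lower()
    words = {w for w in (record.get("username", "").strip().lower(), first, last) if w}
    local_part = record.get("email", "").split("@")[0].lower()
    words |= {p for p in re.split(r"[._+-]", local_part) if len(p) >= 3}
    if first and last:
        words |= {first + last, first[0] + last}
    return words


def _number_tokens(record: Dict[str, str]) -> Set[str]:
    """Digit strings taken from the DOB, the ZIP code and the last four phone digits."""
    numbers: Set[str] = {""}  # the empty token lets a bare word through the same loop
    if record.get("date_of_birth"):
        numbers |= _date_tokens(record["date_of_birth"])
    zip_digits = re.sub(r"\D", "", record.get("zip_code", ""))
    if zip_digits:
        numbers.add(zip_digits)
    phone_digits = re.sub(r"\D", "", record.get("phone_number", ""))
    if len(phone_digits) >= 4:
        numbers.add(phone_digits[-4:])
    return numbers


def profile_candidates(record: Dict[str, str]) -> Iterator[str]:
    """Yield every password an attacker could build from the record with the rules above."""
    numbers = _number_tokens(record)
    for word in _base_words(record):
        for variant in {word, word.capitalize(), word.upper()}:
            for num in numbers:
                for suffix in SUFFIXES:
                    yield f"{variant}{num}{suffix}"
    # Purely numeric passwords such as the full date of birth or the ZIP code.
    for num in numbers:
        if len(num) >= 5:
            yield num


def is_profile_derived(password: str, record: Dict[str, str]) -> bool:
    """True when the password is in the candidate set (exact match; leet-speak is out of scope)."""
    return password in set(profile_candidates(record))


def audit_passwords(accounts: List[Dict[str, str]]) -> List[str]:
    """Return usernames whose password (plaintext, as seen at set-time) is derivable from their profile."""
    return [a["username"] for a in accounts if is_profile_derived(a["password"], a)]


if __name__ == "__main__":
    # Constructed accounts for the demonstration; only the second one survives the check.
    accounts = [
        {**SAMPLE_RECORD, "password": "Alice1991!"},
        {**SAMPLE_RECORD, "username": "ng_sniper", "password": "correct horse battery staple"},
        {**SAMPLE_RECORD, "username": "dd_clutch", "password": "19910714"},
    ]
    for name in audit_passwords(accounts):
        print(f"{name}: password is derivable from profile fields, reject it")
```

The check only works where the plaintext is available, i.e. when a user sets or changes a password; it cannot be run retroactively over a properly hashed store without cracking, which is exactly the advantage an attacker holding the leaked profile fields has over the defender. A real deployment would also fold in a breached-password list and the usual length and reuse rules.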