Town of Salem hack exposes details of 7.6 million gamers

Just before Christmas, hackers managed to break into a database belonging to a popular online game and steal the details of over seven million players.

BlankMediaGames, makers of the browser-based game “Town of Salem”, has sent an email to players warning that personal information stolen by the hackers may include email addresses, full names, postal addresses, usernames, encrypted passwords, forum activity, IP address, and game activity.

Fortunately, BlankMediaGames uses a third party to handle payments and so does not have access to payment information, depriving the hackers of the ability to directly monetise the hack.

Nonetheless, there’s still plenty of opportunity for the hackers to exploit the stolen data. For instance, phishing campaigns pretending to come from the game could be sent out to players, using gamers’ names and email addresses to make the messages look more convincing.

And you shouldn’t think that just because your “Town of Salem” password was “encrypted” that it hasn’t been compromised. In a forum post, BlankMediaGames reveals that the passwords “were stored as a salted MD5 hash”.

MD5 is considered to be a relatively weak algorithm for hashing passwords, and the lack of stronger protection may open easy opportunities for hackers to crack some of the passwords.
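For operators holding salted MD5 hashes like those described above, one migration path is shown here as an added example (not BlankMediaGames' code): wrap every stored digest in a slow key-derivation function offline, then replace it with a pure slow hash at the user's next successful login. The record format, the `md5(salt + password)` layout and the iteration count are assumptions; the forum post says only "salted MD5".

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def legacy_md5(password: str, salt: bytes) -> str:
    # Assumed legacy layout: hex(md5(salt || password)).
    return hashlib.md5(salt + password.encode()).hexdigest()


def _kdf(secret: bytes, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS).hex()


def wrap_legacy(record: str) -> str:
    """Offline step: harden a stored 'md5$salt$hex' record without the password."""
    _, md5_salt, md5_hex = record.split("$")
    kdf_salt = os.urandom(16)
    wrapped = _kdf(md5_hex.encode(), kdf_salt)
    return f"pbkdf2-md5${md5_salt}${kdf_salt.hex()}${wrapped}"


def new_record(password: str) -> str:
    salt = os.urandom(16)
    return f"pbkdf2${salt.hex()}${_kdf(password.encode(), salt)}"


def verify(record: str, password: str):
    """Return (ok, replacement). replacement is a pure pbkdf2 record to store
    after a successful login against a wrapped hash, otherwise None."""
    scheme, *fields = record.split("$")
    if scheme == "pbkdf2-md5":
        md5_salt, kdf_salt, want = fields
        inner = legacy_md5(password, bytes.fromhex(md5_salt)).encode()
        ok = hmac.compare_digest(_kdf(inner, bytes.fromhex(kdf_salt)), want)
        return ok, (new_record(password) if ok else None)
    if scheme == "pbkdf2":
        kdf_salt, want = fields
        got = _kdf(password.encode(), bytes.fromhex(kdf_salt))
        return hmac.compare_digest(got, want), None
    return False, None  # bare md5 records are refused once the wrap has run


def constructed_legacy_record(password: str) -> str:
    salt = bytes.fromhex("a1b2c3d4")  # constructed sample salt, not real data
    return f"md5${salt.hex()}${legacy_md5(password, salt)}"
```

The offline wrap covers dormant accounts too, so no bare MD5 digest remains in the database even for users who never log in again.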

In short, you would be wise to reset your Town of Salem password *and* also ensure that you are not reusing the same password anywhere else on the internet.

BlankMediaGames says it has removed three suspicious PHP files from its server that allowed the hackers to gain access, and has asked its hosting provider to run a malware check across all of its servers.

Furthermore, it says it has put in place additional security measures to protect players better in future, and is liaising with law enforcement.

Whether that will be enough to allay the fears of gamers remains to be seen.

One clear lesson that all companies could learn from this incident is the need to recognise that a security breach can happen at any time.

It appears that despite emails and calls to BlankMediaGames between Christmas and New Year from individuals who knew about the breach, nothing has been said publicly until now.

BlankMediaGames is, of course, a small company. But online firms cannot afford to rest when it comes to security issues. There’s a reason why hackers often like to strike during the holidays or at the weekend.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: