The Town of Salem was hacked, exposing the personal information of more than 7.6 million people
BlankMediaGames (BMG) has announced that more than 7.6 million players of the popular browser-based role-playing game Town of Salem were affected by a data breach.
The breach was originally revealed on December 28th in an anonymous email to security firm DeHashed, which provided evidence of the server penetration as well as access to the whole player database.
According to DeHashed, the database’s overall row count is 8,388,894, with 7,633,234 unique email addresses.
Email addresses, usernames, IP addresses, game and forum activity, passwords (hashed in phpass, WordPress and phpBB formats) and payment information were among the data stolen, according to the DeHashed exposé.
BlankMediaGames has rejected the claim that “some of the users who paid for specific premium features had their billing information/data compromised as well.”
A representative named ‘Achilles’ confirmed the breach in a message posted to the official Town of Salem gaming forum on January 2nd: “We don’t deal with cash.
Not at all. All of this is taken care of by third-party payment processors.
We never view your credit card number, payment details, or any other sensitive information. That information is not available to us.”
However, the breach confirmation statement did indicate that “Your username/hashed password, IP address, and email address will be the only sensitive information exposed.
Everything else is merely information about the game.” To be safe, BMG also encouraged customers to replace their Town of Salem passwords.
The passwords were hashed rather than being stored in plain text, but that does not guarantee that weaker passwords are safe, because threat actors can use rainbow tables to recover common passwords from their hashes.
If those passwords have been reused across other sites and services, they could enable further compromise when combined with usernames that are also commonly reused, so all such logins should be replaced immediately.
If the hashing for these passwords was a mix of phpass and MD5 (both of which are used by phpBB), the advice to change your password becomes even more urgent, however weak or strong your choice was.
The rainbow tables I cited are ridiculously big for MD5 hashes, and MD5 hashes have long been known to be vulnerable to brute force attacks.
Because phpass hashing is known to be incredibly weak, you can pretty well assume that your passwords will be exposed regardless of which method was employed.
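The weakness described above comes down to two properties of the stored hash: whether it is salted and whether it is slow. The following added example (not code from the article, BMG or DeHashed) uses a constructed five-entry "common password" table standing in for the huge MD5 lookup tables the article mentions, a constructed user table, and a hypothetical reset policy, to show why an unsalted MD5 hash of a common password is recovered in one dictionary lookup while a salted, iterated hash is not, and how a site operator would flag legacy hash formats for the forced password reset BMG says it is adding.

```python
"""
Added example: classify legacy password hash formats, show why unsalted MD5
falls to a precomputed lookup table, and flag accounts for a forced reset.
Every password, salt and user record below is constructed sample data.
"""
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed: a tiny "common passwords" list standing in for the wordlists
# behind the very large MD5 rainbow/lookup tables mentioned in the article.
COMMON_PASSWORDS = ["password", "123456", "salem", "qwerty", "letmein"]

# Precomputed lookup table: MD5 hex digest -> password. Because MD5 is fast and
# the legacy format has no salt, one table built once covers every user.
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def classify_hash(stored: str) -> str:
    """Identify the hash format from its prefix or shape (formats named in the article)."""
    if stored.startswith("$P$") or stored.startswith("$H$"):
        return "phpass-portable"   # phpass portable mode (WordPress $P$, phpBB3 $H$): salted, iterated MD5
    if stored.startswith("$2a$") or stored.startswith("$2y$"):
        return "bcrypt"            # phpass falls back to bcrypt where crypt() supports it
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5-unsalted"      # legacy phpBB2-style raw MD5 hex digest
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2-sha256"     # the modern salted, iterated format produced below
    return "unknown"


def recover_if_unsalted_md5(stored: str) -> Optional[str]:
    """One dictionary lookup: succeeds only for an unsalted MD5 of a common password."""
    return MD5_LOOKUP.get(stored)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash (stdlib PBKDF2-HMAC-SHA256): a per-user salt means
    no single precomputed table can cover all users, and iterations make each
    guess expensive."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), dk_hex)


def needs_forced_reset(stored: str) -> bool:
    """Hypothetical policy: any legacy or unrecognised format gets a forced reset on next login."""
    return classify_hash(stored) in {"md5-unsalted", "phpass-portable", "unknown"}


# Constructed sample user table. Bob's phpass string has the right shape
# ($P$ + cost + 8-char salt + 22-char hash) but is not a real hash.
USERS = {
    "alice": hashlib.md5(b"salem").hexdigest(),
    "bob": "$P$B" + "salthere" + "X" * 22,
    "carol": pbkdf2_hash("correct horse battery", iterations=50_000),
}


def audit(users: dict) -> dict:
    """Per-user findings: hash format, whether the table lookup recovers it, reset needed."""
    report = {}
    for name, stored in users.items():
        report[name] = {
            "format": classify_hash(stored),
            "recovered_by_lookup": recover_if_unsalted_md5(stored),
            "force_reset": needs_forced_reset(stored),
        }
    return report


if __name__ == "__main__":
    for user, finding in audit(USERS).items():
        print(user, finding)
```

Running the audit shows alice's legacy MD5 hash recovered by the constructed table without any hashing work at all, while carol's PBKDF2 hash is not matched and can only be checked by recomputing with her salt. Bob's phpass portable hash is salted, so the table does not match it either, but the reset policy still flags it because the underlying primitive is iterated MD5.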
Indeed, more than two million passwords from the hacked database have already been cracked and are available online, according to a poster named ‘lleti’ in a reddit thread about the attack.
This looked to be limited to a few 0Day forums on the dark web at first, but now these cracked, plaintext passwords can be found via a Google search (which I am not going to reveal here).
According to lleti, these publicly accessible passwords do not come with any further information, such as the associated accounts, and hence are of little use for malicious purposes.
Town of Salem players were quick to respond to the BMG news by asking why the game developers had taken so long to react to the DeHashed revelation of December 28th.
DeHashed had indicated that it had sent many emails to BMG in an attempt to notify them of the breach, but that no confirmation had been received.
“No game producer ever wants to be in this scenario,” Achilles from BMG said, adding that “having it happen over the holiday break when everyone was gone was bad timing.”
Despite Town of Salem’s popularity, BMG is a small development firm with only a few employees.
BMG defended the delay in notifying subscribers about the attack by claiming that the emails from DeHashed were filtered into a spam folder and thus went unnoticed.
Another BMG spokesperson, PyromonkeyGG, said the firm has “discovered and remedied one breach” and is working with Rackspace to “help find any other potential breaches or vulnerabilities on our servers.”
BMG plans to send a mass email to all Town of Salem users affected by the hack soon, but says its top priority right now is “ensuring that our systems are safe” and adding “support in our code for forced password resets.”
Ian Trump, head of cyber security at AMTrust International, with whom I spoke about the importance of incident response strategies for businesses of all sizes, suggested that this could be a good test case for negligence under the EU General Data Protection Regulation (GDPR), which applies to companies outside of the EU that store and process data from EU citizens.
“‘We care about your personal data only during business hours, only if it doesn’t go to spam, and only if we aren’t on vacation’ isn’t good enough,” Trump says, adding that “GDPR does not have a ‘we were on vacation’ exception. Do a better job.”
I reached out to BlankMediaGames for a comment on this story yesterday, but as of the time of writing, I had not received a response.