[BreachExchange] Armor Games admits all its users' deets slurped in database mega-hack as site moves to repair chink
Destry Winant
destry at riskbasedsecurity.com
Wed Mar 6 09:59:58 EST 2019
https://www.theregister.co.uk/2019/03/04/armor_games_breach_disclosure/
Armor Games (AG) has confirmed that 100 per cent of its users were
caught up in February's mega-leak that saw the details of 617 million
online accounts hacked from 16 hacked websites being sold on the dark
web.
As exclusively revealed by The Register last month, the haul included
account databases for Dubsmash (162 million), MyFitnessPal (151
million) and MyHeritage (92 million) among others.
Some 1.8GB worth of Armor Games data was found by us on sale for
0.2749 BTC ($988) via Dream Market, located in the Tor network.
The company, which runs a portal for a bunch of browser-based games,
did not speak to El Reg but cited our article in a confessional email
to customers to say it was told on 29 January of a breach that
occurred "around" the start of the month.
"This appears to be part of a larger breach affecting 16 companies
(see this new article for more information). We are one of the smaller
companies affected, apparently holding less than 2 per cent of the
total accounts affected between the 16 companies," said AG.
Nevertheless, "the database affected primarily stores all our website
users' public profiles, login data (usernames, email addresses, IP
addresses, and hashed passwords), birthdays of our administrative
accounts, and information about our password protection processes at
the time (including the password salt)," the email continued.
Thankfully, the data haul did not include first or last names, credit
card data, addresses or phone numbers. But only because AG didn't hold
that information in the database.
The advice to users was to "update" passwords on all websites they
use, as AG makes "changes on our side to harden our security and
fixing any weaknesses found by our audit, including updating our
password protection and methods".
AG said it had "started" to notify the relevant authorities and would
work with the cops and any of the other 15 corporate victims of the
breach.
"Armor Games sincerely apologies for the inconvenience and concern
this incident may cause, and remains committed to safeguarding the
personal information in its care," it said.
The company claimed none of the data, part of the trove put up for
sale in the Dream Market cybersouk, had been misused. ®
More information about the BreachExchange
mailing list