[BreachExchange] Albion Online game maker discloses data breach

Destry Winant destry at riskbasedsecurity.com
Mon Oct 19 10:34:39 EDT 2020


https://www.zdnet.com/article/albion-online-game-maker-discloses-data-breach/

A hacker has breached the forum of Albion Online, a popular free
medieval fantasy MMORPG, and stolen usernames and password hashes, the
game maker disclosed on Saturday.

"The intruder was able to access forum user profiles, which include
the email addresses connected to those forum accounts," said Sandbox
Interactive GmbH, the company behind Albion Online.

The attacker also harvested encrypted passwords. Sandbox Interactive
said the passwords were hashed with the Bcrypt password-hashing
function and then salted with random data to make it harder for
attackers to reverse and crack the password.

"These can NOT be used to log in to Albion Online, the website
or the forum, nor can they be used to learn the passwords themselves,"
the German game maker said.

"However, there is a small possibility they could be used to identify
accounts with particularly weak passwords."

Users who reused emails and passwords for both their game and forum
account are at particular risk.

As a result of the unauthorized intrusion, the game maker asked forum
users to reset passwords via a forum post on Saturday and via emails
delivered to all impacted users.

The company did not disclose the size of the breach.

Sandbox Interactive said the intrusion took place on Friday, October
16, and the attacker utilized a vulnerability in its forum platform,
known as WoltLab Suite.

The vulnerability is now patched, the game maker said.

Sandbox Interactive said it's compiling a report on the attack to
provide to authorities.

"So far we have prioritized fixing vulnerabilities and informing
players about this incident," it said.

Albion Online was launched in July 2017 and is available as a
free-to-play game for Windows, macOS, Linux, iOS, and Android.

The game is believed to have more than 2.5 million players, while the
Albion Online forum lists 293,602 registered members at the time of
publishing.

