Leak of 1.5 Million Player Profiles confirmed following ESEA Hacking Incident
E-Sports Entertainment Association (ESEA) has confirmed that it was the target of an attempted extortion after a hacker successfully infiltrated one of its game servers. The incident enabled the hacker to steal the player profiles and other data of 1.5 million users. The hack was carried out on the 27th of December 2016. The attacker accessed an ESEA game server, then exfiltrated data, and ultimately issued a demand for a $100,000 ransom to the company.
The hacker indicated that if the ransom was paid, the incident would not be made public and the stolen data would not be sold on to another party or parties, nor published in any form. The hacker threatened, however, that should ESEA fail to pay the ransom requested, the data would be published online.
ESEA was contacted via its bug bounty program. ESEA got hold of the attacker’s email address and then requested proof that a data theft had occurred. ESEA was able to quickly confirm from the supplied data that a breach had indeed taken place.
It is ESEA policy, however, that it does not comply with extortion demands. Although the security of customer data is taken extremely seriously, there was never any guarantee that paying the ransom would result in the data being returned and any copies permanently deleted by the attacker. Instead, ESEA decided to go public.
In the aftermath of the ESEA hacking attack, the company managed to identify the attack vector that was used and action was immediately taken to correct the exploited vulnerability.
The data from the attack has now been forwarded to LeakedSource, the database of which now totals 1,503,707 records. The stolen information included intellectual property together with a variety of users’ game data. Among the information stolen by the hacker were usernames, registration dates, city and state, first and family names, email addresses, birth dates, telephone numbers, postal codes, Steam, Xbox, and PSN IDs, plus bcrypt-hashed passwords. CSO indicates that at least 90 different user data fields were present in the database schema that was supplied by LeakedSource.
The data might be utilised by the attacker or alternatively could be sold on to another party or parties. Although the passwords are currently secured, the remaining data could potentially be used in phishing attacks on players. ESEA reacted to the hack by ordering an obligatory reset of its users’ passwords, security questions, and multi-factor authentication tokens.
ESEA made an immediate response to the hacking incident. Users were notified of it within 4 days of the attack having occurred, therefore allowing them to take the necessary precautions to minimise their risk. In a statement ESEA indicated that it was doing everything in its power to investigate the attack and was making changes to its systems to mitigate any potential further breaches.