According to a statement released yesterday, ESEA learned on December 27, 2016 that its website database had been breached, potentially exposing user names, emails, private messages, IPs, mobile phone numbers, forum posts, bcrypt hashed passwords and hashed answers to secret questions.
"The threat actor contacted ESEA early Eastern Standard Time on December 27 through our bug bounty program to inform us that they had obatined access to user data and demanding a ransom payment of $100,000 to not release or sell the user data," the company stated.
On December 28 and 29, ESEA identified the attack vector and began patching the vulnerability involved. On December 30, the company notified users and the FBI, and implemented a password reset for all users.
On January 7, the company says, the attacker used information obtained from ESEA's game server infrastructure database to gain access to a game server and steal intellectual property not associated with user data.
On January 8, the attacker provided the stolen data to LeakedSource.
"We apologize that this theft has taken place," the company said in a statement. "ESEA takes the security and integrity of customer emails and information very seriously and we are doing everything in our power to investigate this attack and attempted extortion and are making changes to our systems to mitigate any potential further breaches."
Tim Erlin, senior director of IT security and risk strategist at Tripwire, told eSecurity Planet by email that many people may not be aware that video games are a more than $30 billion industry. "Profit motivated criminals target industries that deliver financially," he said. "Cyber criminals don’t just target credit card information and bank accounts."
"All kinds of personal information has value on the black market, and the video gaming industry collects plenty of personal information," Erlin added. "Collecting all that data on users makes the industry a target."
And Seclore CEO Vishal Gupta said by email that the ESEA breach exposed a trove of both traditional and non-traditional personally identifiable information (PII). "While hackers were able to make off with commonly exposed information such as name, email address, and location, they also stole IDs associated with gamers' accounts," he said.
"Initially, having a user’s PlayStation or Xbox ID might not seem as dangerous as having their credit card information, but in reality, these non-traditional data points can be used to carry out highly effective phishing campaigns," Gupta added. "Until all PII is protected with the same data-centric security measures used to defend mission critical information, hackers will continue to find a way to use our stolen data against us, regardless of what form it comes in."
Photo courtesy of Shutterstock.