Several months after gaming site Gamigo was breached, more than 8 million e-mail addresses and passwords were posted online. The file has since been removed.
"Gamigo warned users in early March that an 'attack on the gamigo database' had exposed hashed passwords and usernames and possibly other, unspecified 'additional personal data,'" writes Ars Technica's Dan Goodin. "The site required users to change their account passwords. The ... leak four months later raises the possibility that users who chose the same passwords to secure other site accounts may remain at risk, since the dump contained e-mail addresses from Gmail, Yahoo, Hotmail, IBM, Siemens, ExxonMobil, and Allianz, to name a few."
"PwnedList founder Steve Thomas downloaded the file prior to its removal from the Web and has shared it with me, and I can confirm that it appears to be an enormous list of user emails with passwords obscured by cryptographic hashes," writes Forbes' Andy Greenberg. "'It’s the largest leak I’ve ever actually seen,' says Thomas, whose startup seeks to track data breaches and alert users when their information is published. 'When this breach originally happened, the data wasn’t released, so it wasn’t a big concern. Now eight million email addresses and passwords have been online, live data for any hacker to see.'"
"While the compromised accounts are unlikely to be useful on Gamigo's sites, since the gaming publisher forced a password reset for all its users, that doesn't mean it can't be used elsewhere," writes ZDNet's Emil Protalinski. "If you use the same e-mail address and password combination elsewhere, make sure to change it there as well."