BlankMediaGames (BMG) has confirmed that it suffered a data breach impacting more than 7.6 million players of the popular browser-based role-playing game Town of Salem. The breach was first disclosed on December 28th in an anonymous email to security firm DeHashed that included evidence of the server compromise and access to the complete player database. DeHashed states that the total row count of that database is 8,388,894, which included some 7,633,234 unique email addresses.
According to the DeHashed disclosure, the compromised data contained email addresses, usernames, IP addresses, game and forum activity, passwords (phpass, WordPress and phpBB hashes) as well as payment information. It also stated that "some of the users who paid for certain premium features having their billing information/data breached as well", although this has been disputed by BlankMediaGames. In a January 2nd announcement posted to the official Town of Salem game forum, a spokesperson called 'Achilles' confirmed the breach but stated "We do not handle money. At all. The third party payment processors are the ones that handle all of that. We never see your credit card, payment information, anything like that. We don't have access to that information."
The breach confirmation statement did, however, confirm that "The only important data compromised would be your Username/hashed password, IP and email. Everything else is just game related data." BMG also advised users to update their Town of Salem passwords to be safe. The passwords were not stored in plain text but were hashed; that does not make weak passwords safe, because threat actors can use rainbow tables to recover common passwords from their hashes. If those passwords have been reused across multiple sites and services, then coupled with usernames, which are also commonly reused, they could enable further compromise, so all such logins should be updated immediately. If, as it would appear, the hashing used for these passwords was a mix of phpass and MD5 (both used by phpBB), then the 'change your passwords' advice becomes even more urgent regardless of how weak your choice was. MD5 has long been known to be susceptible to brute force attacks, and the rainbow tables I mentioned are stupidly large for MD5 hashes. The phpass hashing scheme is also known to be extremely weak, so whichever was used you can pretty much consider your passwords exposed, in my opinion.
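The paragraph above describes why hashed passwords are not safe once the database leaks: unsalted MD5 maps a given password to the same hash every time, so one precomputed table covers every user, while a scheme that salts and iterates does not. The Python example below is added here as an illustration and is not BMG's code or part of any report cited on this page. It classifies stored hashes by format (raw 32-hex MD5 as used by old phpBB, the `$P$`/`$H$` phpass portable format used by phpBB3 and WordPress, and a modern PBKDF2-HMAC-SHA256 record), shows the determinism difference that makes rainbow tables work, and implements the two defensive responses the article mentions: upgrading legacy hashes on the next successful login and forcing a reset for accounts whose hashes may already be cracked. The user records, the phpass-format string and the `pbkdf2_sha256$` record layout are constructed for the demo; phpass verification itself is deliberately not implemented, so those accounts are routed to a reset.

```python
import hashlib
import hmac
import re
import secrets

# Recognised storage formats (assumed for this demo; not taken from the breach data).
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")                 # md5(password), no salt
PHPASS = re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")         # phpass "portable" hash
PBKDF2_PREFIX = "pbkdf2_sha256$"                           # our own record layout
PBKDF2_ROUNDS = 600_000                                    # OWASP's SHA-256 figure (2023)


def classify_hash(stored: str) -> str:
    """Return which scheme a stored hash string uses."""
    if stored.startswith(PBKDF2_PREFIX):
        return "pbkdf2"
    if LEGACY_MD5.match(stored):
        return "md5-unsalted"
    if PHPASS.match(stored):
        return "phpass"
    return "unknown"


def pbkdf2_hash(password: str, salt: bytes = b"", rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted, iterated hash: 'pbkdf2_sha256$<rounds>$<salt hex>$<dk hex>'."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{PBKDF2_PREFIX}{rounds}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def verify_legacy_md5(password: str, stored: str) -> bool:
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)


def unsalted_hash_is_deterministic(password: str = "correct horse") -> tuple:
    """Why a rainbow table works against unsalted MD5 but not against a salted KDF:
    hashing the same password twice gives (same MD5?, same PBKDF2 record?)."""
    md5_same = hashlib.md5(password.encode()).hexdigest() == hashlib.md5(password.encode()).hexdigest()
    pbkdf2_same = pbkdf2_hash(password) == pbkdf2_hash(password)  # fresh random salt each time
    return md5_same, pbkdf2_same


def accounts_needing_reset(users: dict) -> list:
    """After a leak of hashed passwords, every account still on a legacy or
    unknown scheme is forced to reset: its password may already be cracked."""
    return sorted(u for u, h in users.items() if classify_hash(h) != "pbkdf2")


def login(users: dict, username: str, password: str, force_reset: set) -> str:
    """Returns 'ok', 'ok-upgraded', 'reset-required' or 'denied'.
    Legacy unsalted-MD5 rows are transparently rehashed to PBKDF2 on a
    successful login; accounts flagged for reset, and phpass/unknown rows
    (no verifier here), get a forced reset instead."""
    stored = users.get(username)
    if stored is None:
        return "denied"
    if username in force_reset:
        return "reset-required"
    kind = classify_hash(stored)
    if kind == "pbkdf2":
        return "ok" if verify_pbkdf2(password, stored) else "denied"
    if kind == "md5-unsalted":
        if verify_legacy_md5(password, stored):
            users[username] = pbkdf2_hash(password)  # upgrade in place
            return "ok-upgraded"
        return "denied"
    return "reset-required"


# Constructed sample table (not breach data): md5("password") is the standard
# test vector; the phpass string is a format-valid placeholder, not a real hash.
SAMPLE_USERS = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob": "$H$9abcdefghijklmnopqrstuvwxyz0123",
    "carol": pbkdf2_hash("s3cret-example"),
}

if __name__ == "__main__":
    users = dict(SAMPLE_USERS)
    print("deterministic (md5, pbkdf2):", unsalted_hash_is_deterministic())
    print("force reset for:", accounts_needing_reset(users))
    print("alice first login:", login(users, "alice", "password", set()))
    print("alice second login:", login(users, "alice", "password", set()))
```

The design point is that upgrading the hash scheme on login only helps for passwords that have not yet leaked; once a database of weak hashes is public, the password itself must be assumed known, which is why `accounts_needing_reset` treats every non-PBKDF2 row as compromised rather than waiting for the user to log in.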
Indeed, according to a poster called 'lleti' in a reddit discussion about the breach, more than two million passwords from the compromised database have already been cracked (recovered from their hashes) and are available online. Initially this appeared to be restricted to some 0Day forums on the dark web, but now it is possible to find these cracked, plaintext passwords using an appropriate Google search (which I am not going to reveal here). lleti says that these publicly searchable passwords do not come with any additional information such as linked accounts, so their actual value for malicious purposes is negligible.
Town of Salem players were quick to respond to the BMG announcement by asking why it had taken so long for the game developers to react to the DeHashed disclosure on December 28th. DeHashed had stated that it sent numerous emails in an attempt to inform BMG of the breach, but no confirmation was forthcoming. "Sorry that this happened," Achilles from BMG stated, adding "no game creator ever wants to be in this situation and having it happen over the holiday break when everyone was away was terrible timing." Despite the popularity of Town of Salem, BMG is a small development company with just a handful of employees. In a further defense of the delay in confirming the breach to users, BMG said that the emails from DeHashed were filtered into a spam folder and so did not get seen. Another BMG spokesperson, by the name of PyromonkeyGG, posted that the company has now "identified one breach and have fixed it" and is working with Rackspace to "help identify any other potential leaks or vulnerabilities on our servers." BMG is expected to send a mass email announcement to all Town of Salem users impacted by the breach soon, but says the number one priority currently is "to ensure that our servers are secure" and to add "support in our code for forced password resets."
When I spoke with Ian Trump, head of cyber security at AMTrust International, about the importance of incident response strategies for companies of all sizes, he told me that this could be a good test case for negligence under the EU General Data Protection Regulation (GDPR), which applies to companies outside of the EU if they store and process EU citizen data. "We care about your personal data only during business hours, only if it does not go to spam and only if we are not on holiday" isn't good enough, Trump says, concluding "GDPR does not have a 'we were on holiday' exception. Do Better."
I did reach out to BlankMediaGames for a comment on this story yesterday but no reply to my request had been received at the time of publication.