Security Experts:

Hacker Grabs Data on 1.5 Million ESEA Gamers, Demands 100k Ransom

E-Sports Entertainment Association (ESEA) Becomes the Latest Data Breach Victim With Data of 1.5 Million Users Stolen

Online gaming is big business -- about $30 billion per year of big business. It collects much of its revenue online, together with large amounts of personal information from its users. It has become such an attractive target that, according to figures from Shape Security, at least 11 gaming organizations suffered credential leaks last year.

E-Sports Entertainment Association (ESEA) has become the latest games entertainment company to suffer -- with systems breached in 2016, and user credentials spilled in January 2017. The organization learned of the breach on Dec. 27, and announced it via Twitter on Dec. 30. Over the last weekend, it emerged that 1.5 million player profiles had been stolen and leaked online.

The additional details came from breach notification service LeakedSource which stated that it had added 1,503,707 ESEA records to its database of stolen credentials. These records appear to include the entire user profile, with up to 90 fields in each record, including name, email address, date of birth, phone number, and IDs for Steam, Xbox and PSN. The user password is also included, but hashed with bcrypt.

LeakedSource also claimed that the breach was accompanied by a demand for $50,000 from ESEA. A statement said that in exchange for this ransom, the hacker would keep quiet about the hack, and would help the organization fix the associated vulnerability. This was confirmed yesterday by ESEA, although it said the ransom was $100,000. "The threat actor contacted ESEA early Eastern Standard Time on December 27 through our bug bounty program to inform us that they had obtained access to user data and demanding a ransom payment of $100,000 to not release or sell the user data."

ESEA's first comment on the breach was Sunday, when it tweeted , "Recently news has been made that ESEA's user data has been leaked online. We expected something like this could happen but have not confirmed this is ESEA's data." This is consistent with first learning of the breach from the hacker himself, and subsequently declining to pay the ransom demand -- but note that the actual breach could have occurred long before the hacker made it known.

ESEA subsequently published a FAQ  on the incident. It confirmed the breach but makes no mention of the number of accounts compromised nor any ransom demand. It stated that "a large portion of the ESEA community members' information including usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers could all have been exposed."

The passwords and secret answers have been hashed. This doesn't guarantee that they cannot be cracked, but should keep 'strong' passwords safe. One concern comes from the extent of additional personal information available to the hacker, and apparently in plain text. This would enable compelling phishing attacks to be crafted since names, ages, geolocation and email addresses are all available. "Tailored phishing emails referring to specific Steam/XBox/PSN IDs (since the attacker has the victim's email address), asking the user to change their passwords would probably be effective," comments Andy Patel, 'Cyber Gandalf' with F-Secure.

ESEA confirms this in its FAQ, and advises users to, "Change your passwords and security questions/answers for any other accounts on which you used the same or similar information used for your ESEA account, and review any such accounts for any suspicious activity. Additionally, be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information."

SecurityWeek has asked ESEA if it will take any special measures to reduce the likelihood of users reusing existing or previously stolen credentials, and will update this post with any response.

ESEA, like many games organizations, collects revenue by way of online subscriptions from its users. It does not, however, store any sensitive payment information (credit card, bank account, etc.); so any payments made on the ESEA website have not been compromised.

Nevertheless, the personal data stolen is of high value. "Account names and password hashes were included in the leaked data; although the password hashes are based on bcrypt, so they're not brute-force-searchable. However," F-Secure's Patel told SecurityWeek, "with an account name, an attacker could attempt to brute force or at least guess commonly used passwords (which probably gets them access to some accounts, considering 1.5 million records were leaked). From there, an attacker can try the same credentials in Steam, Xbox Live, PSN, etc (since people often use the same login/password in many places). Luckily a lot of gaming services use two-factor authentication, so there's added protection for those gamers who enable that.

"What's interesting," he added, "is that the attacker chose to publicize the leaked data in return for a ransom, instead of the threat of sabotage. As it is, the ESEA decided that a public leak of their customer database wasn't worth a $100,000 payout. Had the attacker threatened to disrupt a high-profile tournament (ESEA's latest tournament was co-sponsored by Mountain Dew, for instance), ESEA might have approached the threat in a different way, and the attacker might have received his payout."

ESEA claims to have located and fixed the vulnerability that was used by the hacker; and the incident is being investigated by the FBI.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.