Connect with us

Hi, what are you looking for?



Hacker Grabs Data on 1.5 Million ESEA Gamers, Demands 100k Ransom

E-Sports Entertainment Association (ESEA) Becomes the Latest Data Breach Victim With Data of 1.5 Million Users Stolen

E-Sports Entertainment Association (ESEA) Becomes the Latest Data Breach Victim With Data of 1.5 Million Users Stolen

Online gaming is big business — about $30 billion per year of big business. It collects much of its revenue online, together with large amounts of personal information from its users. It has become such an attractive target that, according to figures from Shape Security, at least 11 gaming organizations suffered credential leaks last year.

E-Sports Entertainment Association (ESEA) has become the latest games entertainment company to suffer — with systems breached in 2016, and user credentials spilled in January 2017. The organization learned of the breach on Dec. 27, and announced it via Twitter on Dec. 30. Over the last weekend, it emerged that 1.5 million player profiles had been stolen and leaked online.

The additional details came from breach notification service LeakedSource which stated that it had added 1,503,707 ESEA records to its database of stolen credentials. These records appear to include the entire user profile, with up to 90 fields in each record, including name, email address, date of birth, phone number, and IDs for Steam, Xbox and PSN. The user password is also included, but hashed with bcrypt.

LeakedSource also claimed that the breach was accompanied by a demand for $50,000 from ESEA. A statement said that in exchange for this ransom, the hacker would keep quiet about the hack, and would help the organization fix the associated vulnerability. This was confirmed yesterday by ESEA, although it said the ransom was $100,000. “The threat actor contacted ESEA early Eastern Standard Time on December 27 through our bug bounty program to inform us that they had obtained access to user data and demanding a ransom payment of $100,000 to not release or sell the user data.”

ESEA’s first comment on the breach was Sunday, when it tweeted , “Recently news has been made that ESEA’s user data has been leaked online. We expected something like this could happen but have not confirmed this is ESEA’s data.” This is consistent with first learning of the breach from the hacker himself, and subsequently declining to pay the ransom demand — but note that the actual breach could have occurred long before the hacker made it known.

ESEA subsequently published a FAQ  on the incident. It confirmed the breach but makes no mention of the number of accounts compromised nor any ransom demand. It stated that “a large portion of the ESEA community members’ information including usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers could all have been exposed.”

Advertisement. Scroll to continue reading.

The passwords and secret answers have been hashed. This doesn’t guarantee that they cannot be cracked, but should keep ‘strong’ passwords safe. One concern comes from the extent of additional personal information available to the hacker, and apparently in plain text. This would enable compelling phishing attacks to be crafted since names, ages, geolocation and email addresses are all available. “Tailored phishing emails referring to specific Steam/XBox/PSN IDs (since the attacker has the victim’s email address), asking the user to change their passwords would probably be effective,” comments Andy Patel, ‘Cyber Gandalf’ with F-Secure.

ESEA confirms this in its FAQ, and advises users to, “Change your passwords and security questions/answers for any other accounts on which you used the same or similar information used for your ESEA account, and review any such accounts for any suspicious activity. Additionally, be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information.”

SecurityWeek has asked ESEA if it will take any special measures to reduce the likelihood of users reusing existing or previously stolen credentials, and will update this post with any response.

ESEA, like many games organizations, collects revenue by way of online subscriptions from its users. It does not, however, store any sensitive payment information (credit card, bank account, etc.); so any payments made on the ESEA website have not been compromised.

Nevertheless, the personal data stolen is of high value. “Account names and password hashes were included in the leaked data; although the password hashes are based on bcrypt, so they’re not brute-force-searchable. However,” F-Secure’s Patel told SecurityWeek, “with an account name, an attacker could attempt to brute force or at least guess commonly used passwords (which probably gets them access to some accounts, considering 1.5 million records were leaked). From there, an attacker can try the same credentials in Steam, Xbox Live, PSN, etc (since people often use the same login/password in many places). Luckily a lot of gaming services use two-factor authentication, so there’s added protection for those gamers who enable that.

“What’s interesting,” he added, “is that the attacker chose to publicize the leaked data in return for a ransom, instead of the threat of sabotage. As it is, the ESEA decided that a public leak of their customer database wasn’t worth a $100,000 payout. Had the attacker threatened to disrupt a high-profile tournament (ESEA’s latest tournament was co-sponsored by Mountain Dew, for instance), ESEA might have approached the threat in a different way, and the attacker might have received his payout.”

ESEA claims to have located and fixed the vulnerability that was used by the hacker; and the incident is being investigated by the FBI.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...