Following an extortion attempt, information from a recent breach of a competitive video gaming community surfaced over the weekend online.
Data purportedly belonging to 1.5 million members of video gaming community ESEA, the E-Sports Entertainment Association League, was added to LeakedSource’s list of “Hacked Sites” on Saturday. According to the site, a repository of breached data, it has information on 1,503,707 users of the ESEA site.
Esea (dot) net was hacked recently, all user data has been leaked online today.
— News About Security (@BigSecurityNews) January 8, 2017
ESEA said on Twitter Sunday while it hadn’t confirmed data leaked online belonged to its users, it said that it “expected something like this could happen.”
ESEA Outage and Security Update
— ESEA (@ESEA) January 8, 2017
“We notified the community on December 30th, 2016 about the possibility this could happen,” ESEA said. “The type of data and storage standards was disclosed. We have been working around the clock to further fortify security and will bring our website online shortly when that next round is complete. This possible user data leak is not connected to the current service outage.”
In a blog post, published Dec. 30, Craig Levine, E-Sports Entertainment co-founder, said ESEA became aware of a security breach on Dec. 27. Levine couldn’t confirm it at the time, but said there was a possibility that a variety of user data might have been taken including usernames, emails, private messages, IP addresses, mobile phone numbers, any forum posts they published, hashed passwords and hashed secret question answers.
Levine said that only the phone numbers of users who set their accounts up to receive SMS messages were likely taken. He added that account passwords were encrypted with the password hashing function bcrypt. Levine says the company doesn’t store payment information, so user credit card data wasn’t compromised by the incident.
In wake of the hack, the community said it forced a password reset, multi-factor authentication reset, and a security question reset for all accounts. ESEA said it was investigating the incident and trying to determine what exactly had been taken at the end of December.
It’s unclear what the company’s investigation has turned up over the past week though. On Twitter, ESEA directed users on Monday to the community’s Dec. 30 memo. Neither ESEA, nor Turtle Entertainment Online, an entertainment conglomerate based in Germany that owns the community, responded to requests for comment on Monday.
Can someone explain why a site with 1.5m users getting hacked (ESEA) is causing such a ruckus on the internet? 1.5m is tiny, not even top100
— News About Security (@BigSecurityNews) January 9, 2017
A breach of 1.5 million users is relatively small potatoes, especially in the wake of Yahoo’s disclosure last month that data from one billion accounts was stolen, but the news has still gotten the attention of ESEA’s fervent following.
@ESEA sad attempt to cover your own asses instead of offering transparency and an apology for this second breach – seriously pathetic
— trig (@trig8787) January 8, 2017
@ESEA Hopefully your password encryption is as good as your anticheat!
— ★ 404 (@MegaShenster) January 8, 2017
The service, which bills its software as being anti-cheat proof, counts many active users of the multiplayer first-person shooter video game Counter-Strike among its subscribers. News of the hack also came as ESEA was winding down a publicized competition it was running with Mountain Dew and ESL dubbed League Champions.
It’s not the first time that the ESEA has run into an issue with its security. In November 2013 it settled with the state of New Jersey after the attorney general there claimed the community was infecting users’ machines with malware to mine Bitcoin. ESEA reportedly mined $3,500 in Bitcoin from more than 14,000 machines. ESEA disagreed with the charge but agreed to pay the state $325,000 of the $1 million penalty.
An ESEA spokesperson confirmed to Threatpost late Monday that the breach was part of an extortion demand. The attacker contacted the company through its bug bounty program on Dec. 27 and told the company that if it didn’t pay $100,000, the data would either be sold or released.
The company posted a lengthy blog post Monday night that helps break down the last two weeks or so.
According to the post, ESEA refused to give into the attackers’ demands and contacted the authorities as soon as it discovered the leak. It spent the next few days scrambling to identify the vulnerability that led to the attack and patching it.
ESEA claims that while in its system, the attacker managed to get access to a game server and edit the “karma” of some users. ESEA’s karma system allows users to rank other users based on their experience in games. The attacker also managed to glean non-user data as well, including game server plugins for Counter-Strike: Global Offensive. ESEA claims the theft of that data had nothing to do with the stolen user data however.
The company been spending the first several days of 2017, as it suggested in its original blog post in late December, fortifying its security. It continues to investigate the attack and the attempted extortion.
This article was updated Jan. 9 to include information on the attempted extortion attempt and additional details supplied by ESEA.