E-Sports Entertainment Association suffers data breach which results in publication of personal information when it refuses extortion demand
January 9, 2017
Sometimes a data breach is just the beginning of a company’s problems. As reported in “ESEA hacked, 1.5 million records leaked after alleged failed extortion attempt”, the theft of personal information can be used to make extortion demands. As E-Sports Entertainment Association discovered, correctly refusing to pay can result in those records being published online. The reputational damage can be severe, especially where the data can be used for identity theft or to locate individuals. When this happens, the question is how data can be stored so poorly, with key items not separately siloed. In this case the damage is ongoing because ESEA advised of the hack and now has to advise on the publication of data which permits identity theft.
The article provides:
E-Sports Entertainment Association (ESEA), one of the largest competitive video gaming communities on the planet, was hacked last December. As a result, a database containing 1.5 million player profiles was compromised.
On Sunday, ESEA posted a message to Twitter, reminding players of the warning issued on December 30, 2016, three days after they were informed of the hack. Sunday’s message said the leak of player information was expected, but they’ve not confirmed if the leaked records came from their systems.
Late Saturday evening, breach notification service LeakedSource announced the addition of 1,503,707 ESEA records to their database. When asked for additional information by Salted Hash, a LeakedSource spokesperson shared the database schema, as well as sample records pulled at random from the database.
The leaked records include registration date, city, state (or province), last login, username, first and last name, bcrypt hash, email address, date of birth, zip code, phone number, website URL, Steam ID, Xbox ID, and PSN ID.
However, in all, there are more than 90 fields associated with a given player record in the ESEA database. While the passwords are safe, the other data points in the leaked records could be used to construct a number of socially-based attacks, including Phishing.
Players on Reddit have confirmed their information was discovered in the leaked data. A similar confirmation was made by Twitch’s Jimmy Whisenhunt on Twitter.
The LeakedSource spokesperson said that the ESEA hack was part of a ransom scheme, as the hacker responsible demanded $50,000 in payment. In exchange for meeting their demands, the hacker would keep silent about the ESEA hack and help the organization address the security flaw that made it possible.
In their previous notification, ESEA said they learned about the incident on December 27, but made no mention of any related extortion attempts. The organization reset passwords, multi-factor authentication tokens, and security questions as part of their recovery efforts.
Salted Hash has reached out to press contacts at ESEA, as well as those for Turtle Entertainment, the parent company listed on the ESEA website. We’ve reached out to confirm the extortion attempt claims made by the hacker, as well as the total count for players affected by the data breach.
This story will be updated as new information emerges.