More than 1.5 million usernames and passwords from popular competitive gaming community ESEA have leaked online following an attempted ransom by a hacker who managed to steal the data from the website.
According to a statement from ESEA, leaked account information includes usernames, email addresses, passwords, security question answers and forum posts. It also, more troublingly, includes private and personally identifying information like private messages, IP addresses and phone numbers.
The situation started late last year, when ESEA was contacted by a hacker claiming they had obtained access to the site’s user data. The message came via the site’s bug bounty program, which offers a reward in exchange for reported bugs.
While ESEA offers compensation in the form of points or money, the hacker demanded a payment of $100,000 and threatened to release the user information if the ransom wasn’t met.
According to an account provided by ESEA, the service remained in touch with the hacker as it patched the vulnerability that led to the exploit. Community members received notification to change their passwords on Dec. 30, 2016—three days after the initial contact was made by the hacker.
The hacker once again breached the service on Jan. 7, managing to modify the karma levels of players—a system that allows community feedback—to -1337. Intellectual property belonging to ESEA that was hosted on the server may have also been accessed, but no additional user information was implicated in the second incident.
User information from the hack found its way to LeakedSource, a massive searchable database of hacked accounts. While the hacker threatened to sell the data stolen from ESEA, LeakedSource confirmed to IBTimes that it didn’t pay for the data.
“We didn't and don't pay for any data. In exactly every single case where someone has asked us to pay for data, we got it for free shortly after from other sources,” a representative for LeakedSource said. “Data spreads really fast regardless.”
ESEA said the passwords stored on its server are encrypted and “hashed,” meaning the passwords were converted to unreadable strings of characters designed to be impossible to convert back into plain text. Security question answers were likewise hashed.
LeakedSource confirmed this, stating the passwords were protected by six rounds of bcrypt, a popular and trusted security algorithm that hashes information.
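The defender-side question raised by the "six rounds of bcrypt" detail is whether a stored hash's cost parameter is high enough. The following is an added example, not code from the article, ESEA or LeakedSource: it parses the bcrypt hash format to read the cost field and flags weak entries, assuming that "six rounds" refers to bcrypt's cost parameter (cost 6 means 2^6 key-expansion rounds); the hash strings are constructed for illustration and are not real leaked data.

```python
import re

# Constructed sample hashes: the salt/digest characters are made up for
# illustration and are NOT real ESEA hashes; only the prefix/cost layout
# matches the bcrypt format.
SAMPLE_HASHES = [
    "$2a$06$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2y$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "5f4dcc3b5aa765d61d8327deb882cf99",  # unsalted MD5-style digest, not bcrypt
]

# bcrypt modular-crypt format: $<2a|2b|2y>$<2-digit cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

def parse_bcrypt(hash_str):
    """Return (variant, cost, rounds) for a bcrypt hash, or None if not bcrypt."""
    m = _BCRYPT_RE.match(hash_str)
    if m is None:
        return None
    variant, cost = m.group(1), int(m.group(2))
    # bcrypt's cost is the log2 of the number of key-expansion rounds,
    # so each +1 doubles the work spent per password guess.
    return variant, cost, 2 ** cost

def audit_hashes(hashes, min_cost=10):
    """Classify stored hashes: non-bcrypt and below-threshold cost are flagged."""
    report = {"ok": [], "weak_cost": [], "not_bcrypt": []}
    for h in hashes:
        parsed = parse_bcrypt(h)
        if parsed is None:
            report["not_bcrypt"].append(h)
        elif parsed[1] < min_cost:
            report["weak_cost"].append((h, parsed[1]))
        else:
            report["ok"].append((h, parsed[1]))
    return report

def relative_work(cost_a, cost_b):
    """How many times more work per guess cost_b demands than cost_a."""
    return 2 ** (cost_b - cost_a)

if __name__ == "__main__":
    rep = audit_hashes(SAMPLE_HASHES)
    for h, c in rep["weak_cost"]:
        print(f"weak cost {c:2d} ({2 ** c} rounds): {h[:7]}...")
    print(f"cost 12 vs cost 6: {relative_work(6, 12)}x more work per guess")
```

The minimum cost of 10 is an assumed policy threshold; raise it to whatever your login latency budget allows, since a migration can rehash each user's password at the higher cost on their next successful login.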
However, given the amount of information stolen in the hack, it may still be possible for users to have their accounts compromised, either through brute force or social engineering. Former Counter-Strike: Global Offensive player Chad Burchill—known by his gamer moniker Spunj—reported his account was compromised following the release of the information.
Users with ESEA are encouraged to change their password to ensure their account isn’t compromised. Those who think their account may have been a part of the ESEA hack—or a number of other previous, high-profile data leaks—can check on LeakedSource whether the username or email address associated with their ESEA account appears in the leaked data.