The records of over 1.5 million users of the E-Sports Entertainment Association (ESEA), one of the world’s largest competitive gaming communities, have been leaked.
The leak follows an initial threat made on December 27, in which the perpetrator approached ESEA via its bug bounty program to reveal that he had obtained users’ data, which he threatened to publish or sell if he did not receive a payment of $100,000. ESEA was able to verify that the information was legitimate, but chose not to pay the ransom.
“We do not give in to ransom demands and paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data,” an ESEA spokesperson said in a statement. “The most responsible course of action was to share the incident with the authorities and our community so each individual could take steps to secure their accounts. At the same time, we have worked around the clock to isolate the attack vector, patch the vulnerability and further upgrade our security program.”
The statement claims that the attack vector was identified by the next day, and within the next few days the vulnerability had been patched and additional security improvements had been made. The site implemented a required password reset for users, and users and authorities were notified of the breach on December 30.
The threat actor remained in contact and continued to make demands, and later in the week was able to gain access to a game server and change users’ ‘karma’ scores (a feedback/ratings system) to ‘-1337’. He also used this exploit to steal several pieces of intellectual property from the server. However, ESEA assured users that he was not able to view, modify or exfiltrate any personal information.
Following several additional security upgrades carried out over the next few days, the hacker finally followed through on his threat and uploaded the stolen user data to LeakedSource.
The stolen data included usernames, email addresses, hashed passwords, hashed security question answers, and forum posts, as well as some private messages, IP addresses and phone numbers.
ESEA stressed that the passwords, which were hashed using bcrypt, should be difficult or impossible to crack, though former pro gamer “Spunj” Burchill tweeted: “they must have gotten the passwords from that ESEA hack as my password has been changed :)”
It’s unclear whether this reflects a lucky guess, a combination of information gained through phishing and/or other leaks, or whether the hacker (or a different threat actor) was able to crack the hashed passwords. However, there have so far been no widespread reports of account takeovers in the wake of the incident, so it is possible that Burchill’s case was an isolated one.
ESEA recommended that users who have not already done so make sure that any password or security answer which may have been leaked (hashed or not) is not also in use on other websites, and advised them to be alert to phishing schemes and to fraudulent use of their accounts and details.