About four months ago free-to-play publisher and gaming site Gamigo warned users about a potential hacker breach of its databases, and last week that warning came to fruition: over 8 million usernames, e-mail addresses, and encrypted passwords from that hack have been published to the web. Forbes contacted the data breach alert service PwnedList about the leak and learned that the data in total weighs in at about half a gigabyte and was posted to the password-cracking forum Inside Pro earlier this month.
According to PwnedList founder Steve Thomas, the file was uploaded to the forums earlier this month and was removed sometime last week. This means that numerous users of Gamigo’s free-to-play gaming service now have their user information exposed to potential hackers. The passwords were encrypted, but given enough time and computing effort (and simple enough passwords), those hashes will be cracked and the plaintext passwords revealed to interested parties.
Gamigo users can check on PwnedList’s site whether their email address is included in the leak.
Gamigo, a free gaming site owned by German publishing firm Axel Springer AG, forced all users to change their passwords after it announced it had been hacked in March of this year, so the exposed passwords likely won’t give anyone access to user accounts on Gamigo.com itself. But given that users very often re-use passwords between sites, the breached passwords could offer access to more sensitive accounts on email or banking sites. Anyone who has had an account with Gamigo prior to its March breach should be sure to change their passwords on any accounts where they used the same credentials as on Gamigo.com.
According to PwnedList’s analysis, the spilled data includes 3 million American accounts including Hotmail, Gmail, and Yahoo! mail addresses, 2.4 million German accounts, and 1.3 million French accounts. The company found dozens of email addresses from corporations including IBM, Allianz, Siemens, Deutsche Bank, and ExxonMobil.
As always with these sorts of breaches the mantra is the same: change your password immediately, do not use the same password across multiple services, and be certain to rotate your passwords on a regular basis (yearly should be enough for most people).
Gamigo responds to news of the leak with a statement
Data taken from the accounts in the leak shows strong evidence that it came from Gamigo’s servers. The gaming company has released a statement that this is probably a leak from the March breach of its servers and does not appear to contain any additional data; users who changed their passwords after the warning was issued in March should be safe.
“All necessary measures to minimize the impact of the attack were initiated immediately at that time,” the statement continues. “This included notification of all affected users, resetting of passwords, taking the hacked database offline, a thorough review of the company’s IT security policies, removal of a portion of the company’s offerings from the Internet, notification of the relevant civil authorities and a clarification of the ensuing legal questions.”
And Gamigo signs off with the usual good advice, “The republication of the stolen data serves as a strong reminder of the need for vigilance and ongoing critical review of our procedures and policies.”
To those who might have been affected, check your passwords, change them, and keep your online presence sanitary. Breaches will happen, leaks will spill, and in the end you’ll come out on top as long as you practice safe passwording.