Albion Online, a free medieval fantasy massively multiplayer online role-playing game, has suffered a data breach.

The site and game were established in 2017 and has a user base of about 2.36 million players. The data breach allegedly occurred not in the game itself but the game’s forum.

Albion Online uses forum software called WoltLab Suite. WoltLab is an evolved variant of the MyBB forum software, which has been notorious over the years for how easy it is to hack.

“The intruder was able to access forum user profiles, which include the email addresses connected to those forum accounts,” Sandbox Interactive GmbH, the company behind Albion Online said in a forum post Saturday. “On top of that, the attacker gained access to encrypted passwords… these can NOT be used to log in to Albion Online, the website or the forum, nor can they be used to learn the passwords themselves. However, there is a small possibility they could be used to identify accounts with particularly weak passwords.”

The post warns that users who reuse their emails and passwords for both the game and forum should change their password as a precaution.

Officially Albion Online says that only its forum was breached, but there is some suggestion that the hack may have involved the game as well. According to security research Alon Gal, the hacker is claiming to have gained access to the main game’s database and other databases that contain sensitive information.

Threat actor claims he hacked Albion Online, a large MMORPG with over 180,000 daily players.

The actor is claiming he has access to the main game's database, the payment database, and other databases containing sensitive information. pic.twitter.com/M8Qk3pI2rK

— Alon Gal (Under the Breach) (@UnderTheBreach) October 17, 2020

“The breach of Albion Online’s forum, including email addresses and hashed passwords, puts hundreds of thousands of users at risk of being victimized for fraud,” Robert Prigge, chief executive officer of identity verification company Jumio Corp., told SiliconANGLE. “As hashed passwords can be easily deciphered, cybercriminals can leverage bots and credential stuffing to try these login credentials across countless websites (including banking portals, social media accounts, healthcare sites and more) in search of an opening.”

Saryu Nayyar, CEO of security and analytics firm Gurucul Solutions Pvt Ltd A.G., noted that attacks against web forums are nothing new. “While forum attacks may lead to more serious consequences, the data acquired is often limited to email address, forum User I and password hash for the affected users,” she said. “That appears to be the case here with the Albion Online breach. Unfortunately, the attackers may be able to leverage their stolen data to engage in email-based Cast Netting or Spear Phishing attacks against Albion’s user base, even if they gained nothing else of value.”

Image: Albion Online