E-Sports Entertainment Association (ESEA) has announced it has been the victim of an extortion attempt after a hacker infiltrated one of its game servers. The ESEA hacking incident resulted in the theft of 1.5 million player profiles and other user data. The hack occurred on December 27, 2016. Access was gained to an ESEA game server, data were exfiltrated, and a $100,000 ransom demand was issued by the attacker.
The hacker said that if the ransom was paid, no mention of this incident would be made and the data would not be sold on or published. Failure to pay the ransom would result in the data being published online.
Contact was made with ESEA through its bug bounty program. ESEA obtained the attacker’s email address and requested proof of data theft. ESEA was able to rapidly confirm from the supplied data that a breach had occurred.
However, ESEA has a policy of not giving in to extortion demands. While the security of customer data is taken very seriously, there was no guarantee that payment of the ransom would result in data being returned and permanently deleted by the attacker. Instead, ESEA went public.
In the days following the ESEA hacking attack, the company was able to determine the attack vector that was used and action was rapidly taken to plug the exploited vulnerability.
The data from the attack has been disclosed to LeakedSource, which has now added 1,503,707 records to its database. The stolen information included intellectual property and a range of users’ game data. Personal information stolen in the attack included usernames, registration dates, city and state, first and last names, email addresses, dates of birth, phone numbers, zip codes, Steam, Xbox, and PSN IDs, and bcrypt-hashed passwords. CSO reports that 90 different user data fields were present in a database schema supplied by LeakedSource.
The data may be used by the attacker or sold on to other parties. While the passwords are currently secured, the other data could be used in phishing attacks on players. ESEA responded to the hack by forcing a reset of users’ passwords, security questions, and multi-factor authentication tokens.
There was a prompt response to the ESEA hacking incident, with users warned of the incident within four days of the attack occurring, thus allowing them to take precautions to mitigate risk. ESEA said, “we are doing everything in our power to investigate this attack and attempted extortion and are making changes to our systems to mitigate any potential further breaches.”