Information from a recent breach of a competitive video gaming community surfaced online over the weekend.
Data purportedly belonging to 1.5 million members of video gaming community ESEA, the E-Sports Entertainment Association League, was added to LeakedSource’s list of “Hacked Sites” on Saturday. According to the site, a repository of breached data, it has information on 1,503,707 users of the ESEA site.
Esea (dot) net was hacked recently, all user data has been leaked online today.
— News About Security (@BigSecurityNews) January 8, 2017
ESEA said on Twitter Sunday that while it hadn’t confirmed the data leaked online belonged to its users, it “expected something like this could happen.”
ESEA Outage and Security Update
— ESEA (@ESEA) January 8, 2017
“We notified the community on December 30th, 2016 about the possibility this could happen,” ESEA said. “The type of data and storage standards was disclosed. We have been working around the clock to further fortify security and will bring our website online shortly when that next round is complete. This possible user data leak is not connected to the current service outage.”
In a blog post, published Dec. 30, Craig Levine, E-Sports Entertainment co-founder, said ESEA became aware of a security breach on Dec. 27. Levine couldn’t confirm it at the time, but said there was a possibility that a variety of user data might have been taken including usernames, emails, private messages, IP addresses, mobile phone numbers, any forum posts they published, hashed passwords and hashed secret question answers.
Levine said that only the phone numbers of users who set their accounts up to receive SMS messages were likely taken. He added that account passwords were hashed with the password hashing function bcrypt. Levine said the company doesn’t store payment information, so user credit card data wasn’t compromised by the incident.
In the wake of the hack, the community claims it forced a password reset, multi-factor authentication reset, and a security question reset for all accounts. At the end of December, ESEA said it was investigating the incident and trying to determine what exactly had been taken.
It’s unclear what the company’s investigation has turned up over the past week, though. On Twitter, ESEA directed users on Monday to the community’s Dec. 30 memo. Neither ESEA nor Turtle Entertainment Online, an entertainment conglomerate based in Germany that owns the community, responded to requests for comment on Monday.
Can someone explain why a site with 1.5m users getting hacked (ESEA) is causing such a ruckus on the internet? 1.5m is tiny, not even top100
— News About Security (@BigSecurityNews) January 9, 2017
A breach of 1.5 million users is relatively small potatoes, especially in the wake of Yahoo’s disclosure last month that data from one billion accounts was stolen, but the news has still gotten the attention of ESEA’s fervent following.
@ESEA sad attempt to cover your own asses instead of offering transparency and an apology for this second breach – seriously pathetic
— trig (@trig8787) January 8, 2017
@ESEA Hopefully your password encryption is as good as your anticheat!
— ★ 404 (@MegaShenster) January 8, 2017
The service, which bills its software as being anti-cheat proof, counts many active users of the multiplayer first-person shooter video game Counter-Strike among its subscribers. News of the hack also came as ESEA was winding down a publicized competition it was running with Mountain Dew and ESL dubbed League Champions.
It’s not the first time that the ESEA has run into an issue with its security. In November 2013 it settled with the state of New Jersey after the attorney general there claimed the community was infecting users’ machines with malware to mine Bitcoin. ESEA reportedly mined $3,500 in Bitcoin from more than 14,000 machines. ESEA disagreed with the charge but agreed to pay the state $325,000 of the $1 million penalty.