Feeds

Months later, Gamigo hacker takes dozy dump, exposes 8 million

Slow post-breach leak for login credentials file

Security for virtualized datacentres

More than eight million email addresses, usernames and password hashes from German gaming website Gamigo have been dumped online, months after the site was hacked.

A 500MB file containing 8.2 million Gamigo user login credentials was uploaded and publicised via a post to password-cracking forum Inside Pro, according to the data breach alert service PwnedList. The file was pulled last week but the damage may already have been done.

The gaming site has been around since 2001, and focuses on free-to-play massively multiplayer online role-playing games, offering about 20 games which are published all across Europe and "since 2010, also in North America", according to its website. Some of its more popular titles include the Civilization-esque Cultures Online and battle epic Last Chaos.

Tim “TK” Keanini, chief technology officer at network security firm nCircle and avid online gamer, said Gamigo made the mistake of using a weak encryption algorithm, leaving password open to brute force attacks.

“Gamigo is the new poster child for bad password security for two reasons: this is largest leak this year in terms of number of hashes, and they used MD5 Digest, a very weak encryption algorithm," Keanini said. "MD5 has been known to be ineffective since 1996. There’s no excuse for using encryption this weak; it’s just bad security.

"For all practical purposes, MD5 is almost as bad as storing passwords in clear text. Given rainbow tables and other crypto-analysis techniques, breaking this encryption is child’s play. This should never be an option for password encryption," he added.

Gamigo, which is owned by German publishing firm Axel Springer AG, applied a password reset after it told users about a password security breach that took place in late February. The danger remains that since the weak password hashes were exposed, many users are likely to have used their Gamigo password credentials on other more sensitive websites, such as webmail or e-banking.

The spilled data included 3 million US accounts, 2.4 million German accounts, and 1.3 million French accounts. Although the hacker who uploaded the password data claimed to have credentials from 11 million user accounts, the list contained a substantial proportion of duplicate email addresses, so 8.2 million is a more accurate figure, Forbes reports.

It's unclear why the person who uploaded the list waited so long to spill the goodies after the original breach. It may be that the hacker and the dumper are two different individuals, and the dumper only recently came into possession of the leaked data, but this is only one of several possible explanations.

The original breach was pulled off by a hacker using the moniker 8in4ry_Munch3r, while the notice of the upload was posted to Inside Pro by "-=lebed=-", Zdnet's ZeroDay blog notes.

The security snafu joins the growing list of password security breaches this year from organisations including LinkedIn, eHarmony, Last.fm, Yahoo! Voices, Formspring, and Nvidia, among many others. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.