Feeds

Months later, Gamigo hacker takes dozy dump, exposes 8 million

Slow post-breach leak for login credentials file

Choosing a cloud hosting partner with confidence

More than eight million email addresses, usernames and password hashes from German gaming website Gamigo have been dumped online, months after the site was hacked.

A 500MB file containing 8.2 million Gamigo user login credentials was uploaded and publicised via a post to password-cracking forum Inside Pro, according to the data breach alert service PwnedList. The file was pulled last week but the damage may already have been done.

The gaming site has been around since 2001, and focuses on free-to-play massively multiplayer online role-playing games, offering about 20 games which are published all across Europe and "since 2010, also in North America", according to its website. Some of its more popular titles include the Civilization-esque Cultures Online and battle epic Last Chaos.

Tim “TK” Keanini, chief technology officer at network security firm nCircle and avid online gamer, said Gamigo made the mistake of using a weak encryption algorithm, leaving password open to brute force attacks.

“Gamigo is the new poster child for bad password security for two reasons: this is largest leak this year in terms of number of hashes, and they used MD5 Digest, a very weak encryption algorithm," Keanini said. "MD5 has been known to be ineffective since 1996. There’s no excuse for using encryption this weak; it’s just bad security.

"For all practical purposes, MD5 is almost as bad as storing passwords in clear text. Given rainbow tables and other crypto-analysis techniques, breaking this encryption is child’s play. This should never be an option for password encryption," he added.

Gamigo, which is owned by German publishing firm Axel Springer AG, applied a password reset after it told users about a password security breach that took place in late February. The danger remains that since the weak password hashes were exposed, many users are likely to have used their Gamigo password credentials on other more sensitive websites, such as webmail or e-banking.

The spilled data included 3 million US accounts, 2.4 million German accounts, and 1.3 million French accounts. Although the hacker who uploaded the password data claimed to have credentials from 11 million user accounts, the list contained a substantial proportion of duplicate email addresses, so 8.2 million is a more accurate figure, Forbes reports.

It's unclear why the person who uploaded the list waited so long to spill the goodies after the original breach. It may be that the hacker and the dumper are two different individuals, and the dumper only recently came into possession of the leaked data, but this is only one of several possible explanations.

The original breach was pulled off by a hacker using the moniker 8in4ry_Munch3r, while the notice of the upload was posted to Inside Pro by "-=lebed=-", Zdnet's ZeroDay blog notes.

The security snafu joins the growing list of password security breaches this year from organisations including LinkedIn, eHarmony, Last.fm, Yahoo! Voices, Formspring, and Nvidia, among many others. ®

Choosing a cloud hosting partner with confidence

Whitepapers

Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.