Feeds

Months later, Gamigo hacker takes dozy dump, exposes 8 million

Slow post-breach leak for login credentials file

The Power of One eBook: Top reasons to choose HP BladeSystem

More than eight million email addresses, usernames and password hashes from German gaming website Gamigo have been dumped online, months after the site was hacked.

A 500MB file containing 8.2 million Gamigo user login credentials was uploaded and publicised via a post to password-cracking forum Inside Pro, according to the data breach alert service PwnedList. The file was pulled last week but the damage may already have been done.

The gaming site has been around since 2001, and focuses on free-to-play massively multiplayer online role-playing games, offering about 20 games which are published all across Europe and "since 2010, also in North America", according to its website. Some of its more popular titles include the Civilization-esque Cultures Online and battle epic Last Chaos.

Tim “TK” Keanini, chief technology officer at network security firm nCircle and avid online gamer, said Gamigo made the mistake of using a weak encryption algorithm, leaving password open to brute force attacks.

“Gamigo is the new poster child for bad password security for two reasons: this is largest leak this year in terms of number of hashes, and they used MD5 Digest, a very weak encryption algorithm," Keanini said. "MD5 has been known to be ineffective since 1996. There’s no excuse for using encryption this weak; it’s just bad security.

"For all practical purposes, MD5 is almost as bad as storing passwords in clear text. Given rainbow tables and other crypto-analysis techniques, breaking this encryption is child’s play. This should never be an option for password encryption," he added.

Gamigo, which is owned by German publishing firm Axel Springer AG, applied a password reset after it told users about a password security breach that took place in late February. The danger remains that since the weak password hashes were exposed, many users are likely to have used their Gamigo password credentials on other more sensitive websites, such as webmail or e-banking.

The spilled data included 3 million US accounts, 2.4 million German accounts, and 1.3 million French accounts. Although the hacker who uploaded the password data claimed to have credentials from 11 million user accounts, the list contained a substantial proportion of duplicate email addresses, so 8.2 million is a more accurate figure, Forbes reports.

It's unclear why the person who uploaded the list waited so long to spill the goodies after the original breach. It may be that the hacker and the dumper are two different individuals, and the dumper only recently came into possession of the leaked data, but this is only one of several possible explanations.

The original breach was pulled off by a hacker using the moniker 8in4ry_Munch3r, while the notice of the upload was posted to Inside Pro by "-=lebed=-", Zdnet's ZeroDay blog notes.

The security snafu joins the growing list of password security breaches this year from organisations including LinkedIn, eHarmony, Last.fm, Yahoo! Voices, Formspring, and Nvidia, among many others. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.