Wuh Oh: PlaySpan Got Hacked, World Of Tanks Affected

Tanks: like aggessive safes

You’re familiar with the routine by now. If you’ve got a World Of Tanks account and bought anything, to be sure change your password, and any passwords associated with it. And if you’re still not using unique passwords per account, go change all the others too. PlaySpan, the software World Of Tanks uses for financial transactions in WoT and a thousand other games, has been compromised, with two million account details put online. That’s usernames, email addresses, and encrypted passwords. Credit card details are believed not to have been accessed, but obviously keep an eye on your bills.

Of the two million leaked accounts, PlaySpan told Polygon that 117,000 of them are active. But it means that anyone who’s used the system in any game needs to go make sure they’ve cleared up after this. There’s some confusion about exactly which portion of PlaySpan was compromised, and what exactly has been effected, but just be on the safe side.

Wargaming.net, they behind World Of Tanks, issued a statement explaining that the PlaySpan Marketplace is separate from the VISA PlaySpan payment system, and it was only the former that was hacked. But they also make it clear that their own servers were not compromised in any way.

Currently PlaySpan have shut down their marketplace, and all accounts have been locked, to ensure no further naughty business can take place. That’ll likely be the case until they’ve figured out how it happened to ensure it can’t again.

Apparently a few other sites initially reported that EVE, Runescape and Guild Wars 2 were affected by the breach, but it has been made clear this isn’t the case.


  1. Duckee says:

    So that is how someone in the Wuhan province in China tried to access my Guildwars 2 account the other day. Bastards.

  2. Davee says:

    But from what I can gather; only having used the PlaySpan payment system through other games (like APB or WoT) one is not necessarily registered on the affected site (‘Marketplace’) and thus not in jeopardy? Then what is the ‘Marketplace’ used for?

    • Mattressi says:

      Yep, from what I’ve read, most people who’ve bought WoT gold probably don’t have to worry – it’s only those who specifically created a Playspan account (which is not necessary to buy WoT gold). I never used the Marketplace, so I’ve got no idea what it’s for.

  3. Koozer says:

    I have no idea what this marketplace thing is, but I’ve changed passwords anyway. I liked that password :(

  4. ElvisMZ says:

    Use Lastpass everyone!

  5. 1Life0Continues says:

    I use KeePass with the optional KeeFox plugin. Little bit fiddly, but I feel a bit safer having my password database encrypted and secured locally rather than online, with a backup database on a USB key, updated weekly.

    • frightlever says:

      I use those but keep the Keepass database in a Dropbox folder – yes yes I know, but the database is protected with a long nonsense passphrase. Some passwords for banks etc are only kept in my head.

      • 1Life0Continues says:

        I like the extra layer/s of security. My database is protected with a random file on my computer and a passphrase, so the database can’t be compromised even if you get a hold of it.

        So that makes it a little safer to store online, I guess I just like to serve my paranoia about it and prefer not to.

        But KeePass is fantastic. And free and Open Source too, which is a big bonus.

    • SominiTheCommenter says:

      I used this setup too, and sync the password file to SpiderOak, which encrypts the info before uploading to the cloud. Paranoia doesn’t hurt me when it comes to security.

  6. VeliV says:

    Correct me if I am wrong but doesn’t this mean that only if you registered to playspan, you are affected? That’s the usernames, email addresses, and encrypted passwords of playspan marketplace, not WoT.

    • Deadfast says:

      Correct. Unless you used PlaySpan to pay for WoT stuff (or any other stuff) the hack does not affect you.

  7. plugmonkey says:

    In other news, the Version 8 update with the new physics appears to have gone live without me noticing.

    Downloading it now.

  8. Dozer says:

    Obligatory video.

    link to youtube.com

  9. 4th Dimension says:

    If you are a WOT player and haven’t ever registred at PlaySpan you are safe. Official response: link to forum.worldoftanks.eu

  10. Gundato says:

    As I always say:

    Go download and start using Keepass
    Go use an online backup service like Spideroak

    The former creates an encrypted file where you can store all your passwords. The latter encrypts the files and stores them in the magic cloud.

    • Gurrah says:

      Care to explain the process? I don’t understand how saving an entire database full of your passwords, albeit encrypted, on a cloud-server is helping security. Sure the cloud-provider tells you it’s all safe and dandy, but that’s what all the companies that have been hacked in the last couple of months told us as well. Wouldn’t it be better to store it on a USB device? I’m genuinely interested here, because it’s getting more and more difficult to come up with new passwords that are safe and at the same time easy to remember.

      • Zunt says:

        Well I use LastPass, but the principle is the same (cloud storage).

        You get an extension that sits in Chrome, Firefox, etc, that handles all the normal detecting webpages that are asking for usernames and passwords, and filling them in. This stores all your password details in an encrypted file on your local device, and you need a (preferably huge) passphrase to get at it. It’s the encrypted file that’s uploaded to the cloud so it’s available to your other computers, phones, etc. All the cloud storage people ever see is that file which is usually encrypted with a military grade cipher (e.g. AES).

        I started using LastPass about a month ago and am finding it very useful. Features such as having it (locally) rootle through your passwords to find duplicates is extremely useful.

      • SominiTheCommenter says:

        That’s because SpiderOak store its files encrypted, and only you have the key, so if they are hacked and files are obtained, the hacker still doesn’t have the key to decrypt the file neither the key to enter the Password file. It’s two layer of encryption.

  11. oddshrub says:

    This is the lamest headline ever.

    I mean world of tanks wasn’t anymore affected than your gmail, your hellokittyonline account or whereever else you used your exact playspan login information.

    But thanks for scaring me over absolutely nothing.

    • Mattressi says:

      You should see PC Gamer’s headline then! “World of Tanks market system hacked, account details leaked online”. I saw that headline and freaked out. At least RPS acknowledge that it was Playspan and that World of Tanks was simply affected (it would probably be too big a headline to say “World of Tanks affected in some cases” or, the more accurate, “World of Tanks has warned players in a statement, saying that some people who play World of Tanks may have been affected if they chose to make a Playspan account”). PC Gamer, on the other hand, make no mention of a third party and clearly state that it is WoT’s market system (when it is Playspan’s entirely separate market system) which was affected.

  12. Josh W says:

    World of Tanks does financial transactions in other games? And I thought eve would be the first game to start a tentacled shadow economy.

  13. Hathore says:

    We’d like to clarify this situation. The Wargaming payment services have not been compromised in any way. Playspan Marketplace (which is a service we don’t utilize) emails and encrypted passwords were compromised. For more information, please visit this link: link to worldoftanks.com