9.3 Million Accounts Compromised In Epidemic Of Forum Hacks: Funcom, Epic, And More

A rash of hacks in the past two months has left the usernames, email addresses and passwords of members of at least twelve gaming forums compromised, including those of Unreal creator Epic Games and Secret World developer Funcom. Other breaches include a GTA fansite and, as previously reported, the official forums of Dota 2. All the attacks exploited a flaw in the forum software itself, which the hackers used to hoover up members’ details. And while the passwords are stored as hashes rather than in plaintext (older versions of vBulletin, the software in question, use a salted MD5 scheme), weak or common passwords in a dump like this can be cracked in minutes. In total, over 9 million user accounts have had their details stolen.

The websites affected are:

  • Funcom’s forums on TheSecretWorld.com, AgeofConan.com, Anarchy-Online.com and LongestJourney.com – 1,037,622 accounts
  • Epic Games forum and the Unreal Engine forum – 808,000 users
  • Clash of Kings official forums – 1,597,717 users
  • Dota 2’s official forums – 1,923,972 users
  • DLH.net, a PC gaming and ‘cheats’ website with a forum of trading Steam keys – 3,137,199 users
  • Gamesforum.com – 109,135 users
  • GTAgaming.com – approx 197,000 users
  • PPCGeeks.com – 490,004 users

In all, just over 9.3 million user accounts have been nabbed in these hacks, although it’s hard to tell how many of them contain information useful to the criminals involved. Some accounts are likely to be dummies, and many will have been set up for a one-off use. But this will be of little consolation to genuine members.

Many of the hacks have been discovered at different times over the past few weeks. Epic Games owned up to the breach on Monday last week, for example, while Funcom posted an announcement on Wednesday. The official Dota 2 forums were hacked on July 10, according to Leaked Source. But we didn’t learn about it until August 10. Given that the forum software in question – vBulletin – is still widely used by other games sites, there may be other victims who have yet to discover a security breach.

vBulletin is a package of forum software used by many sites, not only in gaming. The problem is that a new exploit has been discovered in the software, allowing hackers to wiggle in (that’s our technical term) and dump the member database. Not only that, but an older exploit still works against unpatched installations. In 2013, security firm Imperva found that 35,000 websites had been breached thanks to that earlier flaw. If the companies were running older versions of vBulletin, it’s possible that the same old flaw was used in the new spate of hacks.

Nevertheless, vBulletin remains a popular way for games companies to host their communities – in fact, we use it ourselves at RPS. Meanwhile Square Enix, Namco Bandai, Sega and Frontier all use the same software, as do others. This doesn’t mean those companies have been a victim of an undetected hack, nor does it mean the version they’re using is vulnerable. But we hope that they are double-checking their own systems, if they haven’t already. We called in the Nerd Squad to patch our own forums too, so hopefully there’ll be no embarrassment awaiting us.

It’s not known who is behind the hacks, nor if they are being committed by the same attacker(s). Targeting websites using vBulletin might have suddenly become en vogue among cyber criminals newly knowledgeable about the old exploit, or the attacks may have been happening for years and we are only learning about them now. What is clear is that developers and publishers still operating on the flawed versions of the forum software need to check whether they have already been a victim, update to a patched version, and consider forcing a password reset for their members.

Gaming websites are not the only targets, however. So far it seems the hackers are going after sites with particularly high member counts. Forums hosted by Mail.ru, and those of freeadvice.com and expertlaw.com, have also had their member databases leeched of personal data.

What should you do if you think you’re one of those 9 million? Check your email addresses on Leaked Source and HaveIBeenPwned.com, change your password on the affected forum, and change it anywhere else you reused it: trying leaked forum credentials against email, Steam and store accounts is the usual next step after a dump like this. You can also use a password manager like LastPass to keep your passwords long, unique and ever-changing without having to remember them all, which should be safe so long as you can remember a strong master password, turn on two-factor authentication where it’s offered, and don’t type that master password into any of the bad things.
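To make concrete why "hashed" is not the same as "safe", and why the long, generated passwords a manager produces matter, here is an added example written for this edit (not code from RPS, vBulletin or any of the breached sites) of a dictionary attack against a constructed sample of vBulletin-style password hashes. It assumes the md5(md5(password) + salt) scheme that vBulletin 3.x and 4.x used; the usernames, passwords, salts and word list are all made up here, and the PBKDF2 comparison is a hypothetical alternative for contrast, not something vBulletin shipped.

```python
import hashlib
import time

# Older vBulletin (3.x/4.x) stored each member's password as
# md5(md5(password) + salt), with the salt in plaintext next to the hash.
# Anyone holding a dump simply replays this computation for every guess.
def vb_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

# Deliberately slow alternative for comparison: PBKDF2-HMAC-SHA256 with
# 100,000 iterations. Hypothetical choice for this example only.
def slow_hash(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), 100_000
    ).hex()

# Constructed sample credentials (not real leaked data): two weak passwords
# and one long random one, each with its own short salt as vBulletin stores it.
SAMPLE_USERS = {
    "alice": ("password1", "Xk3"),
    "bob": ("Dragon123", "9qZ"),
    "carol": ("b!$8jUakRvdAe98", "mN1"),
}

# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = ["password", "dragon", "letmein", "qwerty", "football"]


def build_dump(hash_fn):
    """Return {username: (hash, salt)}, i.e. what a leaked `user` table yields."""
    return {u: (hash_fn(pw, salt), salt) for u, (pw, salt) in SAMPLE_USERS.items()}


def candidates(wordlist):
    """Tiny mangling rule set in the style of a cracker's rules file."""
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for suffix in ("1", "12", "123", "!", "2016"):
                yield base + suffix


def crack_user(target, salt, wordlist, hash_fn):
    """Return the first guess whose hash_fn(guess, salt) matches target, else None."""
    for guess in candidates(wordlist):
        if hash_fn(guess, salt) == target:
            return guess
    return None


def crack(dump, wordlist, hash_fn):
    """Dictionary attack over the whole dump.

    The per-user salt stops guesses being shared across users, but at billions
    of MD5 computations per second on one GPU that is no real obstacle; only
    the cost of each individual guess (the hash function) slows an attacker.
    """
    return {
        user: crack_user(target, salt, wordlist, hash_fn)
        for user, (target, salt) in dump.items()
    }


def seconds_per_guess(hash_fn, n=200):
    """Rough wall-clock cost of one guess for hash_fn on this machine."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn("guess%d" % i, "salt")
    return (time.perf_counter() - start) / n


if __name__ == "__main__":
    dump = build_dump(vb_hash)
    print("Recovered from vBulletin-style dump:", crack(dump, WORDLIST, vb_hash))
    fast = seconds_per_guess(vb_hash)
    slow = seconds_per_guess(slow_hash, n=20)
    print(f"md5(md5(p)+salt): {fast * 1e6:.1f} us/guess; PBKDF2-100k: "
          f"{slow * 1e3:.1f} ms/guess ({slow / fast:,.0f}x more per guess)")
```

Running it recovers alice's and bob's passwords from the MD5-style dump with a five-word list and a handful of suffix rules, while carol's long random password is never reached. Under the PBKDF2 variant the same guesses still work against the same weak passwords; the difference is purely the cost of each guess, which is why the fix is both a slower hash on the server side and a password an attacker cannot guess from a wordlist on the user's side.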

27 Comments

  1. whizzedoutwoz says:

    password = passwordabc123

    • GenialityOfEvil says:

      That’s amazing! I’ve got the same combination on my luggage.

    • Vacuity729 says:

      Damnit! Don’t post my online-banking password in an open forum! In fact, how did you find it out?

    • AskForBarry says:

      Actually, at last year’s International Data Security Conference, they discovered the world’s most secure password.
      It is: b!$8jUakRvdAe98
      You should all change to that right away.

  2. Malcolm says:

    Troy Hunt (security researcher and proprietor of HaveIBeenPwned.com) makes a strong argument against self-hosting forum software.

    Having been stung a couple of times, I always assume with forums and the like it’s a matter of when rather than if they get hacked, and choose my login details appropriately.

    • John Gooch says:

      You have the right idea. Never covers an awfully long time. I would not put any stake into a security measure that says it will never be cracked.

  3. gwathdring says:

    Well I lucked out. I play several of these games but haven’t happened to use the forums. :)

  4. hamburger_cheesedoodle says:

    Looks like no passwords were compromised on the Epic forums, unless you were in the legacy game forums and active after 2015, and those are still salted at least.

  5. zeep says:

    So what is this “Leaked Source” site? It just seems bad to go there and enter your email. So they can check if they have your info? Ffs.

  6. aircool says:

    I just don’t bother having passwords anymore. I have Robodogs!

  7. cloudnein says:

    indiegala.com has been down all day, related?

  8. John Gooch says:

    This isn’t as serious an event as it would have been 5 years ago. People have gotten very good at using password managers to generate unique passwords for each site. Another layer of security is to provide false information for things such as birthday, mother’s maiden name, unique per-site security Q&A where required, and so on. It does add management overhead, but someone who stole my information will never get into my Facebook or bank account with a name like Ludwig Von Beethoven who was born in 1900. They might get into Ludwig’s (sorry Ludwig!) but not mine. Which is the point. :)

    • Llewyn says:

      Unfortunately you and I are very much in the minority on this, Ludwig.

    • MajorLag says:

      Trust me, this is painfully untrue of most people. I’d bet good money you could break into millions of executives’ corporate email accounts if you just happen to know a significant date in their lives.

    • Ragnar says:

      Talk to anyone who’s ever worked with users in IT and you’ll get a completely different picture.

      People are lazy, most are not security savvy or mindful, and executives laugh at password policy requirements.

  9. DanMan says:

    Warframe has had accounts hacked a few months ago as well.

  10. satan says:

    Just as well I got out of the forum game years ago.

  11. Xzi says:

    Indeed one of my accounts was pwned. Thanks a lot Wildstar and Warframe. Combined playtime of probably less than half of what I’ve put into Rocket League.

    Oh well. I don’t think I used the same password with those accounts as I did for my e-mail. Changed e-mail password nonetheless, of course.

  12. kael13 says:

    Make sure you use a password generator and password storage, like Keychain, KeePass or 1Password with a very strong master password for all online accounts.

    My preferred setup is KeePass with the database kept in cloud storage and an extension to pull passwords into Chrome.

  13. Freud says:

    This is why I have junk emails I use on any big forum. I’d never mix the emails I use for important things with those.

  14. Thurgret says:

    Someone stole my Rockstar Games account about six weeks ago, despite the fact that I’d never used it for a forum thing, and hadn’t used it in over a year. Got it back though. And two days ago, I got a password reset request on a spare Origin account I have (I have two, and cannot recall why. The second has barely anything on it).

  15. geldonyetich says:

    Probably the best protection I have against these hacks is just how successful the hackers have been: unless they singled me out, it would take them a long, long time to ever get around to hijacking my account. Not that I have anything of particular value on a vBulletin board anyway.

    Most likely outcome of this hack: they’ll try to sell it to marketers and spam bot farms. Marketers already know everything they can about me from previous breaches, and spam bot farms don’t worry me much when they’ll get my account banned on sites I never visit anymore.

  16. Jalan says:

    Having formerly policed a few forums in the past, I began to notice a pattern among the spam registrations. While no longer having access to do actual numbers assessments, a general guess would be that over 85% of them used mail domains like .ru, or yandex and so on. Toward the end, right before I hung up the hat, Gmail was becoming more and more popular and widely used for crap registration as well.

    Even the junk that skips through onto the comment sections here is miles ahead of the bizarre word vomit that it originally was. Almost makes me miss the days when there was some humor in spotting it, where an account would be set up and make a post that seemed innocuous at first, only to then reply to its own thread to advertise something fifteen different times.

  17. lomaxgnome says:

    So, does anyone have a source for this story other than LeakedSource.com? Because dlh.net is denying it, and HaveIBeenPwned.com doesn’t seem to have the data from it, and yet somehow this other site does? This other site that just happens to want you to pay as soon as you put in your email to see what “real info” they have? The whole thing is very fishy honestly.