A rash of hacks in the past two months has left the usernames, emails and passwords from at least twelve gaming forums compromised, including those of Unreal creator Epic Games and Secret World developer Funcom. Other breaches include a GTA fansite and, as previously reported, the official forums of Dota 2. All the attacks involved an exploit in the forum's software, which the hackers used to hoover up details of members. And while the passwords are encrypted, they can often be easily cracked. In total, over 9 million user accounts have had their details stolen.
The websites affected are:
- Funcom’s forums on TheSecretWorld.com, AgeofConan.com, Anarchy-Online.com and LongestJourney.com – 1,037,622 accounts
- Epic Games forum and the Unreal Engine forum - 808,000 users
- Clash of Kings official forums – 1,597,717 users
- Dota 2’s official forums – 1,923,972 users
- DLH.net, a PC gaming and ‘cheats’ website with a forum of trading Steam keys – 3,137,199 users
- Gamesforum.com – 109,135 users
- GTAgaming.com – approx 197,000 users
- PPCGeeks.com – 490,004 users
In all, just over 9.3 million user accounts have been nabbed in these hacks, although it’s hard to tell how many of these accounts contain useful information to the criminals involved. Some accounts are likely to be dummies, and many will be set up for a one-off use. But this will be of little consolation to genuine members.
Many of the hacks have been discovered at different times over the past few weeks. Epic Games owned up to the breach on Monday last week, for example, while Funcom posted an announcement on Wednesday. The official Dota 2 forums were hacked on July 10, according to Leaked Source. But we didn’t learn about it until August 10. Given that the forum software in question - vBulletin - is still widely used by other games sites, there may be other victims who have yet to discover a security breach.
vBulletin is a package of forum software used by many sites, not only in gaming. The problem is that a new exploit has been discovered in the software, allowing hackers to wiggle in (that's our technical term). Not only that but another exploit still exists on older, unpatched versions of the forums. In 2013, security firm Imperva found that 35,000 websites had been breached thanks to this software flaw. If the companies were using older versions of vBulletin, it’s possible that this same flaw was used in the new spate of hacks.
Nevertheless, vBulletin remains a popular way for games companies to host their communities – in fact, we use it ourselves at RPS. Meanwhile Square Enix, Namco Bandai, Sega and Frontier all use the same software, as do others. This doesn’t mean those companies have been a victim of an undetected hack, nor does it mean the version they're using is vulnerable. But we hope that they are double-checking their own systems, if they haven't already. We called in the Nerd Squad to patch our own forums too, so hopefully there'll be no embarrassment awaiting us.
It’s not known who is behind the hacks, nor if they are being committed by the same attacker(s). Targeting websites using vBulletin might have suddenly become en vogue among cyber criminals newly knowledgeable about the old exploit, or they may have been happening for years and we are only learning about it now. What is clear is that developers and publishers who are still operating on the flawed versions of the forum software need to give themselves a health check to see if they have been a victim, while also patching any vulnerabilities out.
Gaming websites are not the only targets, however. So far it seems like the hackers are going after sites with particularly high member counts. Other sites hosted by Mail.ru, such as freeadvice.com and expertlaw.com, have also had their forums leeched of personal data.
What should you do if you think you’re one of those 9 million? Check your email addresses by typing them into Leaked Source and HaveIBeenPwned.com, and change your passwords. You can also use a password manager like LastPass to keep your passwords complex and ever-changing without having to remember them all, which should be safe so long as you can remember a strong master password and don’t click on any of the bad things.