E-Sports Entertainment Association, popularly known as ESEA is a well-known video gaming community. In fact, it is one of the largest of all video gaming communities across the globe. It is, therefore, not surprising that malicious cyber-criminals would look for a way to attack this particular platform. According to reports, ESEA website was hacked on 27th December 2016 and hackers managed to compromise profiles of around 1.5 million players.
The hacked records include username, first name, last name, last login date/time, registration date, city/state/province, e-mail ID, date of birth, zip code, bcrypt hash, phone number and URL address of the website. Additionally, the Steam, Xbox and PSN IDs of the players have also been part of the hacked database. The sensitivity of this database is quite evident.
It is worth noting that the ESEA registration form contains 90 fields, which actually is the entire player record of the customer. None of the information is protected except for the passwords. This means hackers can use the leaked data to carry out social engineering bases attacks such as phishing attacks.
On December 30th, the association informed its players, approx. three days after the attack actually happened, about the hack attack and subsequent data breach. The warning was posted on Twitter. However, the association didn’t announce the number of players’ profiles compromised or the nature of the attack.
This information was made public on Saturday by none other than LeakedSource, the famous breach notification service. LeakedSource stated that there has been an addition of over 1.5 million (1,503,707 to be precise) ESEA records on their database.
Can someone explain why a site with 1.5m users getting hacked (ESEA) is causing such a ruckus on the internet? 1.5m is tiny, not even top100
— News About Security (@BigSecurityNews) January 9, 2017
The spokesperson for LeakedSource shared the database sample with Salted Hash and also provided some random records from the ESEA database as a proof. Salted Hash also stated that this hack was part of a ransom plan where the hacker demanded $50,000 as ransom amount and promised to remain silent if the ESEA pays the demanded sum as well as help out the association in identifying the security flaw that encouraged the hack attack. This was surprise news because when ESEA notified its players about the data breach, it didn’t mention anything about the ransom demand.
The latest update posted by the ESEA clarifies this confusion:
“Recently news has been made that ESEA’s user data has been leaked online. We expected something like this could happen but have not confirmed this is ESEA’s data. We notified the community on December 30th, 2016 about the possibility this could happen. The type of data and storage standards was disclosed. We have been working around the clock to further fortify security and will bring our website online shortly when that next round is complete. This possible user data leak is not connected to the current service outage.”