Dual Data Leaks of Blur, Town of Salem Impact Millions | Threatpost | The first stop for security news

The new year has started off with the disclosure of two high-profile data breaches exposing the personal and password data of millions of people.

Popular role-playing game Town of Salem saw the email addresses and passwords of more than 7.6 million players hacked; while a separate database issue with password-manager Blur exposed personal data of approximately 2.4 million users.

While 2018 was crazy year for data breaches –  Marriott to Quora and everything in-between- these latest breaches disclosed just in the first few days of 2019 show that the pace of hacks won’t be slowing anytime soon.

“Breaches will inevitably occur all around and it is important for companies to be as transparent as possible when they happen, in order to allow researchers and reporters to do their job at communicating the downstream implications of such breaches,” Jarrod Overson, director of engineering at Shape Security, told Threatpost.

The data breach of Town of Salem –  a popular browser-based game owned by BlankMediaGames –  was first discovered on Dec. 28 when the compromised database was anonymously sent to DeHashed, a hacked database search engine.

According to DeHashed, 7,633,234 unique email addresses were exposed – the most-represented of the email providers being Gmail, Hotmail and Yahoo.com.

Also exposed were usernames, hashed passwords, IP addresses, and some payment information (including full names, billing and shipping addresses, IP information and payment amount). Credit-card numbers were not exposed.

A Town of Salem developer addressed the security incident Wednesday on the game’s online forum. According to the developer, three separate, malicious PHP files, which render HTML content for viewing in the browser, were the point of entry.

“We have found and removed three different PHP files from our web server that allowed the hacker to have a backdoor into the server,” the developer said. “Rackspace is also running a malware check on all of our servers. We believe we have stopped their ability to continue gathering data, but we are in the process of contacting security auditing firms and potentially discussing reinstalling all of our servers from scratch just to be 100 percent sure.”

The developer advised game players to change their passwords – especially if they use the same credentials on any other site. It will also change up its password-hashing approach: “We are making plans to replace PHPBB with a more secure forum such as Vanilla, and moving to a more secure hashing algorithm,” according to the developer. “Since we didn’t store plaintext passwords, we can’t easily update everyone’s hashes to a new algorithm, but we are investigating our options.”

BlankMediaGames did not respond to a request for comment from Threatpost.

Video game services are a hot target for attackers because in the gaming industry, user experience overpowers security measures, which add friction and can cost the game users, said Shape Security’s Overson.

“Combine this with the increasing value of digital goods in games like Fortnite and you have incredibly attractive targets with comparatively weak defenses,” Overson told us. “It appears that the Town of Salem’s database was hashing passwords with the PHPBB3 algorithm, which is relatively weak and presents little barrier to cracking. It should be assumed that all passwords are exposed and all users who have reused passwords should change them across all services ASAP to limit their vulnerability to the credential-stuffing attacks that will likely occur in the future.”

A separate data exposure of password-manager Blur, discovered on Dec. 13  and disclosed Dec. 31, disclosed an array of personal information for millions of users.

An spokesperson with parent company Abine told Threatpost that approximately 2.4 million users were potentially affected. The issue was a misconfigured Amazon S3 storage bucket that was being used for data processing, the spokesperson told us.

Exposed information includes unique email addresses, first and last names, password hints, user’s last and second to last IP addresses and encrypted Blur passwords for users who registered their accounts before Jan. 6, 2018.

“These encrypted passwords are encrypted and hashed before they are transmitted to our servers, and they are then encrypted using bcrypt with a unique salt for every user,” according to a security notice by Abine, the owner of Blur. “The output of this encryption process for these users was potentially exposed, not actual user passwords.”

Abine stressed there is no evidence that user’s critical data – including payment information or usernames stored in Blur – was compromised. The company also stressed that user’s should change their Blur password as well as on any other service if they’ve reused it.

“These two data breaches illustrate that no website or app is entirely immune to cyber crooks always on the alert for vulnerabilities that they can exploit,” Mike Bittner, digital security and operations manager at The Media Trust, told Threatpost. “If you have an app or a website, you are constantly under threat of an attack–getting hacked is just a matter of time. Since many attacks involve third parties who support these digital assets and have weak security measures, companies should revisit the complex web of third through nth parties they work with and take a verify-first-trust-later approach.”