Gamers are soft targets for credential-thieving hackers who see them as young, naive and playing it fast and loose with security.
“A 14-year-old kid’s gaming credentials are worth more than you think,” said Mike Wilson, CTO at Enzoic. He said credentials tied to Fortnite, Minecraft and RuneScape are particularly prime targets right now, earning a hacker as much as $40 per active username and password.
“These kids are more interested in the next challenge or high score, not their security,” he added in an interview with Threatpost.
A March report from Akamai revealed the gaming industry remains a juicy target for security breaches. Hackers have carried out 12 billion credential stuffing attacks against gaming websites since November 2017, according to the study.
Enzoic, which specializes in credential protection, said it sees more lists of compromised gaming credentials than any other industry. That’s because the credentials are easy to come by and, thanks to sloppy security practices such as password reuse, typically work across multiple services.
Wilson doesn’t just place the blame on young gamers. He notes the gaming companies themselves, fan forums and grassroots gaming sites are huge contributing factors as well.
Popular gaming communities built on DIY platforms such as vBulletin, IPBoard, MyBB, PHPBB and PunBB are often ripe for SQL injection attacks, for instance. “A lot of these sites are running outdated software and are poorly maintained. Hardly any have the latest patches,” Wilson said.
He said 83 percent of the gaming-related compromised credentials in Enzoic’s database are in cleartext or have a weak, easily cracked hashing algorithm. According to breach database directory Vigilante, the most recent gaming forums compromised are ArmorGames.com, SurviveTheARK.com and HBGames.com – representing a combined 11.4 million credentials.
Enzoic said gaming sites themselves bear some of the responsibility. “Currently, gaming companies use low-friction authentication measures because increasing friction drives customer attrition and decreased revenue,” Wilson told Threatpost in an interview.
Wilson said he knows of large gaming companies that are well aware their users’ credentials have been compromised in the past, yet refuse to force password resets or to bother users with verification requirements such as validating an account with a credit card’s card verification value (CVV) number.
“It surprises me that [gaming sites] make a calculation where they know their users’ credentials are compromised, yet they still don’t require a password reset,” Wilson said. “The calculation is, if they make it harder for people to log into their accounts, then they won’t. And that’s not good for their business.”
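One way a site can keep login friction low for ordinary players while still catching the credential stuffing described above is to look at the shape of failed-login traffic server-side. The following is an added example (not code from Threatpost or Enzoic) over constructed, hypothetical log lines: a source that tries many different usernames, mostly once each, with a low success rate is flagged, and any account that succeeded during that run is listed as a candidate for the forced password reset Wilson argues for.

```python
import re
from collections import defaultdict

# Constructed sample of web-server auth log lines (hypothetical, not from the article).
# 203.0.113.7 replays leaked username/password pairs; 198.51.100.4 is a user retrying.
SAMPLE_LOG = """\
2019-04-02T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-04-02T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-04-02T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2019-04-02T10:00:03Z ip=203.0.113.7 user=dave result=OK
2019-04-02T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2019-04-02T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2019-04-02T10:00:05Z ip=198.51.100.4 user=alice result=FAIL
2019-04-02T10:00:09Z ip=198.51.100.4 user=alice result=FAIL
2019-04-02T10:00:15Z ip=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse_log(text):
    """Yield (ip, user, succeeded) tuples; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"

def find_stuffing_sources(text, min_attempts=5, min_distinct_ratio=0.8):
    """Return {ip: stats} for sources whose login traffic looks like credential stuffing.

    A stuffing run cycles through leaked username/password pairs, so one source
    hits many distinct usernames, each about once. A legitimate user who forgot
    a password retries the same username, so its distinct-user ratio stays low.
    """
    attempts = defaultdict(list)
    for ip, user, ok in parse_log(text):
        attempts[ip].append((user, ok))
    flagged = {}
    for ip, rows in attempts.items():
        total = len(rows)
        distinct = len({user for user, _ in rows})
        ratio = distinct / total
        if total >= min_attempts and ratio >= min_distinct_ratio:
            flagged[ip] = {
                "attempts": total,
                "distinct_users": distinct,
                "distinct_ratio": round(ratio, 2),
                # Accounts whose reused password worked: reset these first.
                "compromised_accounts": [user for user, ok in rows if ok],
            }
    return flagged
```

The thresholds are illustrative; in production they would be tuned per site and combined with signals such as session age and geography, so that only the flagged sources, not every player, see extra verification.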