ESEA hacked, 1.5 million records leaked after failed extortion attempt (UPDATED)

Further to our previous security update on December 30, 2016, the stolen ESEA user data was published on LeakedSource on January 8, 2017. Please read the following update carefully.

The security breach that we were made aware of on December 27, 2016 resulted in the theft of user data by a threat actor. This threat actor demanded a ransom payment and threatened to sell or publish the customer data. We do not give into extortion and ransom demands and we take the security of customers’ data very seriously. In addition to investigating the incident and reporting it to the authorities, we have been working to isolate the vector attack and secure the vulnerability. This has led to some recent system downtime, for which we apologize and which we aim to keep to a minimum in the coming days.

The timeline below provides a chronology of events since we were first approached by the threat actor.

December 27 (first contact) – The threat actor contacted ESEA early Eastern Standard Time on December 27 through our bug bounty program to inform us that they had obtained access to user data and demanding a ransom payment of $100,000 to not release or sell the user data. We exchanged emails with the threat actor through the bug bounty program, in order to validate the claim and understand the attack vector being used and, in parallel, to further harden our sustainable security programs.

Based on the proof provided to us by the threat actor of possession of the stolen data, we were able to identify the scope of the data that was accessed. While the primary concern and focus was on personal data, some of ESEA’s internal infrastructure including configuration settings of game server hardware specifications, as well as game server IPs. Due to the ongoing investigation, we prioritized customer user data first.

December 28 – 29 – We identified the vector of the attack and started to isolate that system and patch the vulnerability. We continued to exchange emails with the threat actor through the bug bounty program, in order to confirm the identified vulnerability and mitigate the threat. In parallel, we engaged with external legal counsel and security resources to understand the scope of the attack and potential impact for users, and to develop a plan for notifying all stakeholders. Security and development teams combed through the codebase to isolate the attack vector and make additional security improvements in preparation for notifying the community.

December 30 – With the vulnerability identified and patched, we continued the process to notify the community of the incident and to require a password reset to re-secure individual account credentials. ESEA notified the authorities (the FBI) of the breach and continue our assistance with any on-going investigations.

December 31 – January 6 – We continued to work around the clock to strengthen our security. During this period we also received several more emails from the threat actor escalating threats and demands, but we focused on our on-going security efforts.

January 7 – Through information obtained from our game server infrastructure database, the threat actor was able to gain access to a game server. With that game server’s restrictive access, the threat actor was able to edit karma (community feedback system) of users, but not able to view, access or modify any personal information.

Several pieces of intellectual property that were stored on our game servers (game server plugins for CSGO) were exfiltrated from the compromised game server. This is how we operate our game servers and NOT associated with user data. In order to further secure the game servers, we moved up planned maintenance and security updates for our infrastructure. We were able to verify that no personal identifying information had been compromised from this incident. Karma was restored while we performed other updates to the ESEA network, which resulted in service outages.

January 8 – We continued to experience service downtime as security upgrades were made but with no system intrusions. The threat actor released the stolen data on LeakedSource and various media outlets reported the theft, extortion attempt and publication of the stolen customer data.

January 9 – We updated the external authorities (the FBI), responded to media and community enquiries and posted this update.

General recommendation:
As a standard security best practice, we encourage users to consider the following measures if not already done since the December 30th security update:

  • Change your passwords and security questions/answers for any other accounts on which you used the same or similar information used for your ESEA account, and review any such accounts for any suspicious activity
  • Use passwords specific to each website you hold accounts at
  • Be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information

We apologize that this theft has taken place. ESEA takes the security and integrity of customer details and information very seriously and we are doing everything in our power to investigate this attack and attempted extortion and are making changes to our systems to mitigate any potential further breaches.

Q: Was ESEA the subject of an extortion attempt?
A: Yes. The threat actor who stole the data demanded money not to sell or publish the customer information.

Q: Where has the stolen user data been published?
A: To our knowledge, just on LeakedSource at this time.

Q: Why didn’t ESEA pay the ransom demand of $100k?
A: We do not give in to ransom demands and paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data. The most responsible course of action was to share the incident with the authorities and our community so each individual could take steps to secure their accounts. At the same time, we have worked around the clock to isolate the attack vector, patch the vulnerability and further upgrade our security program.

Q: Was the system downtime over the weekend due to further hacker intrusion?
A: Only as much as it was due to security upgrades and patching.

Q: As reported, was more than 90 lines of user information stolen?
A: We disclosed the personally identifiable information in our announcement to the community on December 30, which included “usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers. All ESEA user account passwords are using bcrypt, an industry best practice for securing passwords. ESEA does not store any sensitive payment information (credit card, bank account, etc.), so any payments made on the ESEA website, or through third parties, have not been compromised.”

There are additional optional fields of data for user profiles which make up a larger percent of the data stolen, which ESEA users can enter to further complete their publicly viewable profile page. Such data points include favorite drink, favorite food, favorite esports player, their computer hardware specifications, Xbox gamer tag, and PlayStation Network ID to allow other users to interact with them through those platforms, etc. All users add those data fields knowing that it is publicly viewable on their profile page, and may include different amounts of completion for these optional profile fields.


Original story from CSOonline

E-Sports Entertainment Association (ESEA), one of the largest competitive video gaming communities on the planet, was hacked last December. As a result, a database containing 1.5 million player profiles was compromised.

On Sunday, ESEA posted a message to Twitter, reminding players of the warning issued on December 30, 2016, three days after they were informed of the hack. Sunday’s message said the leak of player information was expected, but they’ve not confirmed if the leaked records came from their systems.

Late Saturday evening, breach notification service LeakedSource announced the addition of 1,503,707 ESEA records to their database. When asked for additional information by Salted Hash, a LeakedSource spokesperson shared the database schema, as well as sample records pulled at random from the database.

The leaked records include registration date, city, state (or province), last login, username, first and last name, bcrypt hash, email address, date of birth, zip code, phone number, website URL, Steam ID, Xbox ID, and PSN ID.

However, in all, there are more than 90 fields associated with a given player record in the ESEA database. While the passwords are safe, the other data points in the leaked records could be used to construct a number of socially-based attacks, including Phishing.

Players on Reddit have confirmed their information was discovered in the leaked data. A similar confirmation was made Twitch’s Jimmy Whisenhunt on Twitter.

The LeakedSource spokesperson said that the ESEA hack was part of a ransom scheme, as the hacker responsible demanded $50,000 in payment. In exchange for meeting their demands, the hacker would keep silent about the ESEA hack and help the organization address the security flaw that made it possible.

In their previous notification, ESEA said they learned about the incident on December 27, but make no mention of any related extortion attempts. The organization reset passwords, multi-factor authentication tokens, and security questions as part of their recovery efforts.