Many die-hard gamers will be familiar with ‘Town of Salem’. For those who are not, it is a browser-based game by BlankMediaGames (BMG) in which players are tested on their powers of deception. As the makers put it, it is “a game of murder, deception, lying and mob hysteria”. It is well loved by its millions of players, with fans around the globe. A large portion of those players, about 7.6 million accounts, had their personal details stolen in a data breach.
The first sign of the hack surfaced on December 28, 2018. As the DeHashed blog reported, an anonymous sender emailed them evidence of the breach: a complete copy of the hacked account database together with proof of server access. It is believed that a Local File Inclusion (LFI) / Remote File Inclusion (RFI) vulnerability was exploited to gain access to the server. The exposed information includes:
- Password hashes (reported as phpass, MD5(WordPress) and MD5(phpBB3), which are all the salted, iterated-MD5 phpass format used by WordPress and phpBB3; not plaintext passwords)
- IP addresses
- Game and forum activity
- Billing information for premium users
- Payment information, limited to billing and shipping addresses, IP details, payment amounts and similar minor data. Credit card numbers were not included, as ‘Achilles’, a spokesperson for the company, stressed:
“…we do not handle money. At all. The third party payment processors are the ones that handle all of that. We never see your credit card, payment information, anything like that. We don’t have access to that information.”
On January 2nd, BlankMediaGames confirmed the data breach in an official forum announcement. It stressed that payments are handled by third-party processors and the company never stores credit card numbers, so no card data was exposed. It also pointed out that passwords are stored as hashes rather than in plaintext, so the attacker does not know them unless they can be cracked. Note that a hash is not “encrypted” and cannot be decrypted; what an attacker does is guess candidate passwords offline and compare the results, and because the phpass format in use is an iterated MD5 rather than a slow memory-hard function, weak or reused passwords in a dump of this size can be recovered quickly. The attackers’ undisturbed run is partly blamed on the absence of BMG staff, as the hack took place over the Christmas/New Year holiday period. That offers little comfort to some users, judging by their replies to the forum announcement.
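To show what “hashed, not plaintext” actually buys an attacker holding this kind of dump, here is an added example (not code from BlankMediaGames, DeHashed or the original article). It reimplements the phpass “portable” hash that WordPress ($P$) and phpBB3 ($H$) use, then runs a small dictionary attack over a constructed sample dump. The usernames, salts, passwords and wordlist are all made up for the demonstration; the one real value is the known test vector shipped with Openwall’s phpass test suite, used to confirm the reimplementation matches the real thing.

```python
"""Added example: offline guessing against leaked phpass (WordPress / phpBB3) hashes.

Hypothetical demo, not code from BMG, DeHashed or the article. phpass's
"portable" hash is salt + iterated MD5 with a custom base64. A leaked hash is
not encrypted: anyone holding it can recompute hashes for candidate passwords
and compare, with no further access to the server.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648); encodes `count` bytes of `data`."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> Optional[str]:
    """Recompute a phpass hash from its 12-char prefix: $P$ or $H$, log2(rounds), 8-char salt."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        return None
    log2_rounds = ITOA64.find(setting[3])
    if log2_rounds < 7 or log2_rounds > 30:
        return None
    salt = setting[4:12].encode()
    pwd = password.encode()
    digest = hashlib.md5(salt + pwd).digest()
    for _ in range(1 << log2_rounds):          # WordPress default 'B' -> 8192 rounds
        digest = hashlib.md5(digest + pwd).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: str, log2_rounds: int = 13,
                salt: Optional[str] = None, prefix: str = "$P$") -> str:
    """Create a new hash; phpass derives the 8-char salt from 6 random bytes."""
    if salt is None:
        salt = _encode64(os.urandom(6), 6)
    result = phpass_crypt(password, prefix + ITOA64[log2_rounds] + salt)
    assert result is not None
    return result


def phpass_check(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    computed = phpass_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def dictionary_attack(dump: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """The attacker's side: try every wordlist entry against every leaked hash, offline."""
    words = list(wordlist)
    cracked = {}
    for user, stored in dump.items():
        for guess in words:
            if phpass_check(guess, stored):
                cracked[user] = guess
                break
    return cracked


# Constructed sample dump in the shape of the leaked data: WordPress-style ($P$) and
# phpBB3-style ($H$) hashes. Usernames, salts and passwords are invented for the demo.
SAMPLE_DUMP = {
    "alice": phpass_hash("password123", salt="aBcDeFgH"),
    "bob": phpass_hash("salem2018", salt="12345678", prefix="$H$"),
    "carol": phpass_hash("correct horse battery staple", salt="zYxWvUtS"),
}
# Constructed mini wordlist; real attacks use lists of hundreds of millions of entries.
WORDLIST = ["123456", "password", "salem", "password123", "letmein", "salem2018"]

if __name__ == "__main__":
    print("cracked:", dictionary_attack(SAMPLE_DUMP, WORDLIST))
```

Run as a script it recovers alice’s and bob’s passwords and leaves carol’s alone, which is the whole point of the “only hashes leaked” caveat: hashing protects exactly those users whose passwords are not guessable, and an iterated MD5 with a few thousand rounds does little to slow a GPU down compared with bcrypt or Argon2.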
BlankMediaGames say they are working to prevent any repeat and have removed several backdoors from their servers. Users are advised to change their account password, and to change it on any other site where the same password was reused.
Let us know your thoughts in the comments section.