A newly reported massive data breach shows that the online role-playing game platform Town of Salem, by BlankMediaGames (BMG), was hacked and that 7,633,234 unique email addresses along with players' account data were exposed. The hack was discovered on December 28, 2018, when a copy of Town of Salem's hacked database was anonymously sent to DeHashed, a commercial data breach indexing service.
DeHashed suggested that Town of Salem's server had been compromised and that the hackers had access to the entire gamer database, which contains usernames, emails, passwords (phpass, MD5 (WordPress), MD5 (phpBB3)), IP addresses, game and forum activity, and payment information. Some users who paid for premium features had their billing data breached as well. The total row count is 8,388,894, with 7,633,234 unique email addresses. According to reports, no credit card information was obtained.
I come bearing bad news today. It seems that over the break we experienced a data breach. We are very sorry this happened, and are working with Rackspace to make sure it doesn’t happen again. Thest… https://t.co/9UVwU3cTQU
— Town Of Salem (@townofsalemgame) January 2, 2019
Below is the most recent update post by Achilles, one of the BMG developers:
We have found and removed 3 different php files from our webserver that allowed the hacker to have a backdoor into the server. Rackspace is also running a malware check on all of our servers. We believe we have stopped their ability to continue gathering data but we are in the process of contacting security auditing firms and potentially discussing reinstalling all of our servers from scratch just to be 100% sure.
We are in the process of starting to email users but as you can imagine it takes some time to process and send out 8 million emails.
The community and mods have been helping us look into websites that have the data to see what is being done with it. Passwords were stored as a salted MD5 hash and not plaintext, but it appears that these hashes can still be brute-forced to get the plaintext password if it wasn't a very secure password. We have seen passwords as long as 10 characters being cracked.
If your Town of Salem password was the same on any other site you should change your passwords immediately to be safe.
No credit card/payment info or personal identifying information outside of your email/IP was stored.
As long as users who had a shared password update it on other sites they should be safe. Emails are starting to go out soon so that everyone will know about this.
We are making plans to replace phpbb with a more secure forum such as vanilla and moving to a more secure hashing algorithm. Since we didn't store plaintext passwords we can't easily update everyone's hashes to a new algorithm, but we are investigating our options.
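The update above raises two related points: salted MD5 is fast enough that even 10-character passwords can be brute-forced, and a site that never stored plaintext cannot simply re-hash every account with a stronger algorithm. The standard answer is to wrap the existing hash in a slow KDF offline, so every stored credential is hardened immediately, and then replace the wrapped hash with a direct KDF hash the next time each user logs in. The following is an added example illustrating that migration; it is not BMG's code. It assumes a simplified legacy scheme of `md5(salt + password)` (a constructed stand-in, not the exact phpass or phpBB3 format), uses PBKDF2-HMAC-SHA256 from the Python standard library as the stronger algorithm, and picks an iteration count for demonstration only.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Work factor for PBKDF2-HMAC-SHA256. Assumed demo value; tune for production
# hardware so that one verification costs a noticeable fraction of a second.
ITERATIONS = 200_000


def legacy_md5(salt: bytes, password: str) -> str:
    """Constructed stand-in for the legacy salted-MD5 scheme (hex digest)."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


@dataclass
class Record:
    """One stored credential. scheme is 'md5', 'wrapped' or 'pbkdf2'."""
    scheme: str
    salt: bytes          # legacy MD5 salt (empty once fully migrated)
    digest: bytes        # md5: hex digest bytes; wrapped/pbkdf2: KDF output
    kdf_salt: bytes = b""  # per-record salt for the KDF layer


def pbkdf2(secret: bytes, kdf_salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, kdf_salt, ITERATIONS, dklen=32)


def wrap_legacy(rec: Record) -> Record:
    """Offline step: harden a stored MD5 hash without knowing the password.

    The MD5 hex digest becomes the KDF input, so an attacker who steals the
    wrapped record must pay the full PBKDF2 cost for every guess.
    """
    if rec.scheme != "md5":
        raise ValueError("wrap_legacy expects an 'md5' record")
    kdf_salt = os.urandom(16)
    return Record("wrapped", rec.salt, pbkdf2(rec.digest, kdf_salt), kdf_salt)


def verify_and_upgrade(rec: Record, password: str) -> tuple[bool, Record]:
    """Login-time step: check the password against whichever scheme is stored.

    On success, records that are not yet 'pbkdf2' are replaced by a fresh
    direct PBKDF2 hash so the MD5 layer disappears over time.
    """
    if rec.scheme == "md5":
        candidate = legacy_md5(rec.salt, password).encode("ascii")
        ok = hmac.compare_digest(candidate, rec.digest)
    elif rec.scheme == "wrapped":
        inner = legacy_md5(rec.salt, password).encode("ascii")
        ok = hmac.compare_digest(pbkdf2(inner, rec.kdf_salt), rec.digest)
    elif rec.scheme == "pbkdf2":
        ok = hmac.compare_digest(pbkdf2(password.encode("utf-8"), rec.kdf_salt), rec.digest)
    else:
        raise ValueError(f"unknown scheme {rec.scheme!r}")

    if ok and rec.scheme != "pbkdf2":
        kdf_salt = os.urandom(16)
        rec = Record("pbkdf2", b"", pbkdf2(password.encode("utf-8"), kdf_salt), kdf_salt)
    return ok, rec


if __name__ == "__main__":
    # Constructed sample account in the legacy format.
    legacy = Record("md5", b"s4lt", legacy_md5(b"s4lt", "correct horse").encode("ascii"))
    hardened = wrap_legacy(legacy)            # run once across the whole table
    ok, after_login = verify_and_upgrade(hardened, "correct horse")
    print(ok, hardened.scheme, "->", after_login.scheme)
```

The wrapping step is what closes the window the developers describe: it can be run over the whole table the moment the breach is discovered, with no user interaction, and the stolen MD5 hashes in the attacker's hands no longer match what the live system stores. Note that verification must compare with `hmac.compare_digest` in every branch, and that a wrapped record still inherits the weakness of the inner scheme (unsalted or short-salted MD5 stays unsalted), which is why the upgrade-on-login step is not optional.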
Town of Salem Game Forums: Data Breach Update
Steam: Town of Salem: Data Breach Update
reddit: TownofSalemgame: Data Breach – WHAT ACTUALLY HAPPENED [EDITED]
DeHashed: TOWN OF SALEM: BLANKMEDIAGAMES – HACKED