"It has come to light," said Konami in an open letter to all customers, "that 35,252 cases of unauthorized logins to the Konami ID Portal Site have occurred using IDs and passwords that appear to have been leaked from an external service provider."
The logins apparently started around 13 June, leading some commentators to wonder why it took the company so long to make its announcement. It would seem, however, that Konami didn't detect the logins until "on July 8th, a large number of access errors were detected, and a survey was commenced." If this can be taken at face value, there may be some question over why the earlier attempts weren't detected; but once they were, Konami responded with laudable speed.
"One has to wonder if they decided to take a look at what was happening on their customer portal after the widely-reported month-long hack against fellow Japanese video game makers Nintendo," comments Graham Cluley. "The timing of the two brute-force attacks against users' login accounts can hardly be a coincidence."
"No changes to customers' personal information, or unauthorized usage of paid services, have been detected," says Konami. However, names, addresses, dates of birth, telephone numbers and email addresses were exposed. Since Konami is 'blaming' the incident on passwords leaked from another site (which could be any one of many, given the number of major and minor breaches over the last year), it reinforces the need for users to maintain a separate password for each account.
"There is definitely a trend in hacking gaming companies, which means that there is value in that," warns Barry Shteiman, senior security strategist at Imperva. "In the last decade, with the introduction of the pay-to-play games such as World of Warcraft and others, the digital economy of gaming has become a target for hackers. This is due to the fact that by stealing an account, or hacking into the system, one can potentially convert digital money to real money. There have been talks in hacker forums about money laundering through that mechanism as well," he explained.
In this particular instance the hackers had only limited success. Nevertheless, personal information did leak. "This kind of information can be used for identity theft, or for a phishing campaign, which is the most common account-takeover method in online gaming nowadays," he adds. He points out that preventing phishing at a commercial organization with professional and educated adults is difficult; so "convincing a kid to 'get more gold if you click here' is like taking virtual-candy from a child."