Hacker Makes Off with 1.6 Million 'Clash of Kings' Records

Written by

A hacker has set his sights on the official forum of the extremely popular mobile game "Clash of Kings”, making off with almost 1.6 million accounts.

That’s according to new reports that surfaced on Friday, which claim that on 14 July the nameless attacker was able to exploit outdated or lax security being run on the forum (such as a failure to use basic HTTPS website encryption) before giving a copy of the leaked database to breach notification site LeakedSource.com.

It is believed said database contains information such as usernames, email addresses, IP addresses, device indentifiers along with Facebook data access and tokens (among other things). Passwords stored in the database are hashed and salted.

LeakedSource has now added the total 1,597,717 stolen records to its systems.

Ryan Wilk, director at NuData Security, said this hack is just another example that highlights the need for the industry, as a whole, to stay vigilant because PII data continues to be targeted wherever it may live and hackers aren’t taking the summer off.

“We’ve pointed out time and time again that data breaches don't occur in a vacuum. Hackers are making a living by selling this data on the Dark Web, they do it because they can pay the bills doing it, and what everyone should be asking themselves is why are folks buying it? Because, that data – your data, my data and everyone’s data, gets bought for pennies, bundled up into bigger packages (identity sets) called ‘fullz’, and used as fuel.”

Whilst breaches may not be 100% preventable, continued Wilk, it is possible to prevent cyber-criminals from being able to use the data they steal in these incidents, effectively making it worthless. 

“At the very least, behavioral biometrics and analysis would prevent fraudsters from taking the Clash of King’s data and leveraging it elsewhere.

“Using this intelligence, fraud can be stopped at any point where there is an authentication test because the software is so good at determining who’s a real user and who is a fraudster. Companies using these tools have a much more accurate understanding of the user, and a lot more options. Fraudsters logging in with your valid credentials just don’t get through because they don’t behave like you."

What’s hot on Infosecurity Magazine?