Millions of Tower of Salem Gamers Hit by Breach

Written by

Over 7.5 million players of online game Tower of Salem have been affected by a data breach at developer BlankMediaGames (BMG) over the Christmas holidays.

Hacked database search engine provider DeHashed explained in a blog post on Tuesday that it was approached by email last week by someone with a full trove of newly breached data.

The incident stemmed from a local file inclusion/remote file inclusion vulnerability, according to the firm.

“The data affected, includes but is not limited to: Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment Information,” it explained. “The total row count is: 8,388,894, with 7,633,234 unique email addresses.”

The firm doesn’t store payment/card information but the above info could be used to launch follow-on phishing attempts. MD5 is also theoretically crackable.

Although BlankMediaGames took a few days to respond to the incident, it apologized in an update on Wednesday, blaming the “terrible timing” of the hack.

“The BMG staff is just coming back from Christmas/New Years vacation and we were informed that there may have been a breach of our database. I am currently in contact with Rackspace to figure out what happened and prevent it from happening again,” noted an official statement on the Tower of Salem forum.

“We don't store any credit card or payment info. At all. All passwords were hashed and not plain text. This means they do not know what your password is unless they run a program to attempt to guess it against the hashed password. Any reasonably strong password will take a very long time to be guessed.”

Users would still be advised to change their passwords, especially if these credentials are reused on other sites like online banking.

BMG has “removed multiple backdoors on their server” as it looks to remediate the incident, according to DeHashed. The latter also said it had shared the database of breached information with HaveIBeenPwned.

What’s hot on Infosecurity Magazine?