The War Z, a zombie-centric, first-person shooter game, has 600,000 users, making it relatively small fry as far as gaming targets go. However, the damage is extensive. The data accessed included email addresses used to log-in to the forum, encrypted forum passwords, email addresses used to log-in to the game, encrypted game passwords as well as in-game character names and the IP addresses from which players log-in to both the forum and the game.
“We are sorry to report that we have discovered that hackers gained access to our forum and game databases and the player data in those databases,” said The War Z creator OP Productions, in a security alert. “We have launched a thorough investigation covering our entire system to determine the scope of the intrusion. This investigation is ongoing and is our top priority. As part of the remediation and security enhancement process we will be taking the game and forums down temporarily.”
The good news is that billing and credit card information was not part of the data theft. All payments for The War Z are made through a third party and not the OP system, and not exposed to the breach.
“If you posted other information to the forum it is likely that such data was accessed as well,” OP said. “We do not collect the names or addresses of our gamers so that information was not impacted unless you posted it on the forum. We are investigating whether additional information may have been obtained.”
The company counseled gamer “Survivors” to change their passwords immediately, and if the same password is used for accounts on other services, users should change those passwords as well.
For its part, OP said that it was taking “a number of steps to increase security” and is continuing to work with external advisors and investigators to identify and implement measures to minimize the chance of something similar happening in the future.
“We are undertaking a full review and update of our servers and the services we use and adding additional security mechanisms,” OP said. “In addition to this post, we are emailing all of our players just to make certain that everyone is informed and has been advised to change their passwords.”
It added, “This has been a humbling experience for us. While we all know that there is no guarantee of security on the internet, our goal is to try our very best to protect your data. We sincerely apologize.”
From a user perspective, the password changes are critical. Consider last year’s case where 11 million hashed Gamigo passwords were leaked onto the internet. After de-duping, it still left more than 8 million email addresses and passwords belonging to Gamigo users floating around on the net, 94% of which were nearly immediately cracked by an enterprising hacker, despite the passwords being hashed and salted – a common security practice for login credentials.