
Hacker publishes 1.5M users’ information after esports site refuses ransom demand


Information could be used in phishing, breaching other accounts


Personal information for more than 1.5 million accounts maintained by the E-Sports Entertainment Association was stolen and published online after the company refused the cyber-ransom demands of hackers, the ESEA confirmed yesterday.

ESEA has been updating its community in a timeline of events dating back to Dec. 27, and recommends that users change passwords and security questions in all other accounts where they used the same credentials. The information was published on Saturday, apparently after the ESEA refused a demand for $100,000.

Over the weekend, the breach notification service LeakedSource announced the addition of 1.5 million ESEA records to its database. In an FAQ, the ESEA says the compromised information associated with those accounts includes "usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers."

The ESEA is one of the oldest esports associations, founded in 2003. It operates the ESEA League.

The ESEA says the FBI has been notified and is investigating. It also advises account holders to "be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information." The information exposed by the breach could be used to create a convincing phishing attack.

In the timeline, published yesterday, the ESEA says it was contacted Dec. 27 with a demand of $100,000 to not release or sell user data that a hacker or hackers had breached.

As the ESEA worked to isolate and patch the vulnerability that the hacker used, it consulted with its legal representatives to evaluate the scope of the attack and its potential for impact. On Dec. 30, satisfied that the vulnerability had been identified and patched, the ESEA notified its community of the attack, required a password reset of all of its members, and brought in the FBI.

Over the next week the hacker increased the threats. When the ESEA didn't pay up, the data was published on Jan. 8.

Afterward, the ESEA discovered that the attacker had breached a game server and made off with ESEA intellectual property, but no user information was compromised.