Best Security Search
Security News

ESEA Breached, 1.5 Gamer Records Leaked

ESEA (E-Sports Entertainment Association) which is one of the largest gaming communities has been breached by hackers. As a result of the incident records containing information about 1.5 million players has been leaked on the Internet.

ESEA Records Leaked After Hackers Breached The Community

Another major security incident was reported in the specialist security media. We have confirmed that the E-Sports Entertainment Association (ESEA) was hacked by computer criminals and details about 1.5 million gamers has been leaked on the Web. The attack was carried in December last year and the leaked records include information about 1,503,707 registered individuals. The datasets contain information such as the first and last name of the gamers, their hashed password (using bcrypt), email address, registration date, city, state or province, last login, date of birth, phone number, zip code, phone number, website URL, Steam ID, XBox ID and their associated PSN ID.

The effects of this incident could likely result in new waves of direct social engineering attacks that are going to be personalized using the harvested information from the breach. Many players have already confirmed that such campaigns are already being performed. ESEA has publicly disclosed the incident on their Twitter profile by posting the following message:

Recently news has been made that ESEA’s user data has been leaked online. We expected something like this could happen but have not confirmed this is ESEA’s data. We notified the community on December 30th, 2016 about the possibility this could happen. The type of data and storage standards was disclosed. We have been working around the clock to further fortify security and will bring our website online shortly when that next round is complete. This possible user data leak is not connected to the current service outage.

The security alerts indicate that the ESEA breach is a part of a larger ransom scheme. Computer hackers have even demanded a payment of 50 000 US Dollars to avoid disclosing the hack. The company has forced a mandatory password reset of all account credentials, associated authentication tokens and the security questions.

ESEA has also posted a notice on their website titled Important Security Update that warns the public about the breach:

Following an incident that took place earlier this week, ESEA hereby issues an important security update for all users. Please read this carefully.

What happened?
On Tuesday, 27 December, 2016 we were made aware of a security breach of the ESEA website database and the potential theft of certain user account information. It appears that the user data that might have been taken included usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers. All ESEA user account passwords are using bcrypt, an industry best practice for securing passwords.

ESEA does not store any sensitive payment information (credit card, bank account, etc.), so any payments made on the ESEA website, or through third parties, have not been compromised. No ESEA Client and anti-cheat systems have been impacted in this incident. Neither the ESEA Client itself, nor data related to the ESEA Client, was accessed through this incident.

What are we doing to protect your account?
We are enforcing the following procedures with all accounts to make sure any compromised user data is no longer being used:
Password reset
MFA reset
Security question reset

General recommendation: what can you as a user do to protect your account?
As a standard security best practice, we encourage users to consider the following measures:
Change your passwords and security questions/answers for any other accounts on which you used the same or similar information used for your ESEA account, and review any such accounts for any suspicious activity
Use passwords specific to each website you hold accounts at
Be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information

We apologize that this incident has taken place. ESEA takes the security and integrity of customer details and information very seriously and we are doing everything in our power to investigate this incident, establish precisely what has been taken, and make changes to our systems to mitigate any further breaches.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.