ESEA confirmed that personal information from an estimated 1.5 million people was compromised in a December 27 data breach.
The company hosts competitive leagues for CS: GO, Team Fortress 2, and other games. It said an unidentified hacker reached out via its bug bounty program to say they had managed to break in to the company's systems and demanded a $100,000 ransom in exchange for keeping the information private. ESEA declined--it said that its policy is not to comply with any ransom demands--and the hacker published that user data on January 8.
ESEA said it doesn't store any banking information on its servers. But it did store plenty of other information--the hacker was able to steal "usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers." That was just the information ESEA required from its users; the company explained that many people choose to share more about themselves on the service:
There are additional optional fields of data for user profiles which make up a larger percent of the data stolen, which ESEA users can enter to further complete their publicly viewable profile page. Such data points include favorite drink, favorite food, favorite esports player, their computer hardware specifications, Xbox gamer tag, and PlayStation Network ID to allow other users to interact with them through those platforms, etc. All users add those data fields knowing that it is publicly viewable on their profile page, and may include different amounts of completion for these optional profile fields.
It's one thing to share information with other forum members, and another thing entirely to have that information bundled up with other data and published online. Besides the usual risk associated with data breaches--namely, attackers breaking into other accounts by exploiting the fact that people reuse login credentials--the inclusion of all that other data could make the 1.5 million people affected by this hack vulnerable to phishing attacks.
Phishing works best when attackers know something about their victims. This is called spear-phishing: Instead of just casting a wide net and hoping for someone to bite, attackers carefully select their targets and focus their energy on duping them. Which seems more likely to work, a generic email with a malicious link inside, or a custom-tailored message that appeals directly to one person? Most experts agree that the latter poses more of a problem.
ESEA advised its users to change their passwords on other services, to stop reusing login credentials across multiple sites, and to "be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information." The company said it's been in touch with the FBI about the incident, and it made a series of security upgrades between December 28 and January 8 to prevent similar intrusions.
Stay on the Cutting Edge
Join the experts who read Tom's Hardware for the inside track on enthusiast PC tech news — and have for over 25 years. We'll send breaking news and in-depth reviews of CPUs, GPUs, AI, maker hardware and more straight to your inbox.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
Yay Russian hackers! I hope you all die of gonorrhea and rot in hell. <3Reply
Wonders if it was worth saving 100k.... After all the possible lawsuits from not having there stuff secured. Then there is the tarnished name and reputation! I agree that paying wasn't the best way to handle the situation but at the same time. The article make it sound like going to the FBI was a after thought also!. How was there security? Guessing not really up to snuff! I really think companies that house important data should have to meet minimal security standards are dump that data daily. One or the other.Reply
John, this is no doubt was done by American hackers.Reply
"Wonders if it was worth saving 100k"Reply
If they gave him 100k, there was nothing to stop him from releasing the information anyway or then knowing they're willing to say, "Oh, make it 500k" or more. It would also make them a target in the future since they would be known to pay.