Witcher dev, XBOX 360 ISO & PSP ISO forums hacked: Over 4.4 million accounts exposed

Three forums were hacked (CD Projekt Red, XBOX 360 ISO and PSP ISO), exposing over 4.4 million gamer accounts. Good news? The hacks are old. Bad news? People are only now finding out about the breaches.

Well, it’s bad news for some gamers and modders, about 4.5 million of them, as three different forums were hacked. If you are looking for the silver lining in the dark breach cloud, none of the hacks were recent; the flipside? The email addresses, usernames and passwords have been “out there” since as far back as September 2015.

Fans of The Witcher have only just started receiving breach notifications from Have I Been Pwned, even though the CD Projekt Red forum was compromised back in March 2016.

Nearly 2 million CD Projekt RED forum accounts exposed (Have I Been Pwned)

Nearly 1.9 million CD Projekt Red accounts were exposed; Have I Been Pwned numbered the burned accounts at 1,871,373.

Security researcher Troy Hunt wrote on Have I Been Pwned:

In March 2016, Polish game developer CD Projekt RED suffered a data breach. The hack of their forum led to the exposure of almost 1.9 million accounts along with usernames, email addresses and salted SHA1 passwords.

Compromised data: Email addresses, Passwords, Usernames

The company did post an “unauthorized access” notification back in December on its site, under The Witcher Series forum, Gwent news and Cyberpunk 2077, but it likely flew under the radar of thousands of affected users.

According to the game developer, the compromised accounts were from “the now-obsolete cdprojektred.com forum database.” The unauthorized access occurred “sometime in March 2016.” In December, forum users were told, “If any passwords had been downloaded, they would have also been encrypted. However, we strongly encourage every user to change their password as a precautionary measure.”

Yesterday after people who signed up to receive HIBP notifications started receiving emails about the breach, CD Projekt Red added:

At the time of the event, the database was not in active use, as forum members had been asked to create better-secured GOG.com accounts almost a year earlier. The forum engine has also been upgraded since then to the newest and most secure version, fixing the exploit that allowed said access.

It is our understanding that the obsolete forum database contained usernames, email addresses and salted MD5 passwords (MD5 is an encryption algorithm we used to encrypt your data). This means your old passwords were secured and not directly accessible by anyone.

Note that the game developer and HIBP differ on how the passwords were stored: the company says salted MD5, while HIBP says salted SHA1 passwords were exposed. The company has only now decided to start notifying affected users via email about the March 2016 breach.

When 5,915,013 Nexus Mods accounts were exposed, the news came out in December 2015, although the compromised database actually dated from July 2013. That might have spurred some people to sign up for HIBP notifications, since Hunt told IT Pro that a “high” number – 8,110 HIBP subscribers – received CD Projekt Red forum breach alerts.

XBOX 360 ISO & PSP ISO forums hacked

But that’s not all, as nearly 1.3 million XBOX 360 ISO forum accounts and another 1.3 million PSP ISO forum accounts were exposed back in 2015. Have I Been Pwned puts the exact numbers at 1,296,959 for XBOX 360 ISO and 1,274,070 for the PSP ISO forums.

If you are not familiar with the sites, a quick browse shows they are a way to get hold of pirated copies of console games and the like.

Over 1 million accounts exposed on XBOX 360 ISO forum (Have I Been Pwned)
Over 1 million accounts exposed on PSP ISO forum (Have I Been Pwned)

Under XBOX 360 ISO, Hunt noted:

In approximately September 2015, the XBOX 360 forum known as XBOX360 ISO was hacked and 1.2 million accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.

Compromised data: Email addresses, IP addresses, Passwords, Usernames

Under PSP ISO, Hunt wrote:

In approximately September 2015, the PlayStation PSP forum known as PSP ISO was hacked and almost 1.3 million accounts were exposed. Along with email and IP addresses, the vBulletin forum also exposed salted MD5 password hashes.

Compromised data: Email addresses, IP addresses, Passwords, Usernames

In summary, these are old hacks, but millions of gamers – a total of 4,442,402 of them – should be prepared for the possibility of being phished. Surely the compromised passwords were not reused elsewhere; if they were, it would be wise to do something about that, such as starting to use a password manager.

Copyright © 2017 IDG Communications, Inc.