ESEA hacked, 1.5 million records leaked after alleged failed extortion attempt

E-Sports Entertainment Association (ESEA), one of the largest competitive video gaming communities on the planet, was hacked last December. As a result, a database containing 1.5 million player profiles was compromised.

On Sunday, ESEA posted a message to Twitter, reminding players of the warning issued on December 30, 2016, three days after they were informed of the hack. Sunday’s message said the leak of player information was expected, but they’ve not confirmed if the leaked records came from their systems.

Late Saturday evening, breach notification service LeakedSource announced the addition of 1,503,707 ESEA records to their database. When asked for additional information by Salted Hash, a LeakedSource spokesperson shared the database schema, as well as sample records pulled at random from the database.

The leaked records include registration date, city, state (or province), last login, username, first and last name, bcrypt hash, email address, date of birth, zip code, phone number, website URL, Steam ID, Xbox ID, and PSN ID.

However, in all, there are more than 90 fields associated with a given player record in the ESEA database. While the passwords are safe, the other data points in the leaked records could be used to construct a number of socially-based attacks, including Phishing.

Players on Reddit have confirmed their information was discovered in the leaked data. A similar confirmation was made Twitch’s Jimmy Whisenhunt on Twitter.

The LeakedSource spokesperson said that the ESEA hack was part of a ransom scheme, as the hacker responsible demanded $50,000 in payment. In exchange for meeting their demands, the hacker would keep silent about the ESEA hack and help the organization address the security flaw that made it possible.

In their previous notification, ESEA said they learned about the incident on December 27, but make no mention of any related extortion attempts. The organization reset passwords, multi-factor authentication tokens, and security questions as part of their recovery efforts.

Salted Hash has reached out to press contacts at ESEA, as well as those for Turtle Entertainment, the parent company listed on the ESEA website. We’ve reached out to confirm the extortion attempt claims made by the hacker, as well as the total count for players affected by the data breach.

This story will be updated as new information emerges.

Update:

In an emailed statement, a spokesperson for ESL Gaming (parent company to Turtle Entertainment) confirmed that the hacker did in fact attempt to extort money, but the sum demanded was “substantially higher” than the $50,000 previously mentioned.

The company refused to give into the extortion demands, and went public with details before the hacker could publish anything.

The statement also confirms the affected user count of 1.5 million, and stressed the point that ESEA passwords were hashed with bcrypt. When it comes to the profile fields, where more than 90 data points are listed, ESL Gaming says those are optional data points for profile settings. Not everyone took advantage of them however.

“We take the security and integrity of customer details very seriously and we are doing everything in our power to investigate this incident, establish precisely what has been taken, and make changes to our systems to mitigate any further breaches. The authorities (FBI) were also informed and we will do everything possible to facilitate the investigation of this attack,” the message from ESL Gaming concluded.

Update 2:

In an official statement posted to their website, ESEA says that the hacker demanded a $100,000 ransom.

“Based on the proof provided to us by the threat actor of possession of the stolen data, we were able to identify the scope of the data that was accessed. While the primary concern and focus was on personal data, some of ESEA’s internal infrastructure including configuration settings of game server hardware specifications, as well as game server IPs was also accessible. Due to the ongoing investigation, we prioritized customer user data first,” the statement explains.

In the days that followed that initial contact, ESEA worked to secure their systems, and the hacker kept making demands. On January 7, ESEA learned the hacker also exfiltrated intellectual property from the compromised servers.

As mentioned, the full timeline of events has been posted to the ESEA website.