Compromise Reports, Security

Gamigo Database Hacked & User Data Compromised

July 23 2012: Last March I posted an article about the Gamigo system compromise that happened on March 2 2012. I wasn’t too happy since I have a Gamigo account as well.

Since the compromise happened there has been no news about the compromised information, but it looks like the people responsible haven’t given up causing problems for Gamigo players.

Initially the compromised data was not published by those responsible, but now the full list of 8.2 million email addresses, user-names, and 11 million encrypted passwords (thankfully still hashed) has been published on a hacking site.

Gamigo did force a password reset for all accounts after the event in March, but hackers are likely to try tracking down and compromising related user accounts on different sites, so it’s definitely a good idea to change one’s passwords anywhere one might have re-used one’s Gamigo user-name/password combination.

March 2 2012: The latest news is that in the past day(s) Gamigo user accounts have been compromised and information has been stolen by unknown attackers. The details of the attack are not yet known, but Gamigo assures users that payment information is safe. However the other information, possibly including user passwords has been compromised.

It’s my understanding that the compromise happened March 2 2012, and the Gamigo account login functionality was down for several days afterwards.

Background Rant

In the past years the number of online system compromises has been skyrocketing. 2011 in particular saw what only could be termed a hacking spree with millions of user accounts compromised and user data falling into malicious hands. Now more than ever the importance of maintaining tight system security has become a key issue to maintaining a Web-based business presence.

So what Happened?

I received a notification email yesterday (March 2 2012) from Gamigo that their systems had been attacked and user data compromised. I’m including the notification below. Based on information from several sources it appears that the attack happened Thursday (March 1) and in response Gamigo had to shut down its account servers to deal with the attack. Although their initial forum post indicated that passwords are encrypted and so were not compromised, the email I received a day later seems to say that passwords were indeed compromised.

Update: I checked the Gamigo login section again today (March 4 2012), and they are still down.

Update: The Gamigo account management section appears to be up and running again (March 5 2012) and I was able to reset my password.

The Dangers of all of These Systems Getting Compromised

This is a big problem in my opinion. Most Internet users have to juggle too many passwords to easily remember and for convenience often resort to re-using the same password across several sites. If one site is compromised, then the attackers will be able to use that user’s information to try to gain access to other systems for that user, which can be quite damaging if any of these systems hold more personal information. Basically an attacker can build up a detailed user profile for each account that can then be sold ie to online marketing companies or even identity thieves. In a worst case scenario the user will have re-used their password/username for a banking system, which the attackers will happily compromise and loot.

The sad thing is that this isn’t even really scaremongering. With automated tools freely available to anyone with malicious intentions sites can be attacked or brought down. The attacker requires very little technical expertise since the software will handle the attack itself. This seems to be becoming the norm these days as organized crime is more and more involved in online activities.

Even worse is a report I recently read that says that attacks are increasing against mobile devices as smartphones become more integrated with our lives and banks promote phone-based banking and purchase services.

Getting back to the subject of this article, the attack on Gamigo is one of hundreds that have happened in the past year. The amount of data stolen is definitely significant if one combines the data loss across all of the compromises. The potential for money loss or identity theft is huge at this point.

The benefit of F2P games providers like Gamigo is that one does not have to submit financial information. Likewise, at this point I think it is wise to never provide real personal information other than name to a non-essential online application. I’m not saying that it’s inevitable that the information will be compromised, but I am saying that it is wise to hedge one’s bets and to not unnecessarily give out information that could be mis-used in the wrong hands.

Here is the letter I received from Gamigo:

Dear gamigo User,
We regret to inform you that our database was subject to an attack in the last few days. The intruder(s) managed to acquire (alias) user names and gamigo user passwords. An excerpt from these was published in the gamigo forums.
We detected the attack and are working to the utmost of our resources to repair the damage and to determine how it happened. We are leaving no stone unturned in our efforts.
Your character data, including items, is safely stored on the backup and remains available to you.
We cannot rule out that the intruder(s) is/are still in possession of additional personal data, although to date we have received no report of any fraudulent use.
To prevent any unauthorized access to your account, we have reset all passwords for the gamigo Account System and for all gamigo games!
There are 3 steps to recovering access to your gamigo accounts and getting back to playing again:
Step 1:
Go to the gamigo account system and set up a new password for the gamigo account system. Please make certain that the new password is not the same as the old one!
Step 2:
Log in to the gamigo account system with the new password and go to "My Games." Please select a new, secure password for each of your games.
Step 3:
Important: Please also immediately change the passwords for all game forums you visit, to ensure that your data is safe there as well.
A detailed set of instructions on changing your password can be found in our guidelines. If you have problems, please contact our Support team.
We greatly regret this incident and any inconvenience it has caused to you.
The gamigo Team

Some information on the Company:

Gamigo is based in Hamburg, Germany and provides a number of F2P client and browser-only games including MMORPGs. They were founded in 2000 and rely on a micropayment system to sell advantages to gamers who enjoy a particular game.

Here is a list of the current Gamigo games:

  • Black Prophecy
  • Cultures Online
  • Dungeon Empires
  • Fiesta Online
  • Golfstar
  • Heroes in the Sky
  • King of Kings 3
  • Last Chaos
  • Level R
  • Loong: The Power of the Dragon
  • Magic Campus
  • Martial Empires
  • Patrician Online
  • Pirate Galaxy
  • Regnum Online
  • Shot Online
  • The Witcher: Versus
  • War of Angels

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s