Eight Million Email Addresses And Passwords Spilled From Gaming Site Gamigo Months After Hacker Breach

This article is more than 10 years old.

Updated with a statement from Gamigo below.

Call it a slow leak. Four months after the gaming site Gamigo warned users about a hacker intrusion that accessed some portions of its users' credentials, more than 8 million usernames, email addresses and hashed passwords from the site have been published on the Web, according to the data breach alert service PwnedList. The half-gigabyte collection of stolen user data was posted to the password-cracking forum Inside Pro earlier this month, where it remained online until late last week.

PwnedList founder Steve Thomas downloaded the file prior to its removal from the Web and has shared it with me, and I can confirm that it appears to be an enormous list of user emails with passwords obscured by cryptographic hashes.

"It's the largest leak I've ever actually seen," says Thomas, whose startup seeks to track data breaches and alert users when their information is published. "When this breach originally happened, the data wasn't released, so it wasn't a big concern. Now eight million email addresses and passwords have been online, live data for any hacker to see."

Gamigo users can check on PwnedList's site whether their email address is included in the leak.

Though the passwords weren't posted in readable form, they may still be compromised: a password hash is meant to be one-way, but weak passwords can be recovered by hashing candidate guesses and comparing the results. Within a half hour, another user in the Inside Pro forum thread responded to the post of the file with a message reading "found 94%," implying that roughly that share of the hashes had already been cracked back to the original passwords.
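To show why a "found 94%" claim against a hashed dump is plausible, here is an added example (not code from the article, from PwnedList or from Gamigo) that runs a small dictionary attack against a constructed set of accounts. The article does not say which hash Gamigo used; unsalted MD5 is an assumption here, chosen because it was a common choice at the time. The sample accounts, passwords and wordlist are all made up for the demonstration. The second half of the example hashes the same passwords with a per-user salt and a deliberately slow key-derivation function to show how that changes the attacker's cost.

```python
import hashlib
import os

# Constructed sample accounts (not data from the Gamigo dump): nine weak,
# commonly reused passwords and one long random one.
SAMPLE_USERS = {
    "user01@example.com": "123456",
    "user02@example.com": "password",
    "user03@example.com": "qwerty",
    "user04@example.com": "gamigo",
    "user05@example.com": "letmein",
    "user06@example.com": "dragon",
    "user07@example.com": "football",
    "user08@example.com": "iloveyou",
    "user09@example.com": "123456",
    "user10@example.com": "Vq9#tL2m!xR8pW4z",  # not in any wordlist
}

# A tiny cracking dictionary; real attackers use lists of hundreds of millions.
WORDLIST = ["123456", "password", "qwerty", "gamigo", "letmein",
            "dragon", "football", "iloveyou", "monkey", "abc123"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_unsalted_dump(users):
    """What a leak of unsalted MD5 'encrypted passwords' looks like: email -> hex digest."""
    return {email: md5_hex(pw) for email, pw in users.items()}


def crack_unsalted(dump, wordlist):
    """Hash each candidate once, then look every leaked digest up in that table.
    Cost is len(wordlist) hash computations no matter how many accounts leaked."""
    table = {md5_hex(w): w for w in wordlist}
    cracked = {email: table[digest] for email, digest in dump.items() if digest in table}
    return cracked, len(wordlist)


def build_salted_dump(users, iterations=20_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256) instead of plain MD5."""
    dump = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
        dump[email] = (salt, iterations, digest)
    return dump


def crack_salted(dump, wordlist):
    """No shared lookup table is possible: each (account, candidate) pair costs one slow KDF call."""
    cracked, kdf_calls = {}, 0
    for email, (salt, iterations, digest) in dump.items():
        for candidate in wordlist:
            kdf_calls += 1
            guess = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
            if guess == digest:
                cracked[email] = candidate
                break
    return cracked, kdf_calls


def recovery_rate(cracked, dump):
    """Percentage of leaked accounts whose password was recovered."""
    return 100.0 * len(cracked) / len(dump)


if __name__ == "__main__":
    unsalted = build_unsalted_dump(SAMPLE_USERS)
    found, work = crack_unsalted(unsalted, WORDLIST)
    print(f"unsalted MD5: found {recovery_rate(found, unsalted):.0f}% "
          f"using {work} hash computations")

    salted = build_salted_dump(SAMPLE_USERS)
    found_s, work_s = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: found {recovery_rate(found_s, salted):.0f}% "
          f"using {work_s} KDF calls")
```

The same nine weak passwords fall either way, which is the point of the article's warning about reuse: hashing does not rescue a password that appears in a wordlist. What salting and a slow KDF change is the price per guess. Against the unsalted table one hash per candidate covers every leaked account at once, so the cost does not grow with the size of the dump; against the salted dump every account has to be attacked separately with a function tuned to be expensive, which is what turns "found 94% within half an hour" into weeks or months of work for a multi-million-row leak.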

Gamigo, a free gaming site owned by German publishing firm Axel Springer AG, forced all users to change their passwords after it announced it had been hacked in March of this year, so the exposed passwords likely won't give anyone access to user accounts on Gamigo.com itself. But given that users very often reuse passwords between sites, the breached passwords could offer access to more sensitive accounts on email or banking sites. Anyone who had an account with Gamigo prior to its March breach should change their passwords on any other accounts where they used the same credentials as on Gamigo.com.

According to PwnedList's analysis, the spilled data includes 3 million American accounts including Hotmail, Gmail, and Yahoo! mail addresses, 2.4 million German accounts, and 1.3 million French accounts. The company found dozens of email addresses from corporations including IBM, Allianz, Siemens, Deutsche Bank, and ExxonMobil.

Though the user who posted the file to Inside Pro counted 11 million hashed passwords, PwnedList's Thomas says he found only 8,244,000 unique email addresses in the file. More than five thousand of the email addresses included the word "gamigo," a sign that they were created specifically to register for Gamigo and strong evidence that the stolen database was in fact taken from Gamigo's servers.
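The kind of triage PwnedList describes (counting records versus unique addresses, breaking the addresses down by region, and looking for site-specific markers such as "gamigo" in the local part) is straightforward to script. The following is an added example, not PwnedList's tooling or anything from the article, run over a handful of constructed lines in the `email:hash` layout such dumps commonly use. The provider-to-region mapping and the corporate-domain watchlist are assumptions for illustration only.

```python
import re
from collections import Counter

# Constructed sample lines; none of these are from the Gamigo file.
# Duplicates and one malformed line are included on purpose.
SAMPLE_DUMP = """\
alice@gmail.com:5f4dcc3b5aa765d61d8327deb882cf99
alice@gmail.com:5f4dcc3b5aa765d61d8327deb882cf99
bob@hotmail.com:e10adc3949ba59abbe56e057f20f883e
carla.gamigo@yahoo.com:d8578edf8458ce06fbc5bb76a58c5ca4
dieter@web.de:25d55ad283aa400af464c76d713c07ad
dieter@web.de:25f9e794323b453885f5181f1b624d0b
erika@gmx.de:e99a18c428cb38d5f260853678922e03
francois@orange.fr:fcea920f7412b5da7be0cf42b8c93759
gamigo-spam@free.fr:7c6a180b36896a0a8c02787eeafb0e4c
hans@siemens.com:6c569aabbf7775ef8fc570e228c16b98
not a valid line
""".splitlines()

# email:hexdigest, where the digest is anywhere from MD5 (32 hex) to SHA-512 (128 hex).
LINE_RE = re.compile(r"^([^:\s@]+@[^:\s@]+\.[^:\s@]+):([0-9a-fA-F]{32,128})$")

# Rough mapping used only for this illustration: big US webmail providers by
# domain, everything else by country-code TLD.
REGION_BY_DOMAIN = {"gmail.com": "US", "hotmail.com": "US", "yahoo.com": "US"}
REGION_BY_TLD = {"de": "DE", "fr": "FR"}

# Hypothetical watchlist of corporate domains an analyst might flag.
CORP_DOMAINS = {"siemens.com", "ibm.com"}


def parse_dump(lines):
    """Split raw lines into (email, hash) records, keeping malformed lines separately."""
    records, rejected = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1).lower(), m.group(2).lower()))
        else:
            rejected.append(line)
    return records, rejected


def domain_of(email):
    return email.rsplit("@", 1)[1]


def region_of(email):
    domain = domain_of(email)
    if domain in REGION_BY_DOMAIN:
        return REGION_BY_DOMAIN[domain]
    return REGION_BY_TLD.get(domain.rsplit(".", 1)[-1], "other")


def summarize(records):
    """Counts an analyst wants first: record vs. unique totals, regions, markers, corporates."""
    unique_emails = {email for email, _ in records}
    return {
        "total_records": len(records),
        "unique_emails": len(unique_emails),
        "unique_hashes": len({digest for _, digest in records}),
        "regions": Counter(region_of(e) for e in unique_emails),
        # Addresses whose local part names the site were probably created just for it.
        "site_specific": sum(1 for e in unique_emails if "gamigo" in e.split("@", 1)[0]),
        "corporate": sorted(e for e in unique_emails if domain_of(e) in CORP_DOMAINS),
    }


if __name__ == "__main__":
    recs, bad = parse_dump(SAMPLE_DUMP)
    print(f"{len(bad)} malformed line(s) skipped")
    for key, value in summarize(recs).items():
        print(f"{key}: {value}")
```

Separating record count from unique-address count matters for exactly the discrepancy the article reports: a file can carry 11 million rows and still describe far fewer people once repeated lines and addresses paired with more than one hash are collapsed. The "gamigo" marker check is weak evidence on its own for any single address, but a count in the thousands across a dump is hard to explain unless the data came from that site.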

In early March, Gamigo warned users that its "database was subject to an attack in the last few days," and that "the intruder(s) managed to acquire (alias) user names and encrypted gamigo user passwords." A few hundred of those credentials were posted in Gamigo forums.

"We cannot rule out that the intruder(s) is/are still in possession of additional personal data, although to date we have received no report of any fraudulent use," read the message. "To prevent any unauthorized access to your account, we have reset all passwords for the gamigo Account System and for all gamigo games!"

I've contacted Gamigo for comment, and will add any update from the company when I hear back.

Update: Gamigo has responded in a statement that while it did experience a breach in March, it has not confirmed that all 8 million passwords were in fact taken from Gamigo, and that as far as it can tell, "the published records contain no new data."

Its statement continues:

All necessary measures to minimize the impact of the attack were initiated immediately at that time. This included notification of all affected users, resetting of passwords, taking the hacked database offline, a thorough review of the company's IT security policies, removal of a portion of the company's offerings from the internet, notification of the relevant civil authorities and a clarification of the ensuing legal questions.

The republication of the stolen data serves as a strong reminder of the need for vigilance and ongoing critical review of our procedures and policies.

PwnedList's Steve Thomas says he believes Gamigo hasn't acted irresponsibly in responding to the breach, despite not warning users to change any passwords they reused across other accounts. But he emphasizes that users who do reuse passwords should act now to change them immediately. "Now that these full details are out there, we can expect more attempts for accounts to be taken over or used maliciously," he says.