Tweet
[ATTACH=CONFIG]10211[/ATTACH]
You should probably be aware that details for over 1.5 million ESEA user accounts was leaked today from a hacker after he failed to extort $100,000 from the ESEA. The ESEA is a company that is mainly known for running a fairly popular Counter-Strike league.The leak first showed up back on January 7, 2017 when LeakedSource said that they have added over 1.5 million ESEA records to their database. The confirmation came from the ESEA today along with a timeline of the events that dates back to December 27, 2016.
December 27 (first contact) - The threat actor contacted ESEA early Eastern Standard Time on December 27 through our bug bounty program to inform us that they had obtained access to user data and demanding a ransom payment of $100,000 to not release or sell the user data. We exchanged emails with the threat actor through the bug bounty program, in order to validate the claim and understand the attack vector being used and, in parallel, to further harden our sustainable security programs.
Based on the proof provided to us by the threat actor of possession of the stolen data, we were able to identify the scope of the data that was accessed. While the primary concern and focus was on personal data, some of ESEA’s internal infrastructure including configuration settings of game server hardware specifications, as well as game server IPs. Due to the ongoing investigation, we prioritized customer user data first.
December 28 - 29 - We identified the vector of the attack and started to isolate that system and patch the vulnerability. We continued to exchange emails with the threat actor through the bug bounty program, in order to confirm the identified vulnerability and mitigate the threat. In parallel, we engaged with external legal counsel and security resources to understand the scope of the attack and potential impact for users, and to develop a plan for notifying all stakeholders. Security and development teams combed through the codebase to isolate the attack vector and make additional security improvements in preparation for notifying the community.
December 30 - With the vulnerability identified and patched, we continued the process to notify the community of the incident and to require a password reset to re-secure individual account credentials. ESEA notified the authorities (the FBI) of the breach and continue our assistance with any on-going investigations.
December 31 - January 6 - We continued to work around the clock to strengthen our security. During this period we also received several more emails from the threat actor escalating threats and demands, but we focused on our on-going security efforts.
January 7 - Through information obtained from our game server infrastructure database, the threat actor was able to gain access to a game server. With that game server’s restrictive access, the threat actor was able to edit karma (community feedback system) of users, but not able to view, access or modify any personal information.
Several pieces of intellectual property that were stored on our game servers (game server plugins for CSGO) were exfiltrated from the compromised game server. This is how we operate our game servers and NOT associated with user data. In order to further secure the game servers, we moved up planned maintenance and security updates for our infrastructure. We were able to verify that no personal identifying information had been compromised from this incident. Karma was restored while we performed other updates to the ESEA network, which resulted in service outages.
January 8 - We continued to experience service downtime as security upgrades were made but with no system intrusions. The threat actor released the stolen data on LeakedSource and various media outlets reported the theft, extortion attempt and publication of the stolen customer data.
January 9 - We updated the external authorities (the FBI), responded to media and community enquiries and posted this update.
Based on the proof provided to us by the threat actor of possession of the stolen data, we were able to identify the scope of the data that was accessed. While the primary concern and focus was on personal data, some of ESEA’s internal infrastructure including configuration settings of game server hardware specifications, as well as game server IPs. Due to the ongoing investigation, we prioritized customer user data first.
December 28 - 29 - We identified the vector of the attack and started to isolate that system and patch the vulnerability. We continued to exchange emails with the threat actor through the bug bounty program, in order to confirm the identified vulnerability and mitigate the threat. In parallel, we engaged with external legal counsel and security resources to understand the scope of the attack and potential impact for users, and to develop a plan for notifying all stakeholders. Security and development teams combed through the codebase to isolate the attack vector and make additional security improvements in preparation for notifying the community.
December 30 - With the vulnerability identified and patched, we continued the process to notify the community of the incident and to require a password reset to re-secure individual account credentials. ESEA notified the authorities (the FBI) of the breach and continue our assistance with any on-going investigations.
December 31 - January 6 - We continued to work around the clock to strengthen our security. During this period we also received several more emails from the threat actor escalating threats and demands, but we focused on our on-going security efforts.
January 7 - Through information obtained from our game server infrastructure database, the threat actor was able to gain access to a game server. With that game server’s restrictive access, the threat actor was able to edit karma (community feedback system) of users, but not able to view, access or modify any personal information.
Several pieces of intellectual property that were stored on our game servers (game server plugins for CSGO) were exfiltrated from the compromised game server. This is how we operate our game servers and NOT associated with user data. In order to further secure the game servers, we moved up planned maintenance and security updates for our infrastructure. We were able to verify that no personal identifying information had been compromised from this incident. Karma was restored while we performed other updates to the ESEA network, which resulted in service outages.
January 8 - We continued to experience service downtime as security upgrades were made but with no system intrusions. The threat actor released the stolen data on LeakedSource and various media outlets reported the theft, extortion attempt and publication of the stolen customer data.
January 9 - We updated the external authorities (the FBI), responded to media and community enquiries and posted this update.
That page also includes a brief FAQ, including the reason why the ESEA did not pay the $100,000 that the hacker demanded.
Q: Why didn’t ESEA pay the ransom demand of $100k?
A: We do not give in to ransom demands and paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data. The most responsible course of action was to share the incident with the authorities and our community so each individual could take steps to secure their accounts. At the same time, we have worked around the clock to isolate the attack vector, patch the vulnerability and further upgrade our security program.
A: We do not give in to ransom demands and paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data. The most responsible course of action was to share the incident with the authorities and our community so each individual could take steps to secure their accounts. At the same time, we have worked around the clock to isolate the attack vector, patch the vulnerability and further upgrade our security program.
The information leaked includes: usernames, emails, private messages, Ips, mobile phone numbers, forum posts, hashed passwords, and hashed secret question answers." Payment information is not stored by the ESEA and is thus still secure.
However, it would still be a wise idea to change your password with the ESEA and any other site where you may have reused that password. Moving forward, I suggest that you use a unique password at every site you belong to. This is made easier by using something like KeePass, 1Password, or LastPass.
