Town of Salem

Late last night, word broke that over 7.6 million accounts were exposed in a BlankMediaGames data breach. BlankMediaGames is the studio that develops and operates the popular browser-based role-playing game Town of Salem. The news first broke at DeHashed, a data-mining and breach-search site, which received an email from an anonymous source on December 28, 2018. The email contained evidence of server access and a copy of the complete database for DeHashed to verify.

The breach was later confirmed at Have I Been Pwned. Here is what the initial report from DeHashed had to say about it.

Here's an analysis of what we found. This is the first time the company has ever seen any kind of breach; ironically it was caused by an entry-level vulnerability known as "LFI" / "RFI".

The data affected includes, but is not limited to:

Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment Information. Some of the users who paid for certain premium features had their billing information/data breached as well.

The total row count is: 8,388,894, with 7,633,234 unique email addresses.

DeHashed goes on to say that it has made numerous attempts to contact BlankMediaGames but has not yet received a response: three separate emails and two phone calls between December 28 and December 30.

As of this writing, the only official statement comes from the Town of Salem forums, from a developer who goes by the name "Achilles" on their site. Achilles says that the breach was not addressed sooner because the team was away for the holidays, and notes that BlankMediaGames does "not handle money": a third party processes all payments for them.

Hey everyone,

The BMG staff is just coming back from Christmas/New Year's vacation and we were informed that there may have been a breach of our database. I am currently in contact with Rackspace to figure out what happened and prevent it from happening again. You should update your Town of Salem passwords to be safe.

Important Notes:
We don't store any credit card or payment info. At all.
All passwords were hashed and not plain text. This means they do not know what your password is unless they run a program to attempt to guess it against the hashed password. Any reasonably strong password will take a very long time to be guessed.
Your accounts should all be safe still if they used the same password, but you can change that as well if you are worried.

The only important data compromised would be your Username/hashed password, IP and email. Everything else is just game related data.

Sorry that this happened, no game creator ever wants to be in this situation and having it happen over the holiday break when everyone was away was terrible timing.

Update: To clarify, we do not handle money. At all. The third party payment processors are the ones that handle all of that. We never see your credit card, payment information, anything like that. We don't have access to that information.

While it is good to hear that the user passwords were hashed, there is still a problem with how they were hashed. According to some users, including DeHashed, the phpBB version in use predates the addition of stronger password hashing: in DeHashed's words, the site used an "outdated version of the current phpBB algorithm" for securing passwords. The phpBB installation BlankMediaGames runs is roughly five years out of date, which places it before phpBB 3.1 moved from the phpass-style salted, iterated MD5 scheme to bcrypt. The practical difference is cost to an attacker: a few thousand MD5 rounds per guess is cheap work for a GPU cracker, so weak and reused passwords in the dump will fall quickly. They also do not use TLS (HTTPS) to protect traffic between users and the server, so logins and session cookies travel in clear text. This omission extends to the Town of Salem store page.