350,000 people exposed in Capcom data breach — what to do now

A screenshot of Resident Evil 2.
(Image credit: Capcom)

As many as 350,000 Capcom players and employees are at risk of spam, phishing attacks and identity theft due to a ransomware attack and data breach involving the Japanese publisher of such classic video games as Street Fighter, Resident Evil, Mega Man, Devil May Cry and Phoenix Wright: Ace Attorney. 

Passwords and credit cards don't seem to have been compromised, but you'll want to change your Capcom account password if you have one and check your credit-card statements if you've ever bought something from Capcom's online store.

Earlier this month, Capcom announced that it had been attacked by the Ragnar Locker cybercrime gang, who had gotten into the company network and encrypted and stolen data, but Capcom reassured customers that none of their data seemed to have been accessed by the thieves.

That's no longer the case. The company said yesterday (Nov. 16) that it had "verified that some personal information ... has been compromised" and that other personal data might also have been accessed. (Some of the stolen data has already been posted online, per Bleeping Computer and the BBC.)

Data known to have been stolen includes the names, addresses, signatures and passport information of current and former employees. Data suspected to have been stolen includes the names, addresses, dates of birth, email addresses and telephone numbers of customers, shareholders and former employees. 

All told, Capcom says, up to 350,000 people in Japan and North America may have had their personal data compromised.

No credit cards, no passwords, but bad enough

The company said no credit-card data had been stolen, and it did not mention passwords. But the types of data stolen put affected Capcom customers and employees at greater risk of seeing more spam as well as phishing emails trying to fool recipients into giving up passwords. 

The theft of the names, dates of birth and addresses also raises the risk of identity theft. In North America, you might often need only the individual's U.S. Social Security number or Canadian Social Insurance Number to be able to open a bank account, get a driver's license or perform other operations as that person.

If you're a U.S. resident and a Capcom customer or account holder, consider instituting a credit freeze to lock down your accounts and using one of the best identity-theft-protection services.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.