UPDATED Jan. 7 with news that many of the passwords had been cracked.
Millions of teenagers may be in for a nasty surprise. BlankMediaGames, creator of the massively popular online role-playing game Town of Salem, has suffered a data breach. Screenshot: Monica Chin/BlankMediaGames
Cybersecurity firm DeHashed said in a blog posting Tuesday (Jan. 1) that it had received a copy of BlankMediaGames' full database of user information, which the person contacting DeHashed said had been stolen. The breach exposes more than 8 million users and 7.6 million unique email addresses.
The attacker or attackers used a Local File Inclusion/Remote File Inclusion (LFI/RFI) attack, which tricks a web server running PHP into loading and executing attacker-controlled files, DeHashed said.
The exposed user information includes usernames, email addresses, passwords, IP addresses, game and forum activity, and payment and billing information for any users who purchased premium content (such as character clothing or game skins).
A BlankMediaGames developer said Wednesday (Jan. 2) on the Town of Salem forums that no credit-card numbers were stolen. But if you have a BlankMediaGames account, change your password now.
"We have found and removed 3 different php files from our webserver that allowed the hacker to have a backdoor into the server," the developer said. "We are in the process of contacting security auditing firms and potentially discussing reinstalling all of our servers from scratch just to be 100% sure."
The developer said that each password was stored in the database as a "salted MD5 hash."
In other words, what was actually stored was the digital representation of each password after it had been run through a one-way algorithm that, in this case, resulted in a unique 128-bit number -- the "hash." To further foil attempts to crack, or reverse, the hash, each password was "salted" with random additional data before the hash was generated.
But that's not all good news. The MD5 hash function is widely considered to be insecure. The original author of the algorithm urged users to abandon it in 2012, following the leaking of more than 6.4 million LinkedIn passwords (which later turned out to be 117 million passwords) that had been hashed in a similar manner.
It's likely that despite the salting, whoever attacked the Town of Salem database has cracked, or will soon crack, many of the exposed passwords. [UPDATE: As of Jan. 7, nearly 28 percent of the password hashes had been cracked, according to Hashes.org.]
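To make the point concrete, here is an added example (not code from the article, DeHashed or BlankMediaGames) that stores a password the way the developer describes, as a salted MD5 hash, next to a slow password hash (PBKDF2-HMAC-SHA256), and measures how many salted-MD5 guesses an attacker can test in the time it takes to check one PBKDF2 hash. The salt layout `md5(salt || password)` is an assumption, since the article does not say how the salt was combined.

```python
import hashlib
import hmac
import os
import time

# Assumed layout: hex(md5(salt || password)). A salt stops precomputed
# (rainbow) tables, but MD5 itself stays extremely fast to compute.
def salted_md5(password: str, salt: bytes) -> str:
    return hashlib.md5(salt + password.encode()).hexdigest()

def verify_salted_md5(password: str, salt: bytes, stored_hex: str) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the hash.
    return hmac.compare_digest(salted_md5(password, salt), stored_hex)

# A deliberately slow hash: each check costs PBKDF2_ITERATIONS HMAC rounds.
PBKDF2_ITERATIONS = 200_000

def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def verify_pbkdf2(password: str, salt: bytes, stored_hex: str) -> bool:
    return hmac.compare_digest(pbkdf2_hash(password, salt), stored_hex)

def guess_cost_ratio(trials: int = 2000) -> float:
    """Rough, single-core estimate of how many salted-MD5 guesses fit in the
    time of ONE PBKDF2 check. The salt is known to whoever holds the database,
    so it does not add any work per guess."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(trials):
        salted_md5(f"guess{i}", salt)          # constructed guesses
    md5_each = (time.perf_counter() - t0) / trials
    t0 = time.perf_counter()
    pbkdf2_hash("guess", salt)
    pbkdf2_each = time.perf_counter() - t0
    return pbkdf2_each / md5_each

if __name__ == "__main__":
    salt = os.urandom(16)                      # one random salt per user
    record = salted_md5("hunter2", salt)       # constructed sample password
    print("stored salted MD5:", record)
    print("verify correct password:", verify_salted_md5("hunter2", salt, record))
    print("verify wrong password:  ", verify_salted_md5("hunter3", salt, record))
    print(f"MD5 guesses per one PBKDF2 check: ~{guess_cost_ratio():,.0f}")
```

The ratio printed at the end is why salting alone does not protect a leaked MD5 database: an attacker who holds the salts can still try an entire dictionary against each user's hash in a fraction of a second.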
If you've played Town of Salem, you should change your password immediately. Do the same for any other accounts that use the same email address and password, and give each of those accounts its own new, unique password.