Months after Gamigo warned its users of a server breach, 8,243,809 user account credentials (e-mail addresses and encrypted passwords) have made their way online. If you've never heard of it, Gamigo is a German online games publisher that focuses on Massively Multiplayer Online Role-Playing Games (MMORPGs) and has so far released 14 client games as well as five browser games. To check whether your account was one of the 8 million that have been compromised, head over to PwnedList, which tells me just recently finished adding this release to its databases.
So, how did this all start? Sometime in late February 2012, Gamigo was hacked by someone who calls him or herself "8in4ry_Munch3r." The company's website was taken down for an extended period of "maintenance." On March 1, Gamigo sent out the following e-mail to its users:
As you have all already noticed, our game servers, websites and forums are partially unreachable at the moment. We would like to explain to you what happened and what has been done on our side.
There was an attack on the gamigo database in which user information, such as alias usernames and encrypted passwords were stolen. An excerpt from these was published in the gamigo forums. We detected the attack and are working to the utmost of our resources to repair the damage and determine how it happened.
Your character data, including items, is safely stored on the backup! We cannot rule out that the intruder(s) is/are still in possession of additional personal data, although to date we have received no report of any fraudulent use.
To prevent any unauthorized access to your account, we have reset all passwords for the gamigo account system and for all gamigo games!
The gaming site also offered its users guidance on what to do in the aftermath of the hack.
Please follow the following steps to recover access to your gamigo accounts and get back to playing again:
Step 1: Go to the gamigo Account System https://en.gamigo.com/showlayer/resetpassword and set up a new password for the gamigo aAccount System. Please make certain that the new password is not the same as the old one!
Step 2: Log in to the gamigo Account System with the new password and go to "My Games." Please select a new, secure password for each of your games.
Step 3: Important: Please also immediately change the passwords for all game forums you visit, to ensure that your data is safe there as well.
A detailed set of instructions on changing your password can be found in our guidelines at http://assets.cdn.gamigo.com/marketing/portal_en/password-help.pdf.
If you have problems, please contact our Support team at https://ticket.gamigogames.de/index.php?languageid=1.
We greatly regret this incident and any inconvenience it has caused to you.
Gamigo then returned to business as usual, and all was well. The hackers behind the attack, however, were far from done. They were hard at work compiling all the pilfered user accounts and passwords.
On July 6, a forum topic on InsidePro titled "11М md5 hashlist to dump" was posted by a user "-=lebed=-":
Please test your dictionaries
OOPS!, the list should lead to a common mind, and that there is only a first hash, and then type E-mai: hash
That was at the beginning of July, but we're almost at the end. So, what took so long? Well, the leak was only spotted by PwnedList after they saw the following message from _Laz3r_ on July 16:
@gattaca Also http://gamigo.com got popped back in March, hashes dumped 7/6 on insidepro. About 8m email+hashes. http://bit.ly/LsEjUh
Here we are, a week later, and the breach is now fully public. This means we can take a closer look at what exactly was obtained by the hackers.
The SendSpace link pointed to a 478MB file called "ALL.txt" with over 11 million account credentials. Some 6 percent were duplicates, but the rest were new. The link is dead now (Update on July 25 - A new one is up), but PwnedList managed to download and index it before it went down. The company gave me this quick analysis of the leak:
- German accounts: .de: 2.4 million
- t - online.de accounts: 100,000
- US accounts: .com: 3 million
- French accounts: .fr: 1.3 million
The e-mail addresses affect the usual big guys: Microsoft's Windows Live Hotmail, Google's Gmail, and Yahoo Mail. That being said, domains pointing to corporations such as Allianz, Deutsche Bank, ExxonMobil, IBM, and Siemens were also found among the list of compromised user credentials.
The good news is that more than 5,000 e-mail addresses included the name Gamigo, suggesting that they were created specifically to register for the gaming site. Still, that number only represents 0.0006 percent of the total number of e-mail addresses and passwords that were leaked.
While the compromised accounts are unlikely to be useful on Gamigo's sites, since the gaming publisher forced a password reset for all its users, that doesn't mean it can't be used elsewhere. If you use the same e-mail address and password combination elsewhere, make sure to change it there as well.
This breach is bigger than anything we've seen so far this year. In the last few months, there have been a slew of attacks against the following sites: LinkedIn, eHarmony, Last.fm, , , , , and , among others.
The largest one was against LinkedIn, which saw the leak of 6.46 million passwords. Gamigo now tops the list.
I have contacted Gamigo about this leak and will update you if I hear back.