Millions of game accounts exposed in data breach, responsibility thrown to the wind

If vendor data breach apathy has set in, we're all in trouble.
Written by Charlie Osborne, Contributing Writer


New day, different breach.

It never seems to end. We've seen every service from LinkedIn to Tumblr being successfully targeted by attackers who then tried to sell millions of user accounts online, hotel chains admit to malware infections which lead to customer card details being swiped, and social media networks are fighting a constant battle to keep valuable user data out of the wrong hands.

In yet another example of a data breach, eyes have recently turned to a fashion gaming website which appears to have either ignored or is completely unaware of compromise.

Fashion Fantasy Game is an online game and social network for fashion lovers. The platform, developed by fashion designer Nancy Ganz, allows users to design and sell virtual fashion items in their own online fashion businesses, manage currency and market them to other virtual retailers.

Over 15,000 people follow the game on Facebook, but the community does not appear to be very active. However, despite this, the information of both past and present users has been exposed in a data breach.

As noted by Troy Hunt, operator of breach notification website Have I Been Pwned, a data breach which at the time of writing appears to have gone unnoticed by Fashion Fantasy Game has resulted in millions of user account credentials being leaked on the web.
According to Vigilante.pw, a database breach recorder, over 2.4 million accounts from the website were stolen in 2016.

Hunt has verified the data samples he has acquired as legitimate and said that the records contain subscribers' email addresses with credentials secured by the MD5 hash algorithm -- which is now easy to crack -- and no salt.
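The storage scheme Hunt describes, plain MD5 with no salt, is shown below beside a hardened alternative. This is an added example written for this article, not code from Fashion Fantasy Game or from Have I Been Pwned; the user records and the PBKDF2 iteration count are constructed assumptions, and the `duplicate_digests` audit is a hypothetical check a site operator could run over an existing credential table.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for this demonstration; not data from any breach.
SAMPLE_USERS = {
    "alice@example.invalid": "summer2016",
    "bob@example.invalid": "summer2016",
    "carol@example.invalid": "correct horse battery staple",
}

# Assumption: iteration count chosen to make each guess slow; tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The legacy scheme described in the article: one fast MD5 digest, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def duplicate_digests(stored: dict) -> dict:
    """Audit check (hypothetical): with an unsalted hash, users who chose the same
    password share the same digest, so the table itself reveals password reuse
    and one precomputed table breaks every such account at once."""
    by_digest = {}
    for email, digest in stored.items():
        by_digest.setdefault(digest, []).append(email)
    return {d: emails for d, emails in by_digest.items() if len(emails) > 1}


def hash_password(password: str, salt: bytes = b"") -> str:
    """Hardened scheme: per-user random salt plus a slow, iterated KDF.
    Record format is constructed for this example: pbkdf2_sha256$iters$salt$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def main() -> None:
    legacy = {email: md5_unsalted(pw) for email, pw in SAMPLE_USERS.items()}
    print("accounts sharing an MD5 digest:", duplicate_digests(legacy))
    hardened = {email: hash_password(pw) for email, pw in SAMPLE_USERS.items()}
    print("accounts sharing a PBKDF2 record:", duplicate_digests(hardened))
    print("login check:", verify_password("summer2016", hardened["alice@example.invalid"]))


if __name__ == "__main__":
    main()
```

Run as-is: the legacy table shows alice and bob sharing one digest, while the salted records differ even for identical passwords, and verification still succeeds because the salt travels with the record.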

Stolen password checker Breach Alarm suggests that the file was leaked by a member of AnonSquad.

Researchers have also suggested on Twitter that the data breach took place due to website vulnerabilities which still exist, despite the leak occurring over a year ago.

In addition to the suspected website vulnerabilities, the front-facing domain shows signs of SQL injection flaws: a simple syntax error in a query string value makes the site reveal its internal database statement.

"This is simply an apostrophe appended to the query string value and will cause an exception that shows an internal SQL statement, a very strong indicator that they have a SQL injection vulnerability that would easily enable this data to be extracted," Hunt told ZDNet.
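The failure Hunt points to, a stray apostrophe turning into a database exception that echoes the internal SQL, is reproduced below against an in-memory SQLite table, beside the parameterized query and the generic error handling that prevent it. This is an added example for this article, not code from the site in question; the `items` table, the handler and its log format are constructed assumptions.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's item catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (name) VALUES (?)",
                     [("Red Dress",), ("O'Neill Jacket",), ("Blue Scarf",)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the value is parsed as SQL, so an apostrophe in it
    breaks the statement. Left unhandled, the exception text carries the internal
    query back to whoever sent the request, which is the tell Hunt describes."""
    sql = "SELECT id, name FROM items WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value is never parsed as SQL, so O'Neill is just data."""
    return conn.execute("SELECT id, name FROM items WHERE name = ?", (name,)).fetchall()


def handle_request(conn: sqlite3.Connection, name: str, safe: bool = True) -> dict:
    """Hypothetical web handler: the client only ever sees a generic error,
    while the detail goes to a server-side log for the operators."""
    lookup = lookup_parameterized if safe else lookup_vulnerable
    try:
        return {"status": 200, "rows": lookup(conn, name)}
    except sqlite3.Error as exc:
        server_log = f"db error for name={name!r}: {exc}"  # constructed log line format
        return {"status": 500, "error": "internal error", "_server_log": server_log}


def main() -> None:
    conn = build_db()
    for value in ["Red Dress", "O'Neill Jacket", "Red Dress'"]:
        print(f"{value!r:20} concatenated:", handle_request(conn, value, safe=False))
        print(f"{value!r:20} parameterized:", handle_request(conn, value, safe=True))


if __name__ == "__main__":
    main()
```

The concatenated version fails on a legitimate product name as well as on an appended apostrophe, which is why such an error surfacing on a public page is a reliable signal that user input is being spliced into SQL; the parameterized version returns the matching row for `O'Neill Jacket` and an empty result for the malformed value, with no exception either way.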

This is not the first time Fashion Fantasy Game has been linked to data breaches and poor security.

Three years ago, a file dump was spotted online by Reddit contributors which, reportedly released as a collection of database SQL inserts, included usernames, first names, email addresses and simple passwords which could be easily guessed or brute-forced.

Fashion Fantasy Game has not acknowledged any kind of data breach or compromise on the firm's website or social media channels, despite requests for comment.

In a way, it doesn't matter if the company responds, as Hunt has verified some of the data. The damage is already done, with yet another file dump available for download or sale in the underground areas of the Internet.

So why does this data breach matter, occurring through a relatively small fashion website, when you have other more major companies -- such as Intercontinental Hotels and Neiman Marcus -- scrambling to resolve their own security breaches?

"It seems to be one of those cases where lots of people know about the incident except for the site it happened to," Hunt said. "I had all sorts of people say 'Yeah, we know about that' and there are a number of public references available too."

In other words, the data breach encompassed a few million accounts with poorly-secured passwords, which as Hunt describes is "bad, but a common story," and the vendor appears to be away on vacation.

The problem is not just that the breach occurred in the first place, but that the vendor appears to be unaware -- or perhaps is unwilling to engage, respond, and admit to the issue.

When large-scale operations dealing with vast volumes of customers' financial data suffer cyberattacks and lose control of information, the consequences are serious not only for their reputations but also in the financial cost of rectifying security systems and repairing any damage caused.

When smaller vendors, such as small-scale gaming websites experience the same kinds of attack and compromise, there is the danger of a 'mental shrug' accompanying the news, as it doesn't seem quite as important.

It is this kind of apathy towards data breaches that is dangerous. No matter where the information stems from, whether it be Google or Fashion Fantasy Game, vendors have a responsibility to keep this information as safe as possible.

While the average consumer generally does not take as much responsibility for their own security and privacy as they should -- such as using a fresh password for each online service which is changed often and implementing two-factor authentication whenever possible -- vendors cannot expect users to maintain basic security levels if they do not.

It is one thing to lose information due to your own negligence. However, if vendors do not use modern encryption techniques to protect user data, do not prevent easily-cracked passwords from being used for accounts, leave security holes ripe for exploitation in their domains, and then fail to keep tabs on their own data, then there needs to be a rapid re-think of what companies legally must do to protect their users -- especially if communication is not forthcoming.

Apathy and ignorance, in the end, can be just as dangerous as -- if not far more dangerous than -- the leaked information itself. Once the information is online, it is there for good.

ZDNet has reached out to Fashion Fantasy Game through multiple channels and will update if we hear back.
