'Town of Salem' game suffers data breach exposing 7.6 million user details

Game maker has yet to alert users outside a short forum post.

town-of-salem.png

Image: BMG, ZDNet

A hacker has stolen the personal details of 7.6 million users of browser-based game the "Town of Salem," BlankMediaGames (BMG) admitted yesterday in a blog post.

The hack came to light after a mysterious person sent a copy of the stolen data to DeHashed, a commercial data breach indexing service.

DeHashed says it spent all the Christmas and New Year holiday trying to contact BMG and alert the game maker of the hack and its still-compromised server.

The hacked servers were finally secured and "multiple backdoors removed" this week. According to an analysis of the stolen user data received by DeHashed, the following information appears to have been exfiltrated from Town of Salem servers:

  • Usernames
  • Email addresses
  • Passwords in the (phpass, MD5(WordPress), MD5(phpBB3)) format
  • IP addresses
  • Game & forum activity
  • Purchased game premium features, but without payment information or credit card details

"To clarify, we do not handle money. At all," said Achilles, one of the BMG staff members. "The third party payment processors are the ones that handle all of that. We never see your credit card, payment information, anything like that. We don't have access to that information."

DeHashed, which is a commercial service similar to the more successful Have I Been Pwned (HIBP), has also shared the data with HIBP. Users who registered on HIBP should be receiving an email alert if their data was included in the Town of Salem leak.

For the time being, BMG is still dealing with the hack's aftermath and has not yet notified affected users except a short forum post. As a first step, the company has advised gamers to change their account passwords, although an in-game message would be preferable to a forum post that not all users will likely see. We could not reach the company for additional comment.

More data breach coverage: