ESEA confirmed that personal information from an estimated 1.5 million people was compromised in a December 27 data breach.
The company hosts competitive leagues for CS:GO, Team Fortress 2, and other games. It said an unidentified hacker reached out via its bug bounty program to say they had managed to break into the company’s systems, and demanded a $100,000 ransom in exchange for keeping the information private. ESEA declined, saying its policy is not to comply with any ransom demands, and the hacker published the user data on January 8.
ESEA said it doesn’t store any banking information on its servers. But it did store plenty of other information: the hacker was able to steal “usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers.” That was just the information ESEA required from its users; the company explained that many people choose to share more about themselves on the service:
There are additional optional fields of data for user profiles which make up a larger percent of the data stolen, which ESEA users can enter to further complete their publicly viewable profile page. Such data points include favorite drink, favorite food, favorite esports player, their computer hardware specifications, Xbox gamer tag, and PlayStation Network ID to allow other users to interact with them through those platforms, etc. All users add those data fields knowing that it is publicly viewable on their profile page, and may include different amounts of completion for these optional profile fields.
It’s one thing to share information with other forum members, and another thing entirely to have that information bundled up with other data and published online. Besides the usual risk associated with data breaches (attackers breaking into other accounts by exploiting the fact that people reuse login credentials), the inclusion of all that other data could make the 1.5 million people affected by this hack vulnerable to phishing attacks.
Phishing works best when attackers know something about their victims. This is called spear-phishing: instead of just casting a wide net and hoping for someone to bite, attackers carefully select their targets and focus their energy on duping them. Which seems more likely to work, a generic email with a malicious link inside, or a custom-tailored message that appeals directly to one person? Most experts agree that the latter poses more of a problem.
ESEA advised its users to change their passwords on other services, to stop reusing login credentials across multiple sites, and to “be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information.” The company said it has been in touch with the FBI about the incident, and that it made a series of security upgrades between December 28 and January 8 to prevent similar intrusions.