BlankMeidaGames data breach

[chazragg]

It would appear BlankMediaGames has been the victim of a data breach.

 

Direct from my have i been pwned email

 

Quote

Breach:	BlankMediaGames
Date of breach:	28 Dec 2018
Number of accounts:	7,633,234
Compromised data:	Browser user agent details, Email addresses, IP addresses, Passwords, Purchases, Usernames, Website activity
Description:	In December 2018, the Town of Salem website produced by BlankMediaGames suffered a data breach. Reported to HIBP by DeHashed, the data contained 7.6M unique user email addresses alongside usernames, IP addresses, purchase histories and passwords stored as phpass hashes. DeHashed made multiple attempts to contact BlankMediaGames over various channels and many days but had yet to receive a response at the time of publishing.

 

 

edit: some extra information courtesy of rcmaehl 

Quote

BMG's website didn't support SSL to begin with. Additionally, functions used to hash/encrypt passwords were weak as they are using a FIVE year old version of their forum software. It was honestly was just a matter of time before this happened to them.

2

 

[Ashley MLP Fangirl]

this one is really bad.

[Levent]

nice, I just got my email as well. This is my 11th data breach (according to haveibeenpwned), feels normal nowadays.

[Ryujin2003]

So, these guys make cheap browser games? All I can see looking them up is Town of Salem, something I've never heard of or played. Do they do anything else either?

[BananaInSandals]

14 minutes ago, Ryujin2003 said:

So, these guys make cheap browser games? All I can see looking them up is Town of Salem, something I've never heard of or played. Do they do anything else either?

Well, that 7 million data could have been simply 7 million accounts. 1 person could have registered multiple accounts. 

[Bananasplit_00]

I really should get arond to changing all my passwords where I don't have 2FA

[chazragg]

1 minute ago, Bananasplit_00 said:

I really should get arond to changing all my passwords where I don't have 2FA

i made the switch to last pass and a yubikey 2 years ago and would never go back.

[rcmaehl]

Original Post is missing a lot but here's some stuff to add to it

 

BMG's website didn't support SSL to begin with. Additionally, functions used to hash/encrypt passwords were weak as they are using a FIVE year old version of their forum software. I honestly was just a matter of time before this happened to them.

[DocSwag]

Well crap.

 

I don't really want to change my password yet though... It sounds like they haven't increased their security so I could theoretically get breached again. Luckily I changed the password for all the websites I use the most recently and didn't change mine for BMG so it shouldn't be TOO big a deal

[mxk]

noooo my town of salem wins

[Bananasplit_00]

4 hours ago, chazragg said:

i made the switch to last pass and a yubikey 2 years ago and would never go back.

I don't like password managers, feels a lot like putting all your eggs in one basket. They brech the password manager and they get all your passwords instead of each app individually. Not that I doubt that password managers have good and well built security systems but I just don't like it much. 

[imreloadin]

It must be my age showing because I've never heard of this dev or this game at all...

[Hit_and_run_poster]

i've got have i been pwned set up and i've got a BMG account but i didn't get any email

[Jtalk4456]

it's alright guys, that was still technically 2018, so we're still fresh for this year!

[ZacoAttaco]

Yeah ivebeenpwned here, signed for this site years ago with some friends at a LAN party. They got my good email too...

10 hours ago, chazragg said:

BMG's website didn't support SSL to begin with. Additionally, functions used to hash/encrypt passwords were weak as they are using a FIVE year old version of their forum software. It was honestly was just a matter of time before this happened to them.

So would this indicate they probably can decrypt these passwords? Better have another look at my password manager.

 

Also, thanks for reminding me that I can get email alerts, should have set that up ages ago.

[Matsozetex]

I have three emails for this basic purpose:

 

A shitty email used for shitty things, including scripts to delete the constant spam it gets (hasn't been leaked).

 

An email used for video gaming services (the one that was leaked).

 

An email for serious stuff.

[chazragg]

14 hours ago, Bananasplit_00 said:

I don't like password managers, feels a lot like putting all your eggs in one basket. They brech the password manager and they get all your passwords instead of each app individually. Not that I doubt that password managers have good and well built security systems but I just don't like it much. 

I see where you are coming from, I like LastPass because a majority of the major sites support an auto change password feature so if my account was every breached I think I could change all my passwords before anyone could crack the hashed passwords. you could also use software like keypass which is a local version, we use it here at my work.

[chazragg]

12 hours ago, Hit_and_run_poster said:

i've got have i been pwned set up and i've got a BMG account but i didn't get any email

well, you only get the email if your email address appeared in the list posted online, maybe you were lucky and didn't get posted? 

[chazragg]

13 hours ago, imreloadin said:

It must be my age showing because I've never heard of this dev or this game at all...

there was also a Starcraft 2 arcade game that was similar called mafia. really interesting but I find it best played as a group as PuGs can ruin the fun

[XR6]

19 hours ago, rcmaehl said:

BMG's website didn't support SSL to begin with. Additionally, functions used to hash/encrypt passwords were weak as they are using a FIVE year old version of their forum software. I honestly was just a matter of time before this happened to them.

Exactly. Nowadays SSL is pretty much essential for anything containing emails and passwords.

 

BMG had it coming though, they were an easy target.

Not only was it the lack of SSL and the old forum software, but it was also the fact they were a relatively small game whose developers were most likely oblivious to the fact that the emails, passwords, IP addresses and whatever else they stored on their servers was not adequately protected.

I'm not one to jump to conclusions, but the fact that they couldn't even use SSL or update their forum software just makes me think BMG didn't really know what was going on with the security side of things.

 

Take everything I say with a grain of salt. I'm not a web developer nor a cybersecurity expert.

 

[NeuesTestament]

A data breach per day keeps the privacy at bay 

[Bananasplit_00]

4 hours ago, chazragg said:

I see where you are coming from, I like LastPass because a majority of the major sites support an auto change password feature so if my account was every breached I think I could change all my passwords before anyone could crack the hashed passwords. you could also use software like keypass which is a local version, we use it here at my work.

Yah I'd be a lot more up for a local version tbh but for now il keep off

[TVwazhere]

I only used the Steam version of the game, not the browser so I never made an account with BMG AFAIK. I think I'm fine unless this penetrates into that as well, but it sounds like it's mostly a browser security issue.