You can’t play games without giving up your data. But when you give up your data, you’re trusting a company to protect that data from nefarious hackers. And sometimes, this data gets leaked or breached, and suddenly, some guy in a different country has access to your passwords and maybe even credit card information.
In many ways, the worlds of gaming and hacking go hand in hand. A lot of hackers are gamers and vice versa. You can play hacking-oriented games like Uplink, Hacknet, Hackmud, Cyberpunk 2077, and more. Some of these games can teach you the fundamentals of hacking and coding, and hackers themselves designed most of these games. It’s hardly surprising then that gaming accounts have been a major focus for hackers since the dawn of the internet.
Why Do Hackers Target Gamers?
Hackers target just about everyone. Some hackers focus on high-profile targets like massive corporations, and others go for the low-hanging fruit (small businesses with poor security). With big companies, the task is harder, but the reward is greater (potentially tens of thousands, hundreds of thousands, or even millions of accounts). And it’s easier to succeed when targeting smaller companies because their systems tend to be more vulnerable, and while the reward is lower, they can target more of them.
With that said, there are several reasons a hacker might specifically target a gaming company to acquire player credentials:
- Payment details on file: Gamers like to buy more games or in-game products, so they link their payment information to their accounts.
- Account takeovers: A major drive for hackers is being able to take over your account. This is often done by individuals or companies who want to use your account for botting activities or to sell your in-game items. A player with a lot of in-game currency or high-end items might be a target for a phishing attack (a type of social engineering attack where you are tricked into giving your user name and password or security details).
- It seems less serious: An aspiring hacker might be wary of trying to hack banking apps or other ‘serious’ software. They might view a gaming account as non-serious and low-risk.
It’s worth pointing out that not all gaming accounts up for sale online come from players being hacked. In fact, the vast majority don’t, and you can buy legitimate game accounts from players who are ready to move on from the game. One platform that promotes the ethical sale of accounts is Eldorado.gg, where, for example, you can purchase a legit OSRS account from an experienced player.
Now, onto the biggest player information leaks in gaming history.
Sony suffered a massive breach in 2011, which resulted in player credentials for 77 million accounts being leaked. At the time, it was one of the biggest internet security breaches in history. The hacker obtained players’ names, addresses, email addresses, birth dates, usernames, passwords, security questions and more. Sony did say that there was no evidence that the hacker stole credit card details but that it was possible. Essentially, they told players to act as though their credit card was stolen.
In 2019, online gaming company Zynga reported a data breach that affected approximately 200 million users. Stolen data included email addresses, usernames, login IDs, Facebook IDs, phone numbers, and hashed passwords. They used the SHA-1 hashing algorithm to protect the passwords, which was a major mistake. SHA-1 has not been considered safe since 2010, so why they were still using it in 2019, we don’t know.
A video game called Town of Salem, produced by BlankMediaGames, was breached in January 2019. It was reported that over 7,600,000 unique email addresses were exposed in this breach. But that’s not the end of it. Due to the weak MD5 hashing used to protect the database, it wasn’t long after the breach that hackers were able to successfully crack 2.4 million passwords.
There seems to be a weak hashing theme going on here.
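The Zynga and Town of Salem breaches above both involved passwords stored as SHA-1 or MD5 digests. As an added example (not code from any company named here), this sketch shows one way a site holding such legacy digests can verify them and replace each with a salted, slow PBKDF2 hash at the user's next successful login. The storage format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000
PREFIX = "pbkdf2_sha256"


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PREFIX}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    """Verify against either the new format or a bare legacy MD5/SHA-1 hex digest."""
    if stored.startswith(PREFIX + "$"):
        _, iters, salt_hex, hash_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), hash_hex)
    # Legacy rows: unsalted hex digest, 32 chars = MD5, 40 chars = SHA-1.
    algo = {32: "md5", 40: "sha1"}.get(len(stored))
    if algo is None:
        return False
    legacy = hashlib.new(algo, password.encode()).hexdigest()
    return hmac.compare_digest(legacy, stored.lower())


def needs_upgrade(stored: str) -> bool:
    """True for legacy digests and for PBKDF2 rows with a different work factor."""
    return not stored.startswith(f"{PREFIX}${PBKDF2_ITERATIONS}$")


def login(db: dict, user: str, password: str) -> bool:
    """Check the password; on success, rewrite a weak stored hash in place."""
    stored = db.get(user)
    if stored is None or not check_password(password, stored):
        return False
    if needs_upgrade(stored):
        db[user] = hash_password(password)  # plaintext is only available at login
    return True


if __name__ == "__main__":
    # Constructed sample rows: two users with the same password, unsalted MD5.
    db = {u: hashlib.md5(b"hunter2").hexdigest() for u in ("alice", "carol")}
    print("identical legacy hashes:", db["alice"] == db["carol"])
    login(db, "alice", "hunter2"), login(db, "carol", "hunter2")
    print("identical after upgrade:", db["alice"] == db["carol"])
```

Accounts that never log in again keep their weak digest, so a real migration also needs a plan for dormant rows, such as forcing a password reset.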
A massive Armor Games data breach took place in January 2019. Armor Games became aware of the breach in late January 2019 due to the cybersecurity firm Tuik Security Group bringing it to their attention. An eye-watering 11 million accounts were impacted. Details exposed in the breach include usernames, email addresses, IP addresses, and hashed passwords. On the upside, since Armor Games did not store other sensitive data types, the impact was limited. For example, they didn’t store credit card details, phone numbers, addresses, or last names. However, it’s worth noting that hackers do cross-reference this information to create user profiles.