An attacker leaked an E-Sports Entertainment Association (ESEA) database containing 1.5 million player profiles after an alleged failed extortion attempt.
The leak was part of a ransom scheme in which the attacker reportedly demanded $50,000 in exchange for keeping silent about the hack, according to CSO Online. An ESEA spokesperson confirmed to SC Media that there was an extortion attempt but didn't specify the amount requested.
Officials were made aware of the breach on December 27, 2016, when an unknown individual reached out to ESEA to inform them of the incident, which exposed usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers, ESEA said in a Security Update FAQ.
Users have been instructed to change their passwords, security questions and answers for any other accounts which may have used the same or similar information as the ESEA account, and also to review their accounts for suspicious activity. Users should also be suspicious of any unsolicited communications that ask for personal information or refer them to a website asking for personal information, the FAQ said.
Officials said in the FAQ that they have identified and patched the source of the vulnerability.
The association also noted that it has notified the FBI of the incident, consulted technical and legal experts, and is utilizing the full resources of its parent entities to strengthen its systems.
“If you're not part of the video game industry, you might not realize that it's more than a $30 billion industry,” Tim Erlin, senior director of IT security and risk strategist at Tripwire, told SC Media. “Profit-motivated criminals target industries that deliver financially.”
Erlin said that cybercriminals don't just target banking information and that all kinds of personal information have value on the black market, adding that the gaming industry collects a lot of personal information, which makes it an easy target.
“Modern gaming is all about collecting money from consumers, and gaming companies have plenty of credit card data to make them an attractive target,” Erlin said, adding that this particular technique isn't new. “We've seen this particular technique for parting businesses and individuals from their money move through industries.”