A hacker has made off with at least 6.5 million email addresses and poorly hashed passwords from a Yu-Gi-Oh fan project called “Dueling Network.”
While the network itself was shut down by a cease and desist order in 2016, the site's forum continued running until recently, according to Vice's Motherboard.
Black Luster Soldier, a network administrator, told the publication that their working theory is that the assailant used a vulnerability in MySQL to obtain the information.
"At the moment, the claim that information has been breached for 6.5 million DN accounts appears to be accurate. Note that many accounts are duplicates owned by the same user or were never actually logged in, so this number is inflated," they said.
Leakbase, a paid breach notification service, provided Motherboard with a small sample of accounts for verification purposes.
Black Luster Soldier advised users to change their passwords on any other services that use the same credentials as their Dueling Network account.