A data breach at BlankMediaGames (BMG) has affected more than 7.6 million players of Town of Salem, a browser-based online role-playing game.
The incident was disclosed on December 28 to cybersecurity company DeHashed, which received an anonymous email containing evidence of server and database access.
DeHashed says affected data includes usernames, emails, passwords, IP addresses, game and forum activity, and payment information. Some users who paid for features also had billing data compromised.
The attackers used a Local File Inclusion/Remote File Inclusion (LFI/RFI) attack, which injects malicious code into a web server running PHP, DeHashed said.
The attackers then gained unauthorized access to the complete gamer database, which contained 7,633,234 unique email addresses (most were Gmail, Hotmail, and Yahoo.com email accounts).
A BlankMediaGames developer named Achilles responded on the Town of Salem forums that no credit-card numbers were stolen. Further, Achilles wrote, all passwords were hashed and not stored in plain text.
“The only important data compromised would be your Username/hashed password, IP and email,” Achilles wrote. “Everything else is just game related data.”
Data security is becoming a much larger issue for game developers; just last month, Bethesda Game Studios came under fire for a bug that leaked player information from support tickets.
If you’ve played Town of Salem, you should change your password immediately.