The ESEA is an esports community that runs a popular online Counter-Strike league. In late December, its security got breached in a big way. Now the details of that breach are coming to light, with 1.5 million users affected after the ESEA refused to pay a hacker $US100,000 ($135,839).
Late yesterday, the ESEA confirmed that 1.5 million users were affected. They have also published a timeline of events in which they say a hacker first contacted them "demanding a ransom payment of $US100,000 ($135,839) to not release or sell the user data" on December 27.
After verifying the hacker's claims, consulting with legal council, and patching the breach, the ESEA notified their community of a possible leak on December 30.
The ESEA decided not to play ball with the hacker, who continued threatening them from December 31-January 6, but didn't leak anything. Then the hacker stepped up their efforts. On January 7, they breached a game server directly and quickly made their presence known. "Through information obtained from our game server infrastructure database, the threat actor was able to gain access to a game server," the ESEA said.
"With that game server's restrictive access, the threat actor was able to edit karma (community feedback system) of users, but not able to view, access or modify any personal information."
On January 8, the hacker, still not $US100,000 ($135,839) richer, finally went through with the leak. It's pretty gnarly. "We are still investigating but believe that a large portion of the ESEA community members' information including usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers could all have been exposed," the ESEA explained in an FAQ published today. It's important to note that passwords are safe, but other data could be used for socially-driven attacks like phishing.
On the upside, the ESEA added that they have "worked to identify the source of the vulnerability and have taken the appropriate measures to patch it." They also noted that they're working with technical and legal experts, as well as the FBI, to track down the hacker and ensure that their systems are secure.
If you've used ESEA services with Counter-Strike or any other games, you ought to change your passwords on other sites as soon as possible and be on the lookout for suspicious requests for personal information. This is, to put it lightly, A Big Fucking Mess. While it sounds like the ESEA is doing what it can to ensure this doesn't happen again, you'd be wise to keep a wide and wary eye on them for a long, long time.