Sometime last week, online game storefront and bundle merchant Humble discovered it was the victim of a data breach. But you wouldn’t know it from visiting its website or checking the news. Instead, Humble elected to contact only affected users, informing them that while its customer data was accessed, no critical information was leaked.
Note — 12:30 AEDT: The Humble Bundle website is currently serving a 403 Forbidden page. This is likely a coincidence, rather than being related to the breach.
Note — 2:38 AEDT: And it’s back up. As mentioned previously, there is nothing to suggest currently that the breach and downtime are related.
Yesterday, Reddit user “InGordWeTrust” posted a screenshot of the email they received from Humble CEO Jeffrey Rosen, providing some details on the breach, which was blamed on “a bug in [Humble’s] code”.
According to the email, the suspect used a “list of email addresses” from a source other than Humble to exploit the site.
However, the data the hacker gained access to was minimal:
Sensitive information such as your name, billing address, password, and payment information was NOT exposed. The only information they could have accessed is your Humble Monthly subscription status.
More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires; and if you’ve received any referral bonuses.
The email goes on to say that although the leak was minor, it felt it best to contact affected users as quickly as possible, in case “someone use[s] the information gathered to pose as Humble Bundle”.
While the email is a good — and one might say, mandatory — move, you would think Humble would have penned a blog post about the breach, in the spirit of transparency. If anything, it proves its security is pretty darn good if the hacker was only able to grab something as trivial as one’s subscription status.
(In semi-related news, Humble currently has a bundle running on cybersecurity books.)