Digital Extremes confirms the breach to Motherboard.
Someone or some corporation gets hacked every day. In our series Another Day, Another Hack, we give you what you need to know about the latest data breach, so you can figure out if you might be at risk.
User details for online, free-to-play game 'Warframe' are being traded in the digital underground. The nearly 800,000 records include email addresses, usernames, and dates for when the account was created and last logged into.
Warframe is available on PC, Playstation 4 and Xbox One, and is consistently in the top 20 played games on Steam. Troy Hunt, a security researcher and creator of the breach notification site Have I Been Pwned?, first flagged the data breach to Motherboard earlier this month. Motherboard obtained a sample of the data and provided a copy to Warframe, which verified its authenticity.
"After a thorough review of the data we received, we can confirm that a list of 775,749 email addresses were acquired through a Drupal SQL exploit that was patched by Drupal two weeks after the breach occurred," said Meridith Braun, VP Publishing at Digital Extremes, the company behind Warframe, in a statement to Motherboard.
The site was hacked in November 2014, but has only come to light now.
"The stolen data DID NOT include any account passwords, variations of passwords, hashed passwords, game account data or personal player information such as full names, addresses or other billing and payment information," Braun said. (EDIT: Motherboard pressed Braun on this, and pointed out that the hashes in question are marked as "pass." But Braun insisted this was just a placeholder value.)
In other words, the only data of note included in the breach were email addresses and usernames, which, while not ideal, will surely be a relief to Warframe players.
"We take account and game security very seriously and are constantly working to improve and plug any exploits we find," Braun continued. "As part of our continued efforts to improve the security of Warframe, over the last year and a half we have added two-factor authentication (2FA) and also replaced Drupal with a custom website system that no longer stores any account information to avoid exposing ourselves to these sorts of attacks."
The lesson: Gaming sites, and the forums and communities around them, are a particularly common target for hackers. When signing up to a service, always been sure to use a strong, unique and hard to guess password, even if that's for a seemingly innocuous game as a precaution.