Game developer Sandbox Interactive GmbH recently disclosed that the forum for its medieval massively multiplayer online role-playing game (MMORPG) Albion Online has been hacked, reported ZDNet. The extent of the breach was not disclosed.
In a post published on the forum, the Germany-based company revealed that the breach took place on October 16. The hacker exploited a vulnerability in WoltLab Suite, the platform used to host the Albion forum.
While the number of accounts affected was not announced, the company sent emails to users whose data was accessed during the hack. The game is known to have over 2.5 million players while the forum has 293,602 registered users.
The firm also said, “The intruder was able to access forum user profiles, which include the email addresses connected to those forum accounts.”
The hacker was also able to obtain users’ stored passwords, which were hashed and salted. ZDNet explained that the passwords were hashed using the bcrypt hashing function and salted with random data “to make it harder for attackers to reverse and crack the password.”
While strong passwords are more difficult to crack, the company warned that users with weak ones may be at risk, though with only “a small possibility.” Threatpost also said that the email addresses can be used to launch brute-force attacks on accounts.
However, Sandbox Interactive clarified that this does not mean that user credentials for the Albion website have been compromised, because the website requires a separate username and password. This reassurance does not apply to users who reused the same login details for both the forum and the website.
To prevent any unauthorized access to their accounts, the company urged users to change their passwords. It also informed players that the issue that allowed the breach has now been fixed.
It is also “running additional checks to ensure the integrity of our systems” and will be “executing a full review of all our systems to ensure [user] information remains absolutely safe.” Additionally, the firm is putting together a report, which will be submitted to authorities.
Meanwhile, ZDNet reported that a hacker claims to have the database. The attacker posted an advertisement for the database on a hacker forum on Saturday.
According to screenshots of the post published on Twitter, the attacker has access not only to login credentials but also payment databases and other datasets with sensitive info. At the time of writing, the post has been removed.