Published: March 4, 2020 in our Security Fraud News & Alerts Newsletter.
Over two million users of GateHub and EpicBot learned their account passwords may have been posted in an online data dump. GateHub, a cryptocurrency wallet service, and EpicBot, a RuneScape bot provider for online gaming, were targets of a cyberattack. For 1.4 million GateHub fans, personal data like two-factor authentication keys and wallet hashes were also included. EpicBot had 800,000 passwords hacked, along with IP addresses and usernames. Both websites use the bcrypt hashing function for passwords, known as one of the toughest functions to crack. However, it wasn’t that long ago that “cheaters” dating website Ashley Madison made errors leading to 36 million bcrypt hashed passwords being exposed, as well as client emails and other personal data.
The account data from GateHub was discovered dumped on a hacker website called RaidForums in August of 2019, after GateHub publicly reported it had been hacked. Soon after the discovery, GateHub claimed to have generated new encryption keys and to be re-encrypting all sensitive information for its account holders. The company also said, “All affected customers were notified about the unauthorized access and provided a list of data that the perpetrator was able to retrieve from their account.” Users who were not affected were also notified of the hack. GateHub told all its users that changing passwords is not necessary, since they were already re-encrypted and changed in July, but suggested that mnemonic phrases should also be changed. However, whenever a breach like this occurs, it’s always best practice to change your password.
EpicBot has had prior security issues but is currently staying quiet about this latest one. The company is advising users to change their passwords as soon as possible, but it has released no further account security suggestions at this time. Changing a password immediately after a hack is always advised, no matter the website. Users of both hacked websites should be alert to other attacks that use their personal information, such as email spear phishing, vishing (voice phone calls) and smishing (SMS text messaging). Both companies say they are currently investigating the hacks to bring the perpetrator(s) to justice.
Use these tips to create a strong password:
Don’t use dictionary words, names, dates of birth, or identifying information of you or close family members.
Passwords should be at least six characters.
Include letters, numbers, special characters.
Of course, don’t write them down and leave them accessible. If it is necessary to write them down at all, keep them separate from internet-connected devices and tucked away out of plain sight.