Four months after Gamigo announced that it had been hacked and that the intruders might have accessed users’ personal information, millions of usernames, passwords and email addresses from the site’s databases have been released online, in what is being described as one of the biggest password dumps ever seen.
The site, based in Germany, announced in March that an “attack on the Gamigo database” had exposed not only “(alias) user names and encrypted gamigo user passwords” but also, possibly, more. “[Our] database was subject to an attack in the last few days,” the site posted in its forums, adding that “We cannot rule out that the intruder(s) is/are still in possession of additional personal data, although to date we have received no report of any fraudulent use.” With the site employing a micropayment system to create revenue, the threat of “additional personal data” loss could have been extremely unnerving to some users. “To prevent any unauthorized access to your account, we have reset all passwords for the gamigo Account System and for all gamigo games,” the announcement concluded. And then – nothing, or so it seemed, leading some to believe that the information hadn’t actually been breached after all, and hoping that it was all a false alarm. Sadly, it wasn’t.
A file containing just over eight million unique email addresses was shared via the InsidePro forum on July 6, with the subject line “11М md5 hashlist to dump.” The post itself gave no context for the link, simply asking users to “Please test your dictionaries” and adding “OOPS!, the list should lead to a common mind, and that there is only a first hash, and then type E-mai: hash.” The dump, no longer available for download, was captured by PwnedList owner Steve Thomas, who identified it as the Gamigo data and described it as “the largest leak I’ve ever actually seen.” He went on to say, “When this breach originally happened, the data wasn’t released, so it wasn’t a big concern. Now eight million email addresses and passwords have been online, live data for any hacker to see.”
The information breaks down to 8,244,000 email addresses, with 3 million accounts from the US, 2.4 million from Germany, and 1.3 million from France. In addition to addresses at the familiar public providers (Gmail, Hotmail, Yahoo!), there were corporate addresses from companies including IBM, Allianz, Siemens, Deutsche Bank, and ExxonMobil. More than five thousand of the addresses included the word “gamigo,” suggesting that they were created specifically to sign up for the service. For Thomas, the dump of the passwords isn’t the end of the hack, but the beginning of the fallout. “Now that these full details are out there,” he told Forbes, “we can expect more attempts for accounts to be taken over or used maliciously.” Perhaps it’s time to start changing passwords, just in case.
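The forum post’s “md5 hashlist” in “E-mail: hash” layout, its request to “test your dictionaries,” and the domain breakdown above are worth seeing concretely. The following is an added example written for this page, not code from the article, Gamigo, or InsidePro. It parses a constructed dump in that layout (made-up addresses; the first four hashes are the well-known MD5 values of common passwords, the fifth is computed from a long passphrase), runs a dictionary attack, tallies the domains, and contrasts the cost against per-account salting. Treating the hashes as unsalted MD5 is an assumption drawn from the post’s wording; the page never states how Gamigo hashed passwords.

```python
"""Dictionary attack on an "email:hash" MD5 dump (added example).

Assumptions, not facts from the article: the dump uses unsalted MD5 and one
"email:hash" record per line. All addresses, salts and passwords below are
constructed for this example.
"""
import hashlib
from collections import Counter, defaultdict


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed sample dump in the post's "email:hash" layout.
SAMPLE_DUMP = "\n".join([
    "alice@example.com:5f4dcc3b5aa765d61d8327deb882cf99",         # md5("password")
    "bob@example.org:e10adc3949ba59abbe56e057f20f883e",           # md5("123456")
    "carol.gamigo@example.net:5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password") again
    "dave@example.com:d8578edf8458ce06fbc5bb76a58c5ca4",          # md5("qwerty")
    "erin@example.org:" + md5_hex("correct horse battery staple"),  # not in WORDLIST
    "not a valid line",                                           # malformed, skipped
])

# A tiny stand-in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "gamigo"]


def parse_dump(text):
    """Map each hash to every account that shares it.

    Lines that are not 'email:<32 hex chars>' are skipped rather than aborting
    the run, since real dumps mix in headers, blank lines and junk.
    """
    by_hash = defaultdict(list)
    for line in text.splitlines():
        email, sep, digest = line.strip().rpartition(":")
        digest = digest.lower()
        if not sep or len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            continue
        by_hash[digest].append(email)
    return dict(by_hash)


def crack_unsalted(by_hash, wordlist):
    """Unsalted: one MD5 per candidate word cracks every account using it.

    Returns (cracked {email: password}, number of hashes computed).
    """
    cracked = {}
    work = 0
    for word in wordlist:
        work += 1
        for email in by_hash.get(md5_hex(word), []):
            cracked[email] = word
    return cracked, work


# Same accounts, but hashed as md5(salt + password) with a per-account salt.
SALTED_ACCOUNTS = [  # (email, salt, password), constructed
    ("alice@example.com", "a1", "password"),
    ("bob@example.org", "b2", "123456"),
    ("carol.gamigo@example.net", "c3", "password"),
    ("dave@example.com", "d4", "qwerty"),
    ("erin@example.org", "e5", "correct horse battery staple"),
]
SALTED_RECORDS = [(e, s, md5_hex(s + p)) for e, s, p in SALTED_ACCOUNTS]


def crack_salted(records, wordlist):
    """Salted: the dictionary must be re-hashed for every account.

    Cost grows as accounts * words instead of words, even with a fast hash.
    Returns (cracked {email: password}, number of hashes computed).
    """
    cracked = {}
    work = 0
    for email, salt, digest in records:
        for word in wordlist:
            work += 1
            if md5_hex(salt + word) == digest:
                cracked[email] = word
                break
    return cracked, work


def domain_counts(by_hash):
    """Tally accounts per mail domain, the kind of breakdown quoted above."""
    emails = [e for accounts in by_hash.values() for e in accounts]
    return Counter(e.rpartition("@")[2].lower() for e in emails)


if __name__ == "__main__":
    by_hash = parse_dump(SAMPLE_DUMP)
    cracked, work = crack_unsalted(by_hash, WORDLIST)
    print(f"unsalted: {len(cracked)} accounts cracked with {work} hashes")
    cracked_s, work_s = crack_salted(SALTED_RECORDS, WORDLIST)
    print(f"salted:   {len(cracked_s)} accounts cracked with {work_s} hashes")
    print(domain_counts(by_hash))
```

The reverse index in `parse_dump` is the whole point: with no salt, every account that chose “password” collapses onto one hash, so five dictionary words are enough to recover four of the five accounts, and the work does not grow with the size of the dump. The salted variant needs the dictionary re-run per account and still only recovers the same weak passwords; a deliberately slow password hash on top of the salt is what makes the remaining work expensive.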