Warframe, Clash of Kings players’ info stolen after forum hacks
Two new website hack/ user data theft combos have been revealed last week, and the victims are players of popular mobile real time strategy game Clash of Kings and online free-to-play third-person shooter Warframe.
In both cases the attackers found their way in by exploiting vulnerabilities in the software used by the companies to set up their online forums (vBulletin) or manage the content on their site (Drupal).
The Clash of Kings hack
The Clash of Kings forum hack has not yet been confirmed by China-based Elex (the game’s developers), but according to Leaked Source, nearly 1.6 million records have been compromised. They contain usernames, email addresses, IP addresses, hashed and salted passwords, Facebook access tokens, and more.
ZDNet reports that the hack was carried out on July 14 by an unnamed hacker, who took advantage of an old and well known weakness in the outdated vBulletin installation powering the forum.
This attacker apparently actively sought out sites running vulnerable, out-of-date forum software, and Leaked Source says that “at this point, any unpatched vBulletin 4 forum with over 100,000 users is probably hacked.”
The Warframe hack
The Warframe hack has been confirmed, and it’s old.
“Last week we were made aware of a potential web server breach that occurred in November 2014. At the time, we believed this to be a phishing scam as our account server was secure. After a thorough review of the data we received, we can confirm that a list of 775,749 email addresses were acquired through a Drupal SQL exploit that was patched by Drupal two weeks after the breach occurred,” an administrator explained in a post on the Warframe forums.
“The stolen data DID NOT include any account passwords, variations of passwords, hashed passwords, game account data or personal player information such as full names, addresses or other billing and payment information. Note that while there were hashes in the stolen data these were meaningless hashes of Alias names.”
Nevertheless, the company – Digital Extremes – is advising users to change their passwords frequently, and to make use of the 2-factor authentication option they have made available since then.
They are also not running the site on Drupal anymore – they have replaced it with a custom website system that does not store any account information.
The stolen info is currently being traded on cybercrime forums.