Emails and Encrypted Passwords of Albion Online Forum Users Were Stolen

Albion Online, a relatively popular massively multiplayer online RPG, suffered a data breach in late October. Sandbox Interactive, the game's German developer, announced the breach on Oct 17 and informed all affected users by e-mail as well as in a forum post.

The bad actor involved in the attack managed to access the profiles of Albion forum users, which included the e-mail addresses used for forum registration. The hackers also got hold of the users' passwords, which were, thankfully, hashed and salted: the passwords were hashed with bcrypt using a random salt for each one, which makes recovering the original passwords from the stolen data considerably harder.

Albion's developer stated that the stolen password hashes cannot be used to log into either the game's client or the forum. The only potential issue Sandbox sees with the password grab is that the data could be used to identify users whose passwords are very weak. Obviously, if a password was reused for both the forum registration and the game's client login, there is a very serious risk of account takeover.
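The two claims above (a stolen salted hash cannot itself be submitted as a login credential, yet very weak passwords remain at risk) are easy to see in code. The following is an added example, not code from the article or from Sandbox Interactive or WoltLab; it uses Python's standard-library scrypt as a stand-in for bcrypt, since both are slow, salted password hashes and scrypt needs no third-party package. The record format, cost parameters and the constructed word list are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Cost parameters for the scrypt stand-in (assumed for the example; a real
# deployment tunes these to its hardware, just as bcrypt's work factor is tuned).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation: the expensive step an attacker must repeat per guess."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt-hex>$<digest-hex>'.

    A fresh random salt is drawn for every password (bcrypt embeds its own salt in
    the same way), so identical passwords produce different stored records and a
    precomputed table of hashes is useless against the database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    return f"scrypt${salt.hex()}${_derive(password, salt).hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    recomputed = _derive(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def stored_record_is_not_a_credential(record: str) -> bool:
    """The developer's first point: submitting the stolen record as the password fails,
    because the login path hashes whatever is typed and compares digests."""
    return not verify_password(record, record)


def same_password_yields_different_records(password: str) -> bool:
    """Per-password salting: two registrations of the same password do not match as strings."""
    return hash_password(password) != hash_password(password)


def recoverable_from_wordlist(record: str, wordlist: List[str]) -> Optional[str]:
    """The developer's second point, framed as the audit a defender runs on their own
    hash database: the salt defeats precomputation, not guessing, so a password that
    appears in a short list of common passwords is found by trying each entry. Accounts
    found this way are the ones to force-reset."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    common_passwords = ["password", "123456", "qwerty", "letmein"]
    strong = hash_password("correct horse battery staple")
    weak = hash_password("123456")
    print("record usable as credential:", not stored_record_is_not_a_credential(strong))
    print("weak password recovered from list:", recoverable_from_wordlist(weak, common_passwords))
    print("strong password recovered from list:", recoverable_from_wordlist(strong, common_passwords))
```

The audit function is the defender's version of the risk the article describes: running a small common-password list against your own records after a breach tells you exactly which users need a forced reset, while the salted, slow hash leaves the remaining accounts protected.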

Forum Software Vulnerability Patched After Breach

Sandbox Interactive stated that the attack abused a vulnerability in WoltLab Suite, the forum software they use for Albion. The vulnerability has since been patched by WoltLab.

The bad actor believed responsible for the attack had posted an ad on a hacker forum offering to sell data that allegedly included payment database dumps, but the post has since been removed. Given the information provided by Albion's developers, the post was very likely an attempt to exaggerate the scope of the breach and the value of the stolen data.

Albion is a free-to-play game, which almost always means a large audience. The company's own figures list over 2.5 million players across Windows, Mac, Linux and mobile devices. The breached forum has nearly 300 thousand users.

October 22, 2020
