Over 2 Million GateHub and EpicBot Customers Are Warned About a Data Breach
Have you ever wondered how a cybercriminal can get their hands on the personal data of millions of unsuspecting people? Here's how.
On October 25, an anonymous user on a hacking forum shared a database with 2.2 million records full of personal information. We should point out that this is not one of the underground marketplaces hosted on the so-called Dark Web. The forum on which the data was posted is indexed by Google and can be accessed by anyone. The file is still up, it's not protected by a password, and the person that uploaded it doesn't demand any money for it.
In other words, a criminal who wants to obtain these 2.2 million records can fire up their favorite web browser, go to the aforementioned forum, register an account, and click the download button.
Unfortunately, it really is as simple as that, and there's not much you can do about it. What you can do, however, is see who the 2.2 million affected people are because you might just be one of them.
A cryptocurrency wallet and an online game bot service got hacked
The data was stolen from two completely unrelated sources: a cryptocurrency wallet called GateHub and a RuneScape bot service named EpicBot. Of the 2.2 million records, 1.4 million belong to GateHub users while the rest were stolen from EpicBot. Cybersecurity expert Troy Hunt got his hands on the exposed data and loaded it into his Have I Been Pwned data breach alert service, which means that if you've ever subscribed to one of the two services, you can use your email to see if you have been affected. But what was lost exactly?
It might turn out that the GateHub breach was much more significant than anticipated
The fact that GateHub has been breached isn't news. Back in June, the cryptocurrency platform informed users that it had been targeted by a not-terribly-large cyberattack. The announcement said that after stealing a database full of access tokens, a hacker managed to gain unauthorized access to just under 18,500 "encrypted customer accounts". From there, the attacker was able to get users' names, email addresses, hashed passwords, hashed recovery keys, and encrypted XRP Ledger wallet secret keys.
The company promised that it would work with law enforcement agencies and cryptocurrency exchanges to freeze any funds that might have been stolen during the attack and return them to their rightful owners. Whether any of that has worked is unknown. It's also unknown whether the same incident led to the exposure of the 1.4 million records.
The person who shared the database said that the GateHub portion includes two-factor authentication keys, mnemonic phrases, and wallet hashes. GateHub told Ars Technica that they have seen no wallet hashes in the dump and that they are not even sure if the data is authentic. Nevertheless, they are confident that the "re-encryption" of all GateHub accounts that took place in July is going to render all attacks useless. The only thing they forgot to mention is what they meant by "re-encryption".
EpicBot won't say a word
The potential damage from the attack on EpicBot is much less significant. Quite apart from the fact that fewer people are affected, the nature of EpicBot's service means that there's a lot less to go wrong.
That being said, the response from the RuneScape bot provider is hardly exemplary. In fact, it's completely absent. About 800,000 of its users have had their email addresses, usernames, and hashed passwords compromised, and yet EpicBot is not willing to issue even a single statement regarding what happened and what people need to look out for. This is not how an online service, no matter how big or small, should behave in the wake of a data breach.
On the whole, the details around the two hacking incidents are somewhat sparse, and the only silver lining is that both GateHub and EpicBot hashed users' passwords with bcrypt. This is good news because bcrypt is a salted, deliberately slow hashing algorithm that is widely considered one of the most robust options available. A bcrypt hash cannot be reversed; an attacker's only route is to guess candidate passwords one at a time, and bcrypt's cost factor makes every guess expensive. That being said, a low cost factor or other implementation mistakes can weaken it considerably, and weak or reused passwords fall quickly regardless of the algorithm. Changing your EpicBot and GateHub passwords, especially if Troy Hunt's service tells you that you have been affected, is therefore a good idea. Keeping in mind what could happen if the rest of the exposed information falls into the wrong hands is also extremely important.
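The first thing a practitioner does with a leaked hash column is check whether the hashes are really bcrypt and what cost factor they were generated with, since a low cost is exactly the kind of "incorrect implementation" that makes bcrypt cheap to attack. The script below is an added example, not code from the article, from GateHub or from EpicBot. It parses the bcrypt Modular Crypt Format (`$2b$12$...`), flags low cost factors and the legacy `2x` variant, and recognises unsalted MD5/SHA-1 hex digests as weak. The dump lines are constructed (the salt and digest strings are placeholders with the right alphabet and length, not real hashes), and the cost floor of 10 is an assumption in line with common guidance, not a value from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# bcrypt hashes use the Modular Crypt Format:
#   $<variant>$<cost>$<22-char salt><31-char digest>
# variant is 2a/2b/2y (2x marks output of a known-buggy legacy implementation),
# cost is the base-2 logarithm of the iteration count, and salt plus digest use
# bcrypt's own ./A-Za-z0-9 alphabet and are always 53 characters together.
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$")

# Assumption: anything below cost 10 is treated as weak. Each step halves the
# attacker's work, so cost 5 is 128x cheaper to attack than cost 12.
MIN_SANE_COST = 10


@dataclass(frozen=True)
class Triage:
    scheme: str            # "bcrypt", "md5-hex", "sha1-hex" or "unknown"
    cost: Optional[int]    # bcrypt cost factor, None for other schemes
    weak: bool
    reason: str


def relative_work(cost: int, baseline: int = 12) -> float:
    """Attacker work per guess, relative to a hash at cost `baseline`."""
    return 2.0 ** (cost - baseline)


def triage_hash(stored: str) -> Triage:
    """Classify one stored password hash and flag cheap-to-crack formats.

    This checks the format and parameters only; it does not verify that the
    digest is a valid bcrypt output for the salt.
    """
    m = BCRYPT_RE.match(stored)
    if m:
        variant, cost = m.group(1), int(m.group(2))
        if variant == "2x":
            return Triage("bcrypt", cost, True, "legacy 2x variant")
        if cost < MIN_SANE_COST:
            cheaper = 1 / relative_work(cost)
            return Triage("bcrypt", cost, True,
                          f"cost {cost} is {cheaper:.0f}x cheaper than cost 12")
        return Triage("bcrypt", cost, False, "ok")
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return Triage("md5-hex", None, True, "unsalted fast hash")
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return Triage("sha1-hex", None, True, "unsalted fast hash")
    return Triage("unknown", None, True, "unrecognised format")


def triage_dump(lines: Iterable[str]) -> Dict[Tuple[str, bool], int]:
    """Count (scheme, weak) pairs over dump lines of the form 'email:hash'."""
    counts: Dict[Tuple[str, bool], int] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _, _, stored = line.partition(":")
        t = triage_hash(stored)
        key = (t.scheme, t.weak)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample dump: placeholder salt+digest in the bcrypt alphabet,
# plus one unsalted MD5 of the string "password".
FAKE_SALT_DIGEST = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"  # 53 chars
SAMPLE_DUMP = [
    "alice@example.com:$2b$12$" + FAKE_SALT_DIGEST,
    "bob@example.com:$2a$05$" + FAKE_SALT_DIGEST,
    "carol@example.com:5f4dcc3b5aa765d61d8327deb882cf99",
    "dave@example.com:$2y$11$" + FAKE_SALT_DIGEST,
]

if __name__ == "__main__":
    for line in SAMPLE_DUMP:
        email, _, stored = line.partition(":")
        t = triage_hash(stored)
        print(f"{email:20} {t.scheme:8} cost={t.cost} weak={t.weak} ({t.reason})")
    for (scheme, weak), n in sorted(triage_dump(SAMPLE_DUMP).items()):
        print(f"{scheme:8} weak={weak!s:5} {n}")
```

Run against a real dump, the summary tells you immediately whether "hashed with bcrypt" actually means much: a column of cost-12 `$2b$` hashes is a very different situation from cost-5 hashes or a mix that includes bare MD5. Note that a sane cost factor protects only against guessing at scale; a password that appears in common wordlists will still be recovered within the first few guesses.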