UK Retailer GAME hacked - Passwords stored as plain text.

#1  Edited By Mijati

Today the website of GAME, the biggest UK gaming retailer, has been hacked.

A couple of gaming websites, Catalyst-Gaming (catalystgaming.net) from Northern Tasmania and Game (game.co.uk) from the United Kingdom, are the latest victims of hackers.
As security solutions providers predicted, gamer communities are becoming a tempting target to hackers and their operations, especially since many gaming websites offer their customers the opportunity to purchase virtual items and bonuses using credit cards.

This isn't the case in this scenario, but these incidents go to show how exposed gaming websites are.

Usernames, email addresses and password hashes were leaked from Catalyst Gaming, but from Game, a website that commercializes consoles, games and hardware components, the hackers managed to obtain email addresses and passwords in clear-text.

The latter site contained a shell injection vulnerability that allowed the hackers to access its databases and expose their customers.

Users who own accounts on the aforementioned sites are recommended to immediately change their passwords.

http://news.softpedia.com/news/Catalyst-Gaming-and-Game-Co-Uk-Hacked-Data-Leaked-246709.shtml

As the article says, Catalyst-Gaming has also been hacked, but at the very least the passwords were hashed.

If you have ever bought anything from GAME online then be aware that your password has been leaked and that they also have your email address, so be on the lookout for phishing and spam emails.

#2  Edited By MattyFTM  Moderator

And suddenly my decision to start using LastPass proves itself to be the wisest thing I've ever done. Had I been using my old passwords I'd now be rushing around panicking trying to remember every other site where I used my GAME password and be frantically changing passwords. Today I just sit back and relax knowing that every other site has a different password.

Also, seriously? Who the fuck stores passwords in plain text? That's just a recipe for disaster. It's not like password hashing is some magical technology that has only just been invented. It's standard.

#3  Edited By Mijati

What's great is I just reset my password there the other day; luckily it's nothing I use elsewhere, so that's good.

Just a complete and utter joke that they'd store it as plain text.

Whatever happens they've lost any future custom from me. Along with Gamestation and gameplay. (All owned by the same company)

#4  Edited By jeanluc  Staff

@MattyFTM: Tell me more about this magical LastPass.

#5  Edited By Video_Game_King

@MattyFTM said:

Also, seriously? Who the fuck stores passwords in plain text?

Companies who have never had a scandal like this :P.

#6  Edited By DashKrimson

Thanks for the warning. I'll change my password immediately. So should everyone else, y'hear?

#7  Edited By WinterSnowblind

Thanks for posting this. I don't use my GAME password anywhere else, but geez..

I think I'll be using LastPass from now on too.

#8  Edited By poisonmonkey

Thanks for the heads-up duder, just changed my password.

#9  Edited By MattyFTM  Moderator

@JeanLuc said:

@MattyFTM: Tell me more about this magical LastPass.

LastPass. It's a password manager. It generates and stores passwords on its servers. It has browser extensions for all the major browsers and will automatically input your passwords for you on any site you visit. I don't know what else to say. It even has smartphone applications for you to use your passwords on your phone. Oh, and it has the Dave Snider seal of approval, as does 1password, another available password manager.

There is, of course the nightmarish theoretical scenario that LastPass gets hacked and their password hashes get decrypted, but I still feel a lot safer using it than I did just having a handful of passwords that I used on different websites. It's never going to be possible to have a 100% foolproof password system, but I feel that using something like LastPass is as close as you're going to get to it.

#10  Edited By onimushroom

Thanks for the heads up. Hackers are proving to be one of the worst things about the internet.

#11  Edited By AhmadMetallic
@MattyFTM said: 

And suddenly my decision to start using LastPass proves itself to be the wisest thing I've ever done. Had I been using my old passwords I'd now be rushing around panicking trying to remember every other site where I used my GAME password and be frantically changing passwords. Today I just sit back and relax knowing that every other site has a different password.

Or you can simply type in a different password for each website/account? That's what I do.

I just logged on and deleted my payment card info from GAME, not sure what else to do to make sure they don't have the number. Luckily I only keep a limited amount of money in my account on a monthly basis.

#12  Edited By FritzDude

@MattyFTM: As for me, a person that keeps all random generated passwords on a safe piece of paper excluded from any devices because of paranoia, how would this service provide me any more security? To me it seems that these kinds of services are a broken leg that just sits there and asks to be hacked so every password you've stored on it will be leaked. If that happens you probably would be more stressed than when just one password got into the abyss, like this scenario. I bet LastPass and similar services are heavily attacked because they know people store valuable passwords on there.

#13  Edited By Vorbis

We know that some of you have been concerned about the rumour going around today about our data. Please rest assured that we always take data issues very seriously and have investigated this claim thoroughly.

Here are our official words:

"At GAME we guard our customers' details very carefully. We have thoroughly investigated the hacking claims made today by the website Pastebin, and can confirm that they are entirely false. The published email addresses are not registered users of GAME.co.uk, and there has been no breach of our database security.

We would like to assure all our customers that their details are well protected, and advise anyone who has any questions to contact our customer services team via the website, our Facebook page or Twitter account."

Anna-Marie Mason, GAME spokesperson

Seems like it might just be a rumour.

#14  Edited By jeanluc  Staff

@MattyFTM: Fantastic! I'll check it out.

#15  Edited By Mijati

I'd still be wary until we have further details. It will be interesting to see exactly how the rumour started, and why, if that is indeed the case.

#16  Edited By Legxend

Even if it is a rumour I've changed my password just in case.

#17  Edited By MattyFTM  Moderator

@AhmadMetallic said:

@MattyFTM said:

And suddenly my decision to start using LastPass proves itself to be the wisest thing I've ever done. Had I been using my old passwords I'd now be rushing around panicking trying to remember every other site where I used my GAME password and be frantically changing passwords. Today I just sit back and relax knowing that every other site has a different password.

Or you can simply type in a different password for each website/account?

Are you Rain Man? How can you remember so many passwords? I've got hundreds of website accounts. How am I supposed to remember a different password for each? I'm not. That's why I use LastPass.

@FritzDude said:

@MattyFTM: As for me, a person that keeps all random passwords generated on a safe piece of paper discluded from any devices because of paranoia, how would this service provide me anymore security? To me it seems that these kind of services are a broken leg that just sits there and ask to be hacked so every password you've stored onto it will be leaked. If that happens you probably would be more stressed than just when one password got into the abyss, like this scenario. I bet LastPass and similar services are heavily attacked because they know people store valuable passwords on there.

It's all about a balance between security and convenience for me, I suppose. Writing them down might be more secure (although with my terrible handwriting I'd probably not be able to read my passwords a lot of the time :P) but what if that piece of paper got stolen? What if I lost it in a house fire? Anything could happen. Ultimately LastPass seems to be pretty secure. And if something does happen, it's not the end of the world. No one is ever going to get access to my email account (I don't store that password in LastPass AND it uses two-step authentication, meaning Google sends me a text with a verification code before I actually get into my email) and as long as I have access to that I can reset passwords and shit using my email. It'll just be a bit of a headache. Ultimately no password system is going to be perfect. I'm pretty happy with using LastPass.

#18  Edited By Ravenlight

@MattyFTM said:

And suddenly my decision to start using LastPass proves itself to be the wisest thing I've ever done. Had I been using my old passwords I'd now be rushing around panicking trying to remember every other site where I used my GAME password and be frantically changing passwords. Today I just sit back and relax knowing that every other site has a different password.

I started using LastPass because of some thread on GB some time last year and haven't looked back. This scenario just reinforces its utility.

Also, seriously? Who the fuck stores passwords in plain text? That's just a recipe for disaster. It's not like password hashing is some magical technology that has only just been invented. It's standard.

It's pretty scary how many companies don't have a figgin' clue about data security. It seems like every week there's a copy and pasted news story like this with a different company name at the beginning.

#19  Edited By 49th

I don't even remember if I have a GAME account. I know I have a member card, but my dad signed up for that under my name.

#20  Edited By AhmadMetallic
@MattyFTM said:

@AhmadMetallic said:

@MattyFTM said:

And suddenly my decision to start using LastPass proves itself to be the wisest thing I've ever done. Had I been using my old passwords I'd now be rushing around panicking trying to remember every other site where I used my GAME password and be frantically changing passwords. Today I just sit back and relax knowing that every other site has a different password.

Or you can simply type in a different password for each website/account?

Are you rain man? How can you remember so many passwords? I've got hundreds of website accounts. How am I supposed to remember a different password for each? I'm not. That's why I use LastPass.

Generally speaking I don't think the average internet user has more than 25 or so accounts on the web, which is easy to write down on a piece of paper and keep in your desk drawer (what I do). But if you have so many, then yeah I guess LastPass is your savior!

#21  Edited By Branthog

Storing passwords in plain-text is negligent on the level that it should almost be considered criminal when user data is then stolen. As for passwords being hashed - it is only meaningful if the hashes are salted. If they're not, then they may as well just be stored in plain text, to begin with.

#22  Edited By Zelyre

@MattyFTM said:

@AhmadMetallic said:

@MattyFTM said:

And suddenly my decision to start using LastPass proves itself to be the wisest thing I've ever done. Had I been using my old passwords I'd now be rushing around panicking trying to remember every other site where I used my GAME password and be frantically changing passwords. Today I just sit back and relax knowing that every other site has a different password.

Or you can simply type in a different password for each website/account?

Are you rain man? How can you remember so many passwords? I've got hundreds of website accounts. How am I supposed to remember a different password for each? I'm not. That's why I use LastPass.

What I suggest for people who can't remember all their passwords is to set up a system. Stupid websites, like banking and CC websites, like to limit the number of characters you can use... *grumble* so, I tell people to limit their initial password to 7 characters. So, let's say your base password is "meta1ic". Let's say each subsite of Whiskey Media had its own separate password. I'd lop off the first and last letter of each site and turn that into part of the password.

iantMeta!icbom

omicMeta!icvin

nimeMeta!icvic

and so on. Banks and CC numbers get different base passwords. So bankpassword for Bank of America ends up being mericabankpasswordban. Citibank ends up ankbankpasswordcit. Discover, ardbankpasswordiscove, and so on. Email, same thing.

omicPa44wordin is much harder to break than Ae64#z and much easier to remember, as well.

Unless I'm being singled out or keylogged, if someone has a list of thousands of passwords and logins, they're most likely going to just move on to another account than figure out my login for Tested.

#23  Edited By Bollard

From what I can tell, this is the link to the supposed "hack":

http://pastebin.com/Cb4nJfm0

Unless it's incomplete I wouldn't worry. There's only like 200 accounts and according to Game.co.uk none of them actually exist.

#24  Edited By GiroMindTricks

Metro.co.uk had the following response from GAME

'At GAME we guard our customers' details very carefully. We have thoroughly investigated the hacking claims made today by the website Pastebin, and can confirm that they are entirely false. The published email addresses are not registered users of GAME.co.uk, and there has been no breach of our database security.

We would like to assure all our customers that their details are well protected, and advise anyone who has any questions to contact our customer services team via the website, our Facebook page or Twitter account.'

Read more: http://www.metro.co.uk/tech/games/887540-game-denies-website-hacking-story#ixzz1je3X0k00

#25  Edited By Bollard

@GiroMindTricks said:

Metro.co.uk had the following response from GAME

'At GAME we guard our customers' details very carefully. We have thoroughly investigated the hacking claims made today by the website Pastebin, and can confirm that they are entirely false. The published email addresses are not registered users of GAME.co.uk, and there has been no breach of our database security.

We would like to assure all our customers that their details are well protected, and advise anyone who has any questions to contact our customer services team via the website, our Facebook page or Twitter account.'

Read more: http://www.metro.co.uk/tech/games/887540-game-denies-website-hacking-story#ixzz1je3X0k00

Exactly as I thought.

#26  Edited By BabyChooChoo

LastPass? psh, nooblets. Everyone knows Keepass is where it's at! lol, seriously though, if anyone is slightly paranoid of online password managers like I am then this is a nice alternative, since it only stores your passwords on your machine.

#27  Edited By AlexW00d

Threads like this are the fucking worst. OMG I HEARD A RUMOUR NOW I AM GOING TO BLOW IT OUT OF PROPORTION. Yo it's a load of cobblers.

#28  Edited By FritzDude

@BabyChooChoo said:

LastPass? psh, nooblets. Everyone knows Keepass is where it's at! lol, seriously though, if anyone is slightly paranoid of online password managers like I am then this is a nice alternative since it only stores your passwords to your machine.

Every password that is stored on a device instead of on paper handwritten by me is considered, to me, a security flaw. And when I have control over where I store them, I store them in the most secure place and away from devices that can easily get corrupted and hacked. Yes, I'm that paranoid. Keepass is no exception, because even if it's stored on my computer with the "latest" and "best" encryption software to date, my PC can still be hacked. The only way to lose secure handwritten passwords is by a burnt-down house or a thief sneaking into my home, odds I'll take any day instead of having Urkel accessing my passwords across countries.

Maybe someday my paranoia can go away to some degree so I can try to get my trust to some of these services, but not now it seems.

#29  Edited By Mijati

@AlexW00d: How dare I post something that at the time of making this topic was stated as fact by several reputable sources. It wasn't a rumour at the time of posting.

@Branthog: Hashed passwords are only as strong as the hash which is used. The problem is that a lot of the more common hashing methods have been either completely figured out or at the least there is a list of dictionary words (and other common phrases) to their hashed values meaning that it's easier to get the password if you have the hash, but only for those common passwords.

Salting has its flaws if used with common hashing formulas, due to the fact that the salt needs to be in the database too. It just adds extra calculations to the dictionary hacking process but it is still fairly simple to get into accounts using common passwords.

Hashing in general has nothing wrong with it; the problem is the hashes are targeted and need to be changed to more complex hashes.

#30  Edited By kalmis

PW changed, just in case.

#31  Edited By Branthog

@DarkDude said:

@AlexW00d: How dare I post something that at the time of making this topic was stated as fact by several reputable sources. It wasn't a rumour at the time of posting.

@Branthog: Hashed passwords are only as strong as the hash which is used. The problem is that a lot of the more common hashing methods have been either completely figured out or at the least there is a list of dictionary words (and other common phrases) to their hashed values meaning that it's easier to get the password if you have the hash, but only for those common passwords.

Salting has its flaws if used with common hashing formulas, due to the fact that the salt needs to be in the database too. It just adds extra calculations to the dictionary hacking process but it is still fairly simple to get into accounts using common passwords.

Hashing in general has nothing wrong with it; the problem is the hashes are targeted and need to be changed to more complex hashes.

I'm not sure what you mean by the salt having to be in the database. It just has to be wherever the application doing the encryption is; not stored in the database. If you pilfer the database and haven't taken the salt, then it's fairly useless. You can brute force it, but brute forcing an eight character password is trivial - rainbow tables. Brute forcing an eight character password hashed with a 128 character salt suddenly becomes much more difficult. Using a salt is not the perfect solution, but neither is merely hashing. It is another component that is necessary to maintaining a difficult-to-compromise set of data. In all forms, brute force can eventually crack everything. It's just a matter of making it too computationally expensive.

#32  Edited By Branthog

@BabyChooChoo said:

LastPass? psh, nooblets. Everyone knows Keepass is where it's at! lol, seriously though, if anyone is slightly paranoid of online password managers like I am then this is a nice alternative since it only stores your passwords to your machine.

LastPass is just fine. I hear people talk about how insecure it is yadda yadda all the time and they rarely understand how it actually works. Two part authentication. Encryption of the passwords occurs on your system and the keys are stored on your system. As long as you use a complex password and two-factor authentication, you'll do fine. In fact, they had a possible security breach a few months ago and it was a trivial concern. They required people with simple passwords to change them and required re-authentication in certain cases. And this was all part of being overly paranoid (even if the database was stolen, it's pretty much useless). They were on the ball enough that the only reason they raised a flag about it wasn't that data was actually stolen *for certain*, but that they noticed a little bit more data passing in one direction than was passing in the other direction, which could maybe possibly sort of sometimes theoretically suggest a small theft of data.

Anyway, it's worth reading up on how LastPass actually works. The benefits of having a unique password for every site, two factor authentication, no need for separate software for each machine, automatic syncing across systems, etc . . . far outweigh the possible risk.
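An added worked example for the model post #32 describes (encryption on the client, keys that never leave the device, a server database that is "pretty much useless" on its own). This is the editor's own code, not LastPass's, 1password's or any vendor's implementation, and it assumes: the e-mail address doubles as the per-user KDF salt; the login credential is a one-way derivation of the encryption key; the server stores only a slow hash of that credential plus the ciphertext; and, because Python's standard library ships no AES, an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag stands in for AES-GCM. The e-mail, master passwords and vault contents are constructed. Two-factor authentication is not modelled: it gates the login endpoint, not an offline attack on a stolen row, which is exactly why the run below also registers an account with a weak master password to show the caveat #32 itself states.

```python
"""Added example (editor's code, not LastPass's, 1password's or any vendor's):
a minimal password-manager model whose server never holds the decryption key.
E-mail, master passwords and vault contents are constructed; the HMAC-SHA256
stream cipher is a stand-in for AES-GCM, used only because the standard
library ships no AES."""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 100_000


def derive_keys(master_password: str, email: str):
    """Runs on the client only. The e-mail is the salt, so one master password
    yields different keys per account. enc_key never leaves the device; auth_key
    is a one-way derivation of it and is the only secret sent to the server."""
    enc_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                  email.lower().encode(), KDF_ITERATIONS)
    auth_key = hmac.new(enc_key, b"auth", hashlib.sha256).digest()
    return enc_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(enc_key: bytes, vault: dict) -> dict:
    """Client-side encrypt-then-MAC; only the returned blob is ever uploaded."""
    k_enc = hmac.new(enc_key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(vault).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def decrypt_vault(enc_key: bytes, blob: dict) -> dict:
    """Verifies the tag before touching the ciphertext; wrong key -> ValueError."""
    k_enc = hmac.new(enc_key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong key or tampered vault")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))
    return json.loads(pt)


class Server:
    """Holds only what the client uploads: a slow hash of auth_key and the blob.
    A dump of self.rows contains no key and no plaintext site password."""

    def __init__(self):
        self.rows = {}

    def register(self, email: str, auth_key: bytes, blob: dict):
        salt = os.urandom(16)
        self.rows[email] = {"salt": salt, "blob": blob,
                            "auth_hash": hashlib.pbkdf2_hmac("sha256", auth_key, salt, KDF_ITERATIONS)}

    def login(self, email: str, auth_key: bytes):
        row = self.rows.get(email)
        if row is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", auth_key, row["salt"], KDF_ITERATIONS)
        return row["blob"] if hmac.compare_digest(check, row["auth_hash"]) else None


def attacker_with_server_dump(rows: dict, email: str, guesses: list):
    """Offline attack on a stolen row: each guess costs the full client KDF plus
    the server KDF, and only a master password that is in the guess list opens the vault."""
    row = rows[email]
    for guess in guesses:
        enc_key, auth_key = derive_keys(guess, email)
        check = hashlib.pbkdf2_hmac("sha256", auth_key, row["salt"], KDF_ITERATIONS)
        if hmac.compare_digest(check, row["auth_hash"]):
            return guess, decrypt_vault(enc_key, row["blob"])
    return None


if __name__ == "__main__":
    srv = Server()
    email, master = "user@example.com", "correct horse battery staple"   # constructed
    enc_key, auth_key = derive_keys(master, email)
    srv.register(email, auth_key, encrypt_vault(enc_key, {"game.co.uk": "s3cr3t-site-pw"}))
    print("login ok:", srv.login(email, auth_key) is not None)
    print("dump + wordlist:", attacker_with_server_dump(srv.rows, email, ["password", "123456"]))
```

The design choice worth noticing is the split between `enc_key` and `auth_key`: the server can verify a login without ever being able to decrypt, so a stolen `rows` table gives an attacker nothing but the chance to run the same slow KDF per guess. That is also the limit of the protection: the second account in the test below uses "password" as its master password and falls to a two-word list.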

#33  Edited By FLStyle

I thought we were past using market retail companies, especially GAME. At least it seems no-one is in serious trouble.

#34  Edited By Mijati

@Branthog: Assuming the site is using a salt that is unique to each user then it has to be stored in the database. The formulas for salted MD5 hashes are things such as: MD5(MD5Password + MD5Salt). Given that hackers will have a common list as MD5Passwords they already have that part of the equation solved and as they know the unhashed salt it's only an extra step or two to get the password. Sure it's a lot more work and it only has an impact on those stupid enough to use dictionary words/other common phrases and it does make it more difficult but by no means does it make them invulnerable. Although it is a lot better than just hashed passwords and is of course infinitely better than storing passwords as plain text.
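An added worked example, the editor's own code rather than anything from the thread, from GAME or from Softpedia, for the hashing debate running through posts #21, #29, #31 and #34. It takes one constructed user table, stores it four ways (unsalted MD5, the MD5(MD5(password) + MD5(salt)) shape from #34, a salted hash keyed with a secret held outside the database as #31 describes, and salted PBKDF2-HMAC-SHA256), then plays the attacker who has the dump plus a wordlist. The accounts, passwords, salts, wordlist and the pepper value are all made up; MD5 and PBKDF2 come from Python's standard library. The run shows the point both sides were circling: per-user salts have to sit beside the hash (so the dump includes them) and they only defeat precomputed tables, not a per-user dictionary run; a secret kept only on the application server (the usual name is a pepper) does stop the dictionary run until that server is also compromised; and a slow KDF does not save common passwords either, it just multiplies the cost of every guess.

```python
"""Added example (editor's code, not from the thread, from GAME or from Softpedia):
one constructed user table stored four ways, and what an attacker who has stolen
the table plus a small wordlist gets back from each. Accounts, passwords, salts,
the wordlist and the pepper value are all made up for the demonstration."""
import hashlib
import hmac
import os

# Constructed accounts: three common passwords and one random one.
USERS = {"alice": "password", "bob": "letmein", "carol": "dragon", "dave": "qX7!vR2#kL9p"}
# Constructed attacker wordlist; real ones hold millions of entries.
WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty", "football"]
PBKDF2_ITERATIONS = 100_000
# Assumption: a secret held in application config and never written to the database.
PEPPER = b"example-pepper-held-outside-the-db"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def salted_md5(password: str, salt: str) -> str:
    """The MD5(MD5(password) + MD5(salt)) shape described in post #34."""
    return md5_hex((md5_hex(password.encode()) + md5_hex(salt.encode())).encode())


def peppered_hash(password: str, salt: str, pepper: bytes) -> str:
    """Per-user salt stored in the DB plus a server-side secret that is not."""
    return hmac.new(pepper, (salt + password).encode(), hashlib.sha256).hexdigest()


def pbkdf2_hash(password: str, salt: bytes) -> str:
    """Salted, deliberately slow KDF: each verification or guess costs PBKDF2_ITERATIONS rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


# What the site writes to its users table under each scheme.
def store_md5(pw):
    return {"hash": md5_hex(pw.encode())}


def store_salted_md5(pw):
    salt = os.urandom(8).hex()   # the salt must sit beside the hash so logins can be verified
    return {"hash": salted_md5(pw, salt), "salt": salt}


def store_peppered(pw):
    salt = os.urandom(8).hex()
    return {"hash": peppered_hash(pw, salt, PEPPER), "salt": salt}


def store_pbkdf2(pw):
    salt = os.urandom(16)
    return {"hash": pbkdf2_hash(pw, salt), "salt": salt.hex()}


def build_database(store):
    return {user: store(pw) for user, pw in USERS.items()}


# Attacker side: the whole table, including every salt, has leaked.
def crack_md5_by_table(db):
    """Unsalted MD5: one precomputed table of MD5(word) answers every user at once."""
    table = {md5_hex(w.encode()): w for w in WORDLIST}
    return {u: table[rec["hash"]] for u, rec in db.items() if rec["hash"] in table}


def dictionary_attack(db, matches, cost_per_guess=1):
    """Try the wordlist against each user separately; returns (recovered, work units)."""
    found, work = {}, 0
    for user, rec in db.items():
        for guess in WORDLIST:
            work += cost_per_guess
            if matches(rec, guess):
                found[user] = guess
                break
    return found, work


def crack_salted_md5(db):
    # The precomputed table is useless here, but recomputing MD5 per user is nearly free.
    return dictionary_attack(db, lambda rec, g: rec["hash"] == salted_md5(g, rec["salt"]))


def crack_peppered(db, pepper_guess: bytes):
    # Without the secret no guess can be checked; with it (application server also
    # compromised) this collapses to an ordinary salted dictionary attack.
    return dictionary_attack(db, lambda rec, g: rec["hash"] == peppered_hash(g, rec["salt"], pepper_guess))


def crack_pbkdf2(db):
    # Common passwords still fall; every guess now costs PBKDF2_ITERATIONS hashes.
    return dictionary_attack(db, lambda rec, g: rec["hash"] == pbkdf2_hash(g, bytes.fromhex(rec["salt"])),
                             cost_per_guess=PBKDF2_ITERATIONS)


if __name__ == "__main__":
    print("unsalted md5, table lookup:", crack_md5_by_table(build_database(store_md5)))
    print("salted md5:", crack_salted_md5(build_database(store_salted_md5)))
    print("peppered, secret unknown:", crack_peppered(build_database(store_peppered), b"wrong"))
    print("pbkdf2:", crack_pbkdf2(build_database(store_pbkdf2)))
```

With this wordlist the three common passwords are recovered under every scheme except the peppered one, and the random password under none; the difference between schemes is the work counter, which is 15 cheap MD5 calls for salted MD5 and 15 x 100,000 rounds for PBKDF2. Plaintext storage, the scheme the thread started with, needs no attack code at all.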