33 Million Evony User Accounts Emerge Online

Sunday, October 16, 2016

Ionut Arghire


Over 33 million accounts from online gaming platform Evony have emerged online after hackers reportedly gained access to the platform’s main database in June this year.

The data dump has already emerged on Leaked Source, which reveals that a total of 33,407,472 users might have been affected by the leak. Each of the records in the leak, they say, included a username, email address, password, and IP address, as well as various other internal data fields.

What’s worrying is that the gaming platform wasn’t using advanced protection for user passwords. According to Leaked Source, “passwords were stored using unsalted MD5 hashing,” and were also stored “in unsalted SHA1 next to the MD5.”

Looking at the list of the most used passwords, “123456” emerges on top, with 714,466 occurrences, showing once again how little thought many users give to their account’s security. “password” is also present on the list, in fifth position, along with “111111” in sixth and “qwerty” in ninth. “123123”, “abc123”, “000000”, and “evony1” are also among the easy-to-guess passwords used by gamers.

Because the passwords were so easy to retrieve, Leaked Source also revealed some other interesting stats, such as a list of the longest passwords used on the platform. The longest of them is 49 characters long, but uses only words written in lowercase.
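The storage weakness described above can be seen in a short added example, which is not from the original article or from Evony's systems: with unsalted MD5, every account that shares a password shares a stored value, so password popularity is visible straight from the database, while a per-user salt with a slow key-derivation function removes that. The account names are constructed, and the choice of scrypt and its parameters is an assumption made for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not from the leak); the passwords are ones
# the article lists among the most common.
ACCOUNTS = [
    ("alice", "123456"),
    ("bob", "123456"),
    ("carol", "qwerty"),
    ("dave", "123456"),
    ("erin", "evony1"),
]

# Assumed scrypt cost parameters for this illustration (about 16 MiB per hash).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def store_unsalted_md5(password: str) -> str:
    """Weak scheme the article describes: plain MD5 with no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def store_scrypt(password: str) -> tuple[bytes, bytes]:
    """Hardened scheme: random 16-byte salt per user plus scrypt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_scrypt(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def largest_duplicate_group(stored_values) -> int:
    """Size of the biggest set of accounts sharing one stored value."""
    return max(Counter(stored_values).values())


def compare_schemes() -> tuple[int, int]:
    """Return the largest duplicate group under each storage scheme."""
    weak = [store_unsalted_md5(pw) for _, pw in ACCOUNTS]
    strong = [store_scrypt(pw) for _, pw in ACCOUNTS]
    return (largest_duplicate_group(weak),
            largest_duplicate_group(digest for _, digest in strong))
```

Under the unsalted scheme the three accounts using “123456” collapse into one stored value; under the salted scheme every record is distinct and a login check still succeeds.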

With 7,464,078 occurrences, yahoo.com was the most used email domain, followed by hotmail.com with 6,493,345 occurrences and gmail.com with 3,593,315. The list also shows over 1 million aol.com emails, which doesn’t come as a surprise, given that Evony was launched several years ago (the copyright on the main page still reads 2010-2012).

As it turns out, this isn’t the first data breach that Evony has experienced this year. The platform’s forum was hacked in August, which reportedly led to the compromise of some 938 thousand user accounts. In a forum post, Evony prompted users to reset their passwords “considering the nature of security on the internet,” and “even though all forum passwords are encrypted.”

We have contacted Evony for additional details on the 33 million accounts hack and we will update the story as soon as we receive a reply.

Earlier this year, numerous other large data breaches were brought to light, though none as recent as the Evony one. Dropbox (68 million), LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), Last.fm (43 million), and VK (170 million) were all breached several years ago, but information on the stolen data emerged only this year. A VerticalScope breach that impacted 45 million happened earlier this year.

Last month, Yahoo! confirmed that hackers managed to breach its network in 2014 and that no fewer than 500 million users might have been impacted by the incident, one of the largest data breaches in recent history. Earlier this month, the company refuted claims that it had secretly scanned millions of emails to help American intelligence.
