Two popular gaming forums have been hacked, leaking the details of 2.5 million accounts globally. The breach of the forums ‘XBOX360 ISO’ and ‘PSP ISO’ took place in 2015, but details of the leak are only now coming to light. IT security experts from Lieberman Software, ESET, AlienVault, NuData Security, Prevalent, VASCO Data Security, CipherCloud and Lastline commented below.
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Xbox and PSP users are going to be a pretty tech savvy bunch with accounts for many different services. As breach after breach has shown that using the same username and password for multiple sites is a bad idea, you would have to imagine this group would have gotten that message by now. When you see a dump of passwords hit a much less techy site, you can be sure that huge numbers of the victims are going to have to go around changing their credentials on the many sites where they foolishly used the same details over and over. If the Xbox and PSP crew haven’t learned that they can’t use the same email and password on every service by now, then likely it is game over for their personal data.”
Mark James, IT Security Specialist at ESET:
“Hacks like these are quite common where data has been stolen and the victims are only finding out months or even years later. Scams and phishing attacks will try and use the valuable data to entice even more information from the unsuspecting user; that info is tested, stored and often will be used for identity theft purposes. Quite often people using seemingly low security websites don’t enforce good password security because it’s not a financial target, but all data has a value and will be reused for other purposes. Every website should be treated as unique and require different passwords with a mix of usernames if possible.”
Javvad Malik, IT Security Advocate at AlienVault:
“Gaming forums have been a favoured target in recent months. Typically they have weaker security, so it is easier for attackers to gain access to the passwords. Attackers rely on the fact that most users will reuse the forum password on other sites.
While user education into the dangers of choosing easily-guessed, or re-using passwords should continue, companies need to evaluate all their digital assets equally from a security perspective. There is no such thing as a ‘low priority’ public site wherever a user account resides.
Secondly, these attacks highlight the importance of effective security monitoring controls that can help detect threats underway in a timely manner. In this day and age, discovering a breach over a year after the attack is an eternity.”
Robert Capps, VP of Business Development at NuData Security:
“The recently disclosed data theft from the unofficial PlayStation and Xbox forums is yet another example of the need for consumers to be wary of whom they provide their information to online. While these sites are mostly used to distribute pirated copies of games, DVDs and Blu-rays, consumers who use the forums need to make sure that they are vigilant. Keep alert to any phishing scams that may appear in email as a result of this hack, and change passwords on any site where the passwords or usernames used on these sites are also used. This data is likely to be sold on the Dark Web and used for future cyber crime. It’s a good reminder to choose unique passwords on all sites that require registration.”
Jeff Hill, Director, Product Management at Prevalent:
“Like rushing to close the barn door after most of the horses have escaped, changing passwords at the time of an announced breach may provide some comfort, but precious little protection. The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts. At this point, it’s not even clear the breach was actually detected – possibly the attackers simply wrung as much return as possible out of their theft and discarded the remaining useless data. In today’s cybersecurity environment, no metric is even remotely as critical as time-to-detection. Needless to say, 17 months of lag time is not a good number.”
John Gunn, VP of Communications at VASCO Data Security:
“While this breach is minuscule in comparison to the Yahoo breach, the length of time that the victims’ username and password combinations were exposed – more than a year – underscores the urgent need for the entire industry to abandon the unsafe and out-of-date use of passwords. Multifactor authentication is hassle free, readily accepted, inexpensive, and provides security that is an order of magnitude superior.”
David Vergara, Head of Global Product Marketing at VASCO Data Security:
“The regularity of data breaches is nearly becoming ‘white noise’ with no context for the significance. Oftentimes the bigger risk picture is lost. The millions of accounts hacked across these gaming platforms are not limited to these platforms, but represent exposure across all online accounts, as users commonly re-use the same passwords. Until we move past the use of weak static passwords, they will remain the largest chink in the security armor.”
Willy Leichter, VP of Marketing at CipherCloud:
“This is just the latest example of the relentless pursuit of private data by hackers that gets monetized on the dark web. Any combination of usernames, passwords, email addresses or other private information can be correlated with data stolen from other sources for identity theft and/or data theft. Although this particular incident targeted gaming systems, every large scale breach such as this one should concern businesses as well. Users often use common passwords, security questions, or personal email addresses to access personal and work-related systems, making it easier for hackers to break into corporate networks and steal massive amounts of data.”
Dan Mathews, Director of Sales Engineering at Lastline:
“The forums themselves are isolated from the core Xbox and PSN properties owned by Microsoft and Sony, respectively. The bigger problem with breaches like this is that people frequently reuse the same username (email address) and passwords at the various sites they visit – oftentimes including sites they visit from their work log-ins.
“This makes it trivial for attackers to compromise multiple sites using user credentials stolen at a single forum, and creates an open channel for advanced and systematic attacks. Lastline’s recommendation: everyone should use a password manager such as LastPass or KeePass to maintain a master password database, and also to generate high-entropy passwords unique to each site that a user maintains a login on. This protects the user, their employer and any third-party entities they touch.”
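The two practical recommendations that run through the comments above (pick a unique, high-entropy password per site, and find every site where a leaked password was reused) are small enough to show in code. The following Python is an added example written for this page; it is not code from Lastline, LastPass or KeePass, and the site names and the sample vault are constructed for illustration. It draws passwords from the standard-library `secrets` CSPRNG rather than `random`, computes the entropy of a uniformly chosen password, and audits a vault for reuse the way a password manager's "reused passwords" report does.

```python
from __future__ import annotations

import math
import secrets
import string
from collections import defaultdict

# Generation alphabet: upper, lower, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample vault (site -> password) showing the pattern the
# commentators warn about: one password shared by two forums and a work mailbox.
SAMPLE_VAULT = {
    "xbox360iso.example": "gamer2015",
    "pspiso.example": "gamer2015",
    "work-mail.example": "gamer2015",
    "bank.example": "K7#q!vP2zR9w$eLm",
}


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password using a CSPRNG (secrets, not random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly random string of `length` over `alphabet`.

    This is the guessing-resistance of a *generated* password; a human-chosen
    password like 'gamer2015' is far weaker than its length suggests.
    """
    return length * math.log2(len(set(alphabet)))


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map every password used for more than one site to the sites that share it.

    Plaintext comparison is acceptable here because the vault never leaves the
    local process; a real manager compares decrypted entries in memory the same way.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def sites_hit_by_leak(vault: dict[str, str], leaked_passwords: set[str]) -> list[str]:
    """Sites whose stored password appears in a leaked set: these need rotating first."""
    return sorted(site for site, pw in vault.items() if pw in leaked_passwords)


def build_unique_vault(sites, length: int = 24) -> dict[str, str]:
    """Give every site its own freshly generated password (the fix for reuse)."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    # Constructed: suppose 'gamer2015' turned up in the forum dump.
    print("rotate first:", sites_hit_by_leak(SAMPLE_VAULT, {"gamer2015"}))
    fixed = build_unique_vault(SAMPLE_VAULT)
    print("after regeneration, reused:", find_reused_passwords(fixed))
    print(f"24-char generated password ~ {entropy_bits(24):.1f} bits")
```

Two design points: `secrets.choice` is used because `random` is a Mersenne Twister whose output is predictable after observing a few values, and the entropy figure only holds for passwords that were actually generated uniformly, which is why the audit flags reuse rather than trying to score human-chosen strings.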
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.