Players of Funcom games have been told that forums associated with four of the developer’s online games have suffered a data breach, with the studio resetting all passwords as a precaution. The news was delivered via emails to affected players and a notice on the studio’s website, with the Norwegian company claiming forum accounts on TheSecretWorld.com, AgeofConan.com, Anarchy-Online.com and LongestJourney.com had been “compromised by a third party.”
This comes almost immediately after gaming giant Epic Games suffered a massive data breach in which login credentials of 800,000 plus registered from Unreal Engine and Unreal Tournament forum were stolen. Robert Capps, VP of business development at NuData Security commented below.
Robert Capps, VP of Business Development at NuData Security:
“It’s becoming more and more important to realise that all data stolen in these breaches is valuable to hackers, not just passwords. For example, they can use your social accounts to scrape important identity information. They’ll use this information, like your grandmother’s name, your spouse’s name, your date of birth or your employer, to test your account passwords and 2 factor authentication. Once they gain entry they’ll compile even more data.
The fact is that every little bit of data identity thieves steal in these breaches is valuable and will be sold on the dark web. Data thieves sell this information to aggregators, who cross-reference and compile full identities. This increases the value and usefulness of the stolen data, which may have been gathered from multiple data breaches.
A full identity then allows a cyber-criminal to take over accounts, file a tax return or create new bank accounts under an actual person’s name. These actions cannot be traced back to the fraudster and can cause problems for the fraud victim for years down the road. In a New York Times article, a reporter details how a recent healthcare data breach exposed his child to identity theft that could dog her for the rest of her life, because her Social Security number was stolen.
Stolen data has repercussions for the victims, sometimes for years to come; this is the ripple effect of cybercrime. Small data breaches appear on the surface to be minor losses of data, but they can quickly expand out across the digital waters, converging into a wave of personal information so detailed that undoing the damage is next to impossible.
There is a hierarchy of value on the Dark Web for stolen data. Full consumer identities sell for as little as $5 a piece, but require a more in-depth and risky scam to realise value. Working user accounts with a payment method attached go for $27 each and can translate into hundreds to thousands of dollars in stolen money and merchandise.
It only makes practical sense, then, that account takeover (ATO) has become a new favourite fraud tactic. In account takeovers, fraudsters attempt to hijack valid user accounts instead of creating new accounts. ATOs can be automated or can be done with small human teams. Helping out the scammers are middlemen who play a key role in testing the login credentials before they are used again to commit actual fraud.
The best protection is to use solutions that make all this information irrelevant to hackers. It’s possible to verify accounts based on much more robust behaviour profiles, not just username and password. Doing this, even if a hacker did have all the valid credentials, they’d never get in because they just can’t replicate the behaviour of a valid user. Presto! Let’s start making these breaches pointless.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.