Hacking alert service PwnedList has discovered that more than 8 million email addresses and encrypted passwords from a gaming website have been published online, according to a report in Forbes.
The passwords, email addresses and user names were taken from free-to-play online gaming site Gamigo — publisher of games such as "Dungeon Empires" and "Cultures Online." And although the site is based in Germany, according to PwnedList, 3 million American accounts were among the stolen data.
"It's the largest leak I’ve ever actually seen," PwnedList founder Steve Thomas told Forbes.
It's certainly the largest this year — following other significant breaches at LinkedIn, eHarmony and Last.fm.
Forbes reports that the stolen user information was posted to Inside Pro, a password-cracking forum, and remained there until late last week.
Gamigo first reported the hack back in early March with this post to its community members:
As you have all already noticed, our game servers, websites and forums are partially unreachable at the moment. We would like to explain to you what happened and what has been done on our side.
There was an attack on the gamigo database in which user information, such as alias usernames and passwords, was stolen. An excerpt from these was published in the gamigo forums. We detected the attack and are working to the utmost of our resources to repair the damage and determine how it happened.
Your character data, including items, is safely stored on the backup! We cannot rule out that the intruder(s) is/are still in possession of additional personal data, although to date we have received no report of any fraudulent use.
To prevent any unauthorized access to your account, we have reset all passwords for the gamigo Account System and for all gamigo games!
But the trouble wasn't over at that point. On July 6, the hacker posted the pilfered passwords and other info on Inside Pro. The post was then discovered by PwnedList.
The information has since been removed. And though the data was hashed to make it difficult to decipher, it's highly likely hackers were able to decode much of it. Certainly anyone who used the same personal information on other sites should be sure to change their passwords.
You can also check PwnedList’s site to find out if your information was among that released.
I have contacted Gamigo for comment and will update this story when they respond.