1.5 million. That’s the number of user records that were breached in the Esports Entertainment Association League (ESEA) hack in late 2016. Compared to the rest of the world, this breach is barely a drop in the ocean; AOL had 92 million records compromised in 2005, eBay had 145 million records compromised in 2014, and, more relevant to gaming, Sony PlayStation Network had 77 million records compromised in 2010. Cybercrime targets any and all information because, ultimately, it will generate profit, either through ransom or on the “dark web”. The esports industry is no exception, and serious emphasis needs to be placed on improved cyber security by tournament organisers and esports organisations alike.
The ESEA breach in 2016 was a specific type of attack: a ransomware attack. For those unfamiliar with the term, a ransomware attack encrypts all information on the infected device/PC and demands a ransom, normally in bitcoin or another cryptocurrency, to be paid for the return of the information. Essentially, if your computer is infected, all your personal files, including family photos, tax reports and anything else you have, will be locked by a password that you do not know, and you will not be able to access them. As a side note, it is best practice to never pay the ransom on the promise that your files will be unlocked, as there is no guarantee that the malicious software will actually return your stolen assets, and, depending on the payment method, it could harvest your banking information. You might have heard of the WannaCry ransomware attack in May 2017; this specific attack was estimated to impact more than 200,000 computers across 150 countries in only 4 days. WannaCry had serious impacts – it rendered entire businesses useless as they had no access to any functionality, including hospital life support systems, fabrication factories and car production lines. Thankfully, the ESEA breach was not as significant. While the millions of records breached should not be understated, ESEA’s core business model was not impacted or damaged. ESEA refused to pay the ransom (notably at $100,000), isolated the breached database, and contacted the FBI for investigation.
ESEA exercised a reasonable level of due diligence in handling the breach. They quickly isolated and applied a patch to the compromised server, which prevented the rest of the information stored at ESEA from being breached, and contacted legal authorities to gain assistance and advice on the appropriate next steps. However, all of the activity performed by ESEA was purely reactive; the incident had the potential to be avoided entirely if appropriate preventative controls were in place. Interestingly, ESEA state that all the passwords stored on their compromised database were hashed, which should make them incredibly difficult to compromise. Hashing, in essence, runs each password through a one-way function that outputs a fixed-length, seemingly “random” string of numbers and letters. All passwords, regardless of their actual length, will appear as a string of gibberish that is the same length as all the other passwords stored. To learn more about hashing and encryption, we recommend this article from gooroo. Hashing passwords is much better than simple encryption, or worse yet, storing the passwords as cleartext, but the larger issue still remained for ESEA – how did the database get compromised in the first place?
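The fixed-length property described above, shown as an added example (this is not code from the original article or from ESEA). It goes slightly beyond the text by adding a per-user random salt and a deliberately slow hash (PBKDF2-HMAC-SHA256); the iteration count, the record format and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; nothing here reflects ESEA's real settings.
ITERATIONS = 600_000
SALT_LEN = 16   # bytes of random salt per user
HASH_LEN = 32   # bytes of derived hash


def hash_password(password, salt=None):
    """Return a storable record 'salt_hex$hash_hex' for the password."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=HASH_LEN
    )
    return salt.hex() + "$" + digest.hex()


def verify_password(password, record):
    """Re-derive the hash with the stored salt and compare in constant time."""
    try:
        salt_hex, _ = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash the login path
    return hmac.compare_digest(hash_password(password, salt), record)


if __name__ == "__main__":
    # Constructed sample passwords of very different lengths.
    short = hash_password("abc")
    long_ = hash_password("correct horse battery staple " * 5)
    print(len(short), len(long_))              # same stored length for both
    # Two users choosing the same password get different records (salt differs).
    print(hash_password("hunter2") == hash_password("hunter2"))
    print(verify_password("abc", short), verify_password("abd", short))
```

Because the salt is stored next to the hash, a stolen database still lets an attacker test guesses one account at a time, which is why the slow hash function and the strength of each password both matter.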
Among the information leaked were usernames, hashed passwords, hashed security questions, IP addresses and private messages. Of the group, the IP addresses and private messages should immediately be flagged as the high-risk items. IP addresses allow the hacker to know where you are accessing your device from, down to the city or town. This poses a great threat to people in domestic violence situations, as well as those with disgruntled exes. If a breached IP address falls into the wrong hands, the individual now has the power to find out what location you are accessing the internet from. The importance of private messages goes without saying – the messages are private for a reason. Individuals are placing their trust in ESEA to protect their private conversations from any outside listeners. This breach has brought much scrutiny of ESEA’s safeguarding mechanisms, and has raised the ethical dilemma of why ESEA (and other companies) store private conversations in the first place.
ESEA’s breach two years ago exemplifies the rising importance of proactive cyber security practices. New cyber security threats are emerging every day, and large-scale companies are not as safe as they once thought, with British Airways as one of the latest victims. It is only a matter of time until esports organisations are large enough to have a target painted above their heads, and we need to be ready for that inevitable future.
Have a topic in mind you would like us to write about? Want to learn more about cyber security and how you can increase good cyber practices at your esports organisation? Feel free to contact the Re:Cover team at firstname.lastname@example.org; we are always happy to answer any questions you might have.