At the end of December, the online competition portal ESEA was hacked. The site itself confirmed the news and explained what happened:
Following an incident that took place earlier this week, ESEA hereby issues an important security update for all users. Please read this carefully.
What happened?
On Tuesday, 27 December, 2016 we were made aware of a security breach of the ESEA website database and the potential theft of certain user account information. It appears that the user data that might have been taken included usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers. All ESEA user account passwords are using bcrypt, an industry best practice for securing passwords.
ESEA does not store any sensitive payment information (credit card, bank account, etc.), so any payments made on the ESEA website, or through third parties, have not been compromised. No ESEA Client and anti-cheat systems have been impacted in this incident. Neither the ESEA Client itself, nor data related to the ESEA Client, was accessed through this incident.
What are we doing to protect your account?
We are enforcing the following procedures with all accounts to make sure any compromised user data is no longer being used:
Password reset
MFA reset
Security question reset
General recommendation: what can you as a user do to protect your account?
As a standard security best practice, we encourage users to consider the following measures:
Change your passwords and security questions/answers for any other accounts on which you used the same or similar information used for your ESEA account, and review any such accounts for any suspicious activity
Use passwords specific to each website you hold accounts at
Be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information
We apologize that this incident has taken place. ESEA takes the security and integrity of customer details and information very seriously and we are doing everything in our power to investigate this incident, establish precisely what has been taken, and make changes to our systems to mitigate any further breaches.
Click here for the FAQ and please open an ESEA support ticket if you have any questions.
https://play.esea.net/index.php?s=news&d=comments&id=14932
https://play.esea.net/?s=content&d=securityupdate
However, the scope of the cyberattack is now known: the information of 1.5 million users has been compromised. The data obtained by the attackers is: city, state (province), last login, first name, last name, nickname, bcrypt hash, email address, year of birth, postal code, phone number, website, Steam ID, Xbox ID, and PSN ID.
ESEA has issued the following statement:
Recently news has been made that ESEA’s user data has been leaked online. We expected something like this could happen but have not confirmed this is ESEA’s data. We notified the community on December 30th, 2016 about the possibility this could happen. The type of data and storage standards was disclosed. We have been working around the clock to further fortify security and will bring our website online shortly when that next round is complete. This possible user data leak is not connected to the current service outage.
It also appears that the attackers tried to extort ESEA, demanding a payment of $50,000; in exchange for having their demands met, they would stay silent and help ESEA improve its security, but management did not agree.
News source: ESEA hacked, 1.5 million records leaked after alleged failed extortion attempt
Edit: ESEA gives its own account of what happened: https://play.esea.net/index.php?s=news&d=comments&id=14936