Town of Salem: BlankMediaGames - Hacked
On 12/28/2018 we’ve received an email regarding the popular online RP game “Town Of Salem”s breach. The sender, who wishes to be anonymous at this time, provided DeHashed with evidence of server access and provided the complete database for disclosure. We’ve reached out to BlankMediaGames regarding a statement and to provide assistance with securing their servers.
Town of Salem is a browser-based game that challenges players on their ability to convincingly lie as well as detect when other players are lying. The game ranges from 7 to 15 players. These players are randomly divided into alignments – Town, Mafia, and Neutrals. If you are a Town member (the good guys) you must track down the Mafia and other villains before they kill you. The catch? You don’t know who is a Town member and who is a villain. If you are an evil role, such as a Serial Killer, you secretly murder town members in the veil of night and try to avoid getting caught. – Wikia
Here’s an analysis of what we found. This is the first time the company has ever seen any kind of breach, ironically it was caused by a entree-level vulnerability known as “LFI” / “RFI”.
The data affected, includes but is not limited to:
Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment Information. With some of the users who paid for certain premium features having their billing information/data breached as well.
The total row count is: 8,388,894, with 7,633,234 unique email addresses.
Top 50 Email Providers – BlankMediaGames
| count | |
|---|---|
| gmail.com | 4530276 |
| hotmail.com | 928706 |
| yahoo.com | 662824 |
| outlook.com | 158033 |
| icloud.com | 93557 |
| aol.com | 77929 |
| live.com | 75164 |
| hotmail.co.uk | 63992 |
| comcast.net | 26435 |
| web.de | 24999 |
| ymail.com | 23881 |
| mail.ru | 23851 |
| google.ca | 20984 |
| seznam.cz | 17693 |
| wp.pl | 16875 |
| gmx.de | 16500 |
| msn.com | 15472 |
| googlemail.com | 14818 |
| live.co.uk | 14800 |
| me.com | 14614 |
| yahoo.co.uk | 14601 |
| abv.bg | 14538 |
| hotmail.fr | 14040 |
| rocketmail.com | 13263 |
| mail.com | 13036 |
| hotmail.ca | 11457 |
| live.nl | 11094 |
| yahoo.ca | 10702 |
| live.ca | 9986 |
| o2.pl | 9260 |
| hotmail.de | 8992 |
| windowslive.com | 8910 |
| att.net | 8899 |
| live.se | 8551 |
| sbcglobal.net | 8436 |
| yopmail.com | 7938 |
| hotmail.it | 7243 |
| verizon.net | 7121 |
| yahoo.de | 6994 |
| aim.com | 6855 |
| trbvm.com | 6831 |
| yandex.ru | 6785 |
| hotmail.se | 6595 |
| mvrht.net | 6200 |
| live.dk | 5959 |
| cox.net | 5741 |
| btinternet.com | 5480 |
| live.com.au | 5454 |
| hotmail.es | 5322 |
| yandex.com | 5259 |
In conclusion, this is the first for BlankMediaGames, with 8M Players being directly affected in the breach. We’ve reached out to them via email, and phone to assist in removing malware from their servers which is still infected, and to notify them regarding the breach. Hopefully they release a statement soon.
We have since provided the data to Troy Hunt of HaveIBeenPwned. We’ve also teamed up with multiple other security researchers in attempts to minimize the damage done by this breach. A special thanks goes out to all those who have provided assistance, the original person who sent us a copy of the data, & Troy Hunt.
Update: We have made numerous attempts to contact BlankMediaGames, both over phone and over email. They have yet to release a statement, we can no longer wait on publishing this as it has been well over 5 days.
Friday, 12/28/2018 – 11:33 AM PST – Emailed BlankMediaGames
Friday, 12/28/2018 – 12:33 PM PST – Called BlankMediaGames
Saturday, 12/29/2018 – 15:01 PM PST – Emailed BlankMediaGames
Saturday, 12/29/2018 – 15:12 PM PST – Called BlankMediaGames (No Answer)
Sunday, 12/30/2018 – 09:12 AM PST – Emailed BlankMediaGames
They have received our emails per our original voice conversation, but are yet to respond or even acknowledge either the breach or the emails.
Update: We’ve handed over everything to BlankMediaGames, they have found and removed multiple backdoors on their server. They’ve made an official announcement here. Please keep in mind the timing of this incident DID NOT help them at all.
Update: BlankMediaGames asked us to put this part in. Payment information includes Email, Full Names, Billing & Shipping addresses, IP Information, Payment Amount, and other details. No Credit Card Numbers.