The American and European websites of Koei Tecmo remain down, informing visitors of an external cyberattack that obliged the Japanese gaming company to launch an investigation into the issue. Considering that the attack took place ten days ago, the prolonged outage is notable, as one would expect the firm to have resolved the problem by now. Unfortunately for them, the reason for the persistence is that the hackers who stole sensitive data and published it on hacker forums have also planted a web shell that is still alive.
The listing for the sale of the SQL database details the existence of 65,000 records comprising the email addresses, IP addresses, hashed passwords, usernames, and dates of birth of forum members. The seller claims that the data breach was the result of a successful spear-phishing campaign launched against the gaming company's employees, and adds that the access shell is still alive today. Access to the exfiltrated database is sold for 0.05 BTC ($1,350), while access to the live shell is priced at 0.25 BTC ($6,750). That certainly explains the extended downtime of the websites.
According to intelligence we gathered with the help of KELA, the database first appeared on the dark web on December 20 and was sold to at least six users. On December 23, the seller decided to leak everything for free. The seller's initial promise was that whoever bought the shell access would get it exclusively, and the listing would then be retracted.
Koei Tecmo, the maker of several notable Japanese games for PC and consoles, has stated that they don't see any signs of this being a ransomware event. Moreover, they clarify that participation in the forums is optional, so only a small subset of their customer base has been affected by the incident. If you use different credentials to access the game, you are totally unaffected. Even if you use the same credentials, your accounts should be safe, as the passwords are hashed. You should reset your password in any case.
Since email addresses are in the hands of hackers, it is possible that you will be on the receiving end of phishing emails or scam attempts. Beware of this possibility and treat unsolicited communications with extra caution, especially those claiming to come from 'Koei Tecmo' and informing you about this very data breach.
UPDATE: The hacker responsible for the breach and the listings has sent us the following message to explain why the data was eventually released for free:
"I released it after they removed the web shell but had not let users know or had made GDPR aware within guidelines. From 25 May 2018, the General Data Protection Regulation (GDPR) introduces a requirement for organizations to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals. Organizations must do this within 72 hours of becoming aware of the breach.
72 hours is key here, and while I may not be the most ethical person, I care a lot when it comes to user security and privacy, and if companies refuse to use simple encryption techniques to protect user data from the fallout of a cyber attack, I will keep attacking them. If they do not adhere to guidelines set by the people, they will face fallout.
They could spend just a few extra shekels to encrypt user information with ten rounds of bcrypt, and WHEN, not IF, there is a cyber attack, users will be protected to an extent; but they refused to do that over the cost of processing power and instead chose to use a weak salted MD5 hashing algorithm from 1992. They refused to update their systems to divert a cyber attack, and that was their responsibility with 65,000 user records."
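The contrast drawn above between a single salted MD5 pass and a hash with a tunable work factor, illustrated as an added example that is not part of the article or of Koei Tecmo's systems. Python's hashlib has no bcrypt, so scrypt stands in for it; the record format, the salt values and the `login_and_upgrade` migration step are constructed for this example.

```python
import hashlib
import hmac
import os
import time

# hashlib has no bcrypt; scrypt stands in. N is the work factor (the analogue of a bcrypt cost).
SCRYPT_N = 2 ** 14

def legacy_md5_record(password: str, salt: bytes) -> str:
    """The weak scheme: one MD5 pass over salt || password. The salt defeats rainbow tables, but MD5 is so fast that each record can still be guessed offline at high speed."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"md5${salt.hex()}${digest}"

def scrypt_record(password: str, salt: bytes, n: int = SCRYPT_N) -> str:
    """Memory-hard KDF with an explicit cost; the cost is stored so it can be raised later."""
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return f"scrypt${n}${salt.hex()}${dk.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the record from its own scheme, salt and cost, then compare in constant time."""
    scheme, *fields = record.split("$")
    if scheme == "md5":
        salt_hex, _ = fields
        expected = legacy_md5_record(password, bytes.fromhex(salt_hex))
    elif scheme == "scrypt":
        n, salt_hex, _ = fields
        expected = scrypt_record(password, bytes.fromhex(salt_hex), int(n))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(expected, record)

def login_and_upgrade(password: str, record: str) -> tuple:
    """On a successful login against an MD5 record, rehash with scrypt: this is how stored hashes get migrated without the site ever holding plaintext passwords in bulk."""
    if not verify(password, record):
        return False, record
    if record.startswith("md5$"):
        record = scrypt_record(password, os.urandom(16))
    return True, record

def cost_ratio(password: str = "correct horse", salt: bytes = b"\x00" * 16, rounds: int = 200) -> float:
    """How many salted-MD5 guesses fit in the time of one scrypt guess, i.e. the slowdown an offline attacker faces per record."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        legacy_md5_record(password, salt)
    md5_each = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    scrypt_record(password, salt)
    return (time.perf_counter() - t0) / md5_each
```

On a typical laptop `cost_ratio()` comes out in the tens of thousands, which is the whole argument for a work factor: the same leaked table takes that many times longer to guess through.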