Image: Sandbox Interactive GmbH
A hacker has breached the forum of Albion Online, a popular free medieval fantasy MMORPG, and stole usernames and password hashes, the game maker disclosed on Saturday.
“The intruder was able to access forum user profiles, which include the email addresses connected to those forum accounts,” said Sandbox Interactive GmbH, the company behind Albion Online.
The attacker also harvested encrypted passwords. Sandbox Interactive said the passwords were hashed with the Bcrypt password-hashing function and then salted with random data to make it harder for attackers to reverse and crack the password.
“These can NOT be used to log in to Albion Online, the website
or the forum, nor can they be used to learn the passwords themselves,” the German game maker said.
“However, there is a small possibility they could be used to identify accounts with particularly weak passwords.”
Users who reused emails and passwords for both their game and forum account are at particular risk.
As a result of the unauthorized intrusion, the game maker asked forum users to reset passwords via a forum post on Saturday, and emails delivered to all impacted users.
The company did not disclose the size of the breach.
Sandbox Interactive said the intrusion took place on Friday, October 16, and the attacker utilized a vulnerability in its forum platform, known as WoltLab Suite.
The vulnerability is now patched, the game maker said.
Our forum has gone down for an emergency maintenance that will last several hours. The game and website will remain online and will not be affected by this maintenance.
— Albion Online (@albiononline) October 16, 2020
Sandbox Interactive said it’s compiling a report on the attack to provide to authorities.
“So far we have prioritized fixing vulnerabilities and informing players about this incident,” it said.
Albion Online was launched in July 2017 and is available as a free-to-play game for Windows, macOS, Linux, iOS, and Android.
The game is believed to have more than 2.5 million players, while the Albion Online forum lists 293,602 registered members at the time of publishing.
On Saturday, a hacker claimed to be in possession of the site’s database, which they began advertising for sale on a well-known hacker forum. The post has now been deleted.
Threat actor claims he hacked Albion Online, a large MMORPG with over 180,000 daily players.
The actor is claiming he has access to the main game’s database, the payment database, and other databases containing sensitive information. pic.twitter.com/M8Qk3pI2rK
— Alon Gal (Under the Breach) (@UnderTheBreach) October 17, 2020