A database containing over 1.2 million user records from the popular MMO Stalker Online is being sold on hacker forums. Another database, which allegedly contains more than 136,000 user records from the Stalker Online forums, is being sold separately.
Stalker Online is a free-to-play, post-apocalyptic MMORPG developed by Australian studio BigWorld Technology, a subsidiary of Wargaming.net. The game is especially popular among hardcore gamers in Russia and Eastern Europe, and is available in both English and Russian.
The user records stored in the database include the players’ usernames, passwords, email addresses, phone numbers, and IP addresses.
How we found this database
As part of our dark web monitoring project, we regularly visit multiple darknet marketplaces and hacker communities in order to help prevent cybercriminals from taking advantage of large-scale data breaches. On May 5, we noticed a thread with the Stalker Online database posted on a popular hacker forum.
As proof of a successful cyberattack against the server, the hacker posted a link to a page on the Stalker Online website that proved that they had “personally hacked” and placed their “tag” on the server.
In order to verify the data posted for sale, notify the game developer, and point out the exact accounts that need a password change, a CyberNews researcher bought the database from the hacker.
After running our own tests, we have determined that the user records stored in the hacked Stalker Online database samples we analyzed are genuine and the email addresses therein are deliverable.
We tried to contact representatives from BigWorld Technology and Wargaming.net on several occasions in order to help the developers identify the hacked accounts, but we did not receive a reply from either company.
We then reached out to the e-commerce platform that hosted the hacker’s digital storefront on May 29, and they were able to remove the storefront on the same day.
What’s in the hacked Stalker Online database?
The hacked player account database contains 1,289,084 Stalker Online player records, including:
- Account passwords (MD5 hashed and salted)
Example of leaked user records:
The Stalker Online account passwords stored on the database were hashed using the ineffective MD5 hashing algorithm and salted for an additional layer of security. While better than storing passwords in plain text, cracking and converting MD5 salted passwords to plain text is still possible within a reasonable timeframe and without too much effort.
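For a service that holds salted MD5 password hashes like those described above, one common mitigation is to re-hash each password with a slow, memory-hard function the next time the user logs in. The sketch below is an added example, not code from the game or its developers; the md5(salt + password) layout, the record field names, and the scrypt cost parameters are all assumptions.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (about 16 MiB of memory per hash); tune per host.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_md5(password: str, salt: bytes) -> str:
    # Assumption: the legacy scheme is hex(md5(salt || password)).
    # The page does not state the actual construction used by the game.
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def scrypt_hash(password: str, salt: bytes) -> str:
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return dk.hex()


def new_record(password: str) -> dict:
    # Fresh random salt for every stored password.
    salt = os.urandom(16)
    return {"scheme": "scrypt", "salt": salt, "hash": scrypt_hash(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> bool:
    """Check a login attempt; on success, replace a legacy MD5 record with scrypt."""
    if record["scheme"] == "md5":
        candidate = legacy_md5(password, record["salt"])
    elif record["scheme"] == "scrypt":
        candidate = scrypt_hash(password, record["salt"])
    else:
        return False  # unknown scheme: fail closed
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(candidate, record["hash"]):
        return False
    if record["scheme"] == "md5":
        # The plaintext is only available at login, so upgrade the record now.
        record.update(new_record(password))
    return True


if __name__ == "__main__":
    # Constructed sample record, not taken from the leaked data.
    salt = b"constructed-salt"
    rec = {"scheme": "md5", "salt": salt, "hash": legacy_md5("example-pass", salt)}
    print(verify_and_upgrade(rec, "example-pass"), rec["scheme"])
```

Records for accounts that never log in again stay on MD5 under this approach, so those accounts still need a forced password reset.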
Who had access?
Both databases were hosted on Shoppy.gg and were available for anyone to download for several hundred euros worth of Bitcoin. It’s currently unknown if anyone else bought and downloaded the databases, but we assume that anyone who had money to spare and knew where to look could have accessed the databases during the exposure period.
As of May 29, after we contacted the e-commerce platform that hosted the hacker’s digital storefront, the Stalker Online databases have been removed from the platform.
However, the fact that the storefront was operational for almost a month may suggest that copies of the database containing 1.2 million user records may have been sold on the black market to multiple buyers. In addition, the removal of the databases from the e-commerce platform does not preclude the hacker from putting them up for sale someplace else.
This means that all Stalker Online players should consider their records to still be compromised.
What’s the impact?
The data found in the hacked Stalker Online database can be used in a variety of ways against the players whose information was exposed, including the following:
- Using credential stuffing to hack the players’ accounts on other gaming platforms like Steam
- Holding players’ game accounts ransom
- Using the data from the database to mount targeted phishing attacks
- Spamming the victims’ emails and phones
- Brute-forcing the passwords of the email addresses
Since Stalker Online is a free-to-play game that incorporates microtransactions, malicious actors could also make a lot of money from selling hacked player accounts on the gray market.
Fortunately, the stolen 1.2M database does not contain any extremely sensitive information like credit card numbers, passport IDs, or social security numbers. However, even email addresses and “salted” passwords can be enough to take over additional accounts in case the victims use the same login details across multiple online services.
What to do if you’ve been affected
If you have a Stalker Online account, change your password immediately. If you’ve been using an identical password for other online services, make sure to change it on other websites as well.
Using a unique password for each service that you sign up for will prevent attackers from reusing your password for credential stuffing attacks in order to compromise more than one of your accounts.
Following our vulnerability disclosure guidelines, we notified the developers and their parent company Wargaming.net about the leak on May 8, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
On May 29, we contacted shoppy.gg, the e-commerce platform where the hacker hosted both Stalker Online databases, with a request to remove the digital storefront. On the same day, they were able to remove it from the platform.