French video games leak user passwords

Published: 30 March 2023
Last updated: 3 April 2023
French game data leak
Image by Cybernews

The French web-based games ‘Play Glory’ and ‘Play Astra’ accidentally spilled the passwords of 50,000 players.

  • French web-based games Play Glory and Play Astra exposed private data to the public.
  • The sensitive data exposed were usernames, passwords, security questions and answers, proxy addresses, and their credentials.
  • Attackers could have exploited the data to hijack users’ accounts and launch credential-stuffing attacks.

Cybernews discovered a publicly available database with 50,000 user account data entries.

ADVERTISEMENT

Leaked data included usernames, passwords, security questions, answers, subscription status, and subscription expiration dates – all stored in plaintext format.

Researchers attributed the database to French web-based games Play Glory and Play Astra. Cybernews reached out to the developers, and at the time of writing, access to the database was secured.

Password leak

The researchers first found the leak on October 21, 2022. Along with private user account-related data, the database also spilled tens of thousands of proxy addresses, credentials to access them, and internet protocol (IP) addresses for live and testing servers. The database was hosted by Hetzner, a data-center operator in Germany.

At first, researchers could not determine the owner of the leaked database. The database's hosting IP did not have any certificates assigned to it, and there were no web servers hosted on it that could disclose the owner's identity.

However, by analyzing the naming and structure of the database, researchers attributed it to the games Play Glory and Play Astra.

Screenshot of leaked user passwords | Image by Cybernews
Screenshot of leaked user passwords | Image by Cybernews

Risk of account hijacking

ADVERTISEMENT

The database contained a large number of plaintext credentials, thereby providing malicious actors with the opportunity to hijack user accounts.

Using Sherlock, or similar tools that can identify accounts belonging to the same person, attackers could have scanned the web for usernames found in the database and launched credential-stuffing attacks by utilizing the leaked passwords.

Even if the passwords used for other accounts differed, reusing security-question answers could enable an attacker to reset the password for the targeted account, effectively locking out the rightful user.

Proxy addresses and their credentials are also valuable prey for potential threat actors. By exploiting leaked credentials, attackers could use a compromised proxy rather than their own to carry out attacks, making it harder to trace the source of the attack back to them.

Screenshot of leaked proxy credentials | Image by Cybernews
Screenshot of leaked proxy credentials | Image by Cybernews

Companies still storing passwords in plaintext

Cybernews researchers remind users that passwords stored in plaintext are a dangerous security misstep, leaving systems vulnerable to hacking and data breaches, as anyone accessing the database can read and use the stored passwords.

To mitigate the risks, passwords should always be stored in a hashed and salted format. Hashing the password into a unique irreversible string of characters makes cracking them more unlikely. Salting adds random characters to passwords, making hashes even harder to crack.

Yet, as revealed by previous Cybernews research, even major companies are not immune to the exposure of passwords due to a simple human error.

For example, multinational media conglomerate Thomson Reuters was leaking sensitive user and corporate data, including third-party server passwords in plaintext format through a publicly accessible database.

ADVERTISEMENT

Although the company took immediate action to fix the issue, the 3TB of sensitive data was accessible for several days: malicious bots can discover publicly available instances in just a few hours.

Cybernews researchers believe the exposed data would be worth millions of dollars on underground criminal forums, because of the potential access it could give to other systems.

Strong passwords essential

Research shows that people still use weak passwords – last year we reported that nearly one in every 200 passwords is 123456. Cybercriminals can breach accounts with weak passwords in seconds.

To safeguard against potential risks, Cybernews recommends creating strong passwords by adding unique characters, using upper and lowercase letters in combination with numbers, to significantly prolong password-cracking time.

The easiest way to create barely crackable passwords is by using a password generator. Furthermore, using Cybernews' tools, you can always check if personal data or passwords have been compromised.

Share
Post
Share
Share
Share
More from Cybernews
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked