A database containing over 1.2 million user records from the popular MMO Stalker Online is being sold on hacker forums. Another database, which allegedly contains more than 136,000 user records from the Stalker Online forums, is being sold separately.
Stalker Online is a free-to-play, post-apocalyptic MMORPG developed by Australian studio BigWorld Technology, a subsidiary of Wargaming.net. The game is especially popular among hardcore gamers in Russia and Eastern Europe, and is available in both English and Russian.
According to a PR Representative from Stalker Online, the sale of these user records is the result of an attack on Stalker Online’s MSK server in early May. In that attack the hacker-for-hire known as Instakilla stole the data and defaced Stalker Online’s homepage.
The user records stored in the database include the players’ usernames, passwords, email addresses, phone numbers, and IP addresses.
To see if your data has been exposed in the Stalker Online or other security breaches, try our personal data leak checker.
How we found this database
As part of our dark web monitoring project, we regularly visit multiple darknet marketplaces and hacker communities in order to help prevent cybercriminals from taking advantage of large-scale data breaches. On May 5, we noticed a thread with the Stalker Online database posted on a popular hacker forum.
As proof of a successful cyberattack against the server, the hacker posted a link to a page on the Stalker Online website that proved that they had “personally hacked” and placed their “tag” on the server.
In order to verify the data posted for sale, notify the game developer, and point out the exact accounts that need a password change, a CyberNews researcher bought the database from the hacker.
After running our own tests, we have determined that the user records stored in the hacked Stalker Online database samples we analyzed are genuine and the email addresses therein are deliverable.
We tried to contact representatives from BigWorld Technology and Wargaming.net on several occasions in order to help the developers identify the hacked accounts, but we did not receive a reply from either company.
We then reached out to the e-commerce platform that hosted the hacker’s digital storefront on May 29, and they were able to remove the storefront on the same day.
After we published the story, a representative from Stalker Online contacted us to clarify how the attack happened.
According to the representative, “In the morning of 11 of May, we saw that our website was hacked and on its frontpage was a message from a hacker called INSTAKILLA.” (Instakilla is the same hacker who attacked Bulgaria’s National Revenue Agency in 2019.) They immediately took the site and servers offline to identify the exploit and fix it.
Stalker Online assured us that all their passwords were “encrypted” (the samples we analyzed show they were in fact stored as salted MD5 hashes, which is hashing rather than encryption), but they nevertheless performed a forced password reset for some users.
The representative said that the database and website have now been “reworked to exclude opportunities of possible attacks.” They also stated that they have not found any instances of stolen user accounts being used, and that a two-step verification process is in place to protect accounts.
What’s in the hacked Stalker Online database?
The hacked player account database contains 1,289,084 Stalker Online player records, including:
- Account passwords (MD5 hashed and salted)
- Email addresses
- Phone numbers
- IP addresses
Example of leaked user records:
The Stalker Online account passwords stored in the database were hashed with MD5, a fast general-purpose hash that is unsuitable for password storage, with a per-account salt. Salting stops precomputed (rainbow-table) lookups and forces every account to be attacked separately, but it does not make an individual guess any more expensive: the salt is stored next to the hash, so each guess still costs one MD5 computation, which a single commodity GPU can perform billions of times per second. While better than storing passwords in plain text, recovering a large share of salted MD5 passwords with wordlists and mangling rules is practical within hours to days, which is why purpose-built password hashing functions (bcrypt, scrypt, Argon2) are recommended instead.
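To make the point concrete, the following is an added example written for this article (it is not code from the leak or from the developer). It builds a few constructed rows in the shape the article describes, a salt stored beside a salted MD5 hash, runs a plain dictionary attack against them, and times one MD5 guess against one guess under a deliberately slow key-derivation function. The usernames, salts, passwords, the salt||password layout and the wordlist are all assumptions for the demo.

```python
import hashlib
import time

def salted_md5(salt: str, password: str) -> str:
    """The weak scheme: a single fast MD5 over salt || password.
    The exact concatenation order used by the game is an assumption."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def slow_kdf(salt: str, password: str, iterations: int = 50_000) -> str:
    """A purpose-built password hash for comparison (PBKDF2 here only because
    it ships with the standard library; bcrypt/scrypt/Argon2 are preferred)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()

# Constructed leak-style rows: (username, salt, md5(salt || password)).
# Everything below is invented for the example, not taken from the breach.
LEAKED_ROWS = [
    ("stalker_01", "a1b2", salted_md5("a1b2", "password123")),
    ("loner_77",   "zz9q", salted_md5("zz9q", "qwerty")),
    ("bandit",     "0x1f", salted_md5("0x1f", "Zone-Artifact!2020")),  # unique, not in wordlist
]

# A tiny stand-in for the multi-gigabyte wordlists attackers actually use.
WORDLIST = ["123456", "password", "qwerty", "password123", "stalker", "chernobyl"]

def crack(rows, wordlist):
    """Dictionary attack. Because the salt is in the row, the attacker simply
    re-hashes each guess with that salt; salting only stops precomputed tables.
    Returns {username: recovered_password} for every row that falls."""
    recovered = {}
    for user, salt, digest in rows:
        for guess in wordlist:
            if salted_md5(salt, guess) == digest:
                recovered[user] = guess
                break
    return recovered

def seconds_per_guess(hash_fn, n: int) -> float:
    """Average wall-clock cost of one guess under hash_fn (single core)."""
    start = time.perf_counter()
    for i in range(n):
        hash_fn("salt", f"guess{i}")
    return (time.perf_counter() - start) / n

def cost_ratio(md5_guesses: int = 20_000, kdf_guesses: int = 3) -> float:
    """How many times more expensive one slow-KDF guess is than one MD5 guess."""
    return seconds_per_guess(slow_kdf, kdf_guesses) / seconds_per_guess(salted_md5, md5_guesses)

if __name__ == "__main__":
    print("cracked:", crack(LEAKED_ROWS, WORDLIST))
    print(f"one PBKDF2 guess costs ~{cost_ratio():.0f}x one salted-MD5 guess")
```

The two weak passwords fall immediately; the unique, long one survives the wordlist even though it is protected by nothing more than salted MD5, which is the practical reason behind the password advice at the end of this article. The ratio printed by `cost_ratio` is what a proper password hash buys: the same wordlist costs the attacker tens of thousands of times more CPU per account.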
Who had access?
Both databases were hosted on Shoppy.gg and were available for anyone to download for several hundred euros’ worth of Bitcoin. It’s currently unknown whether anyone else bought and downloaded the databases, but we assume that anyone who had money to spare and knew where to look could have accessed them during the exposure period.
As of May 29, after we contacted the e-commerce platform that hosted the hacker’s digital storefront, the Stalker Online databases have been removed from the platform.
However, the fact that the storefront was operational for almost a month suggests that copies of the database containing 1.2 million user records may have been sold to multiple buyers. In addition, the removal of the databases from the e-commerce platform does not preclude the hacker from putting them up for sale someplace else.
This means that all Stalker Online players should consider their records to still be compromised.
What’s the impact?
The data found in the hacked Stalker Online database can be used in a variety of ways against the players whose information was exposed, including the following:
- Using credential stuffing to hack the players’ accounts on other gaming platforms like Steam
- Holding players’ game accounts ransom
- Using the data from the database to mount targeted phishing attacks
- Spamming the victims’ emails and phones
- Brute-forcing the passwords of the email addresses
Since Stalker Online is a free-to-play game that incorporates microtransactions, malicious actors could also make a lot of money from selling hacked player accounts on the gray market. Fortunately, the stolen 1.2M database does not contain any extremely sensitive information like credit card numbers, passport IDs, or social security numbers. However, even email addresses and salted MD5 password hashes, once cracked, can be enough to take over additional accounts if the victims reuse the same login details across multiple online services.
What to do if you’ve been affected
If you have a Stalker Online account, change your password immediately and enable the two-step verification the developer says is now available. If you’ve been using an identical password for other online services, make sure to change it on those websites as well.
Using a unique password for each service that you sign up for will prevent attackers from reusing your password for credential stuffing attacks in order to compromise more than one of your accounts.
Following our vulnerability disclosure guidelines, we notified the developers and their parent company Wargaming.net about the leak on May 8, 2020. However, we received no reply. Our follow-up emails were left unanswered as well.
On May 29, we contacted shoppy.gg, the e-commerce platform where the hacker hosted both Stalker Online databases, with a request to remove the digital storefront. On the same day, they were able to remove it from the platform.
Editor’s note: The article was updated on June 24, 2020, to include information from Stalker Online’s PR Representative.