The Esports Entertainment Association (ESEA), renowned within the CS:GO community for its involvement in professional Counter-Strike tournaments, has confirmed it was hacked during the Christmas period. Rumours of the hack were first verified by website LeakedSource, a searchable database of hacked accounts, before ESEA later confirmed the damage: information from over 1.5 million user accounts was leaked online following the organisation’s refusal to pay a $100,000 ransom to the hacker.
ESEA announced that they were initially contacted by the hacker on the 27th of December, by which point the hacker had breached the website’s security and gained access to servers and profiles’ data. The unknown hacker demanded $100,000 in exchange for silence and their collaboration on patching up the ESEA’s security flaw.
The Counter-Strike website published a security update on the 30th of December to warn its users about a security breach, giving recommendations to its community regarding their user information (password change, unsolicited communication, etc.), but it wasn’t enough to save many of their details from becoming publicly available.
According to ESEA, the website doesn’t store any payment information. They disclosed the personally identifiable information that may have been at stake:
“We are still investigating but believe that a large portion of the ESEA community members’ information including usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers could all have been exposed.
“All ESEA user account passwords are using bcrypt, an industry best practice for securing passwords. ESEA does not store any sensitive payment information (credit card, bank account, etc.), so any payments made on the ESEA website, or through third parties, have not been compromised.”
ESEA’s update from C “Torbull” L
Though the passwords were hashed, it remained possible that people using the leaked data could get into some users’ accounts, whether through phishing methods or sheer luck. Former professional Counter-Strike player Chad “Spunj” Burchill was one of the first victims to have his personal accounts accessed:
Looks like they must have gotten the passwords from that ESEA hack as my password has been changed 🙂 thanks @ESEA
— Chad Burchill (@SPUNJ) January 10, 2017
Yesterday, ESEA published an update on the incident, publicly announcing the leak and apologising to its community. In this update, ESEA outlined that they had notified the authorities of the breach and various updates, and were co-operating with the FBI.
Despite suffering a devastating loss, ESEA likely made the best decision in not yielding to the hacker’s demands. Doing so would have given credit to the hacker and would have been a sign of weakness from ESEA, which could have been an opportunity for other hackers further down the line. By denying this ransom and contacting the FBI, ESEA should be safe from further attacks.
Whilst this leak is not particularly damaging to ESEA’s users, provided they are wary of unsolicited contacts and the value of their passwords, it still shows a weakness within the eSports industry. The previous PlayStation Network (PSN) hack in 2011 should have been a warning for all games companies handling public data. The PSN hack reflected poorly on Sony as a result of the credit card details released into the public domain. Sony’s disaster cost the company around $171 million.
Whilst cheaters are capable of compromising the games themselves, hackers are a permanent threat to the wider eSports industry, one with the potential to dissuade investors and partners. Security needs to be a priority for any eSports business, an achievable step that will sustain the industry’s growth.