More than one million players of the video game Stalker Online have been put at risk after hackers offered their account details for sale on the darknet.
As Cybernews reports, a database containing over 1.2 million Stalker Online user records is being sold on hacking forums. Separately, another database, which is said to contain more than 136,000 records from the game’s forums, is also being offered for sale.
Cybernews says it found the database for sale on a popular hacking forum on May 5, with a link to a defaced page on the Stalker Online website offered as “proof” that the game’s servers had been hacked.
“The security of this web server has been compromised and all your files and userdata are now in our possession.
Contact us on [REDACTED] for assistance in securing your web server. If not reach within 24 hours – data gathered will be posted publicly for all to download”
Of course, a defaced webpage is not evidence of a data breach. Controversially, Cybernews purchased the user database from the hacker, and says that it was able to confirm that the samples of the Stalker Online database “are genuine and the email addresses therein are deliverable.”
Purchasing stolen data from cybercriminals makes me extremely uncomfortable. It could be argued that anyone purchasing hacked databases – whether it be security researchers, journalists, or criminal fraudsters – is encouraging further hacks to occur by generating a demand for more stolen data.
The database, which is being offered for sale for “several hundred Euros worth of Bitcoins”, contains 1,289,084 Stalker Online player records, including usernames, account passwords, email addresses, phone numbers, and IP addresses.
Passwords are MD5 hashed and salted, which is certainly better than if they were held in plaintext, but such a weak algorithm may not present much of a challenge to criminals determined to crack them.
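A salt stops precomputed lookup tables, but MD5 is very fast to compute, so each individual guess stays cheap. The following is an added example (not code from this article, Cybernews or the game's operator) of one way an operator could wrap existing salted-MD5 rows in a slow key-derivation function without needing the plaintext passwords, and then drop the MD5 layer at each user's next successful login. The salt-then-password MD5 layout, the iteration count, the row fields and all function names are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your login latency budget


def legacy_md5(password: str, salt: bytes) -> str:
    # Assumed legacy layout: hex(MD5(salt || password)).
    return hashlib.md5(salt + password.encode()).hexdigest()


def _slow(data: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def wrap_legacy_row(md5_hex: str, md5_salt: bytes) -> dict:
    """Offline step: needs no plaintext, so every stored row is upgraded at once."""
    kdf_salt = os.urandom(16)
    return {"scheme": "pbkdf2-over-md5", "md5_salt": md5_salt,
            "kdf_salt": kdf_salt, "hash": _slow(md5_hex.encode(), kdf_salt)}


def new_row(password: str) -> dict:
    kdf_salt = os.urandom(16)
    return {"scheme": "pbkdf2", "kdf_salt": kdf_salt,
            "hash": _slow(password.encode(), kdf_salt)}


def login(password: str, row: dict):
    """Return (ok, row_to_store). A wrapped row is replaced on first good login."""
    if row["scheme"] == "pbkdf2-over-md5":
        inner = legacy_md5(password, row["md5_salt"]).encode()
    else:
        inner = password.encode()
    ok = hmac.compare_digest(_slow(inner, row["kdf_salt"]), row["hash"])
    if ok and row["scheme"] == "pbkdf2-over-md5":
        row = new_row(password)  # drop the MD5 layer entirely
    return ok, row


if __name__ == "__main__":
    salt = b"constructed-salt"                  # constructed sample data
    stored = legacy_md5("correct horse", salt)  # what the old table held
    row = wrap_legacy_row(stored, salt)
    print("wrong guess accepted:", login("wrong guess", row)[0])
    print("scheme after good login:", login("correct horse", row)[1]["scheme"])
```

Once every row has been wrapped, the original MD5 column can be deleted, so a later copy of the table no longer contains any fast hash.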
Cybernews says that it contacted the ecommerce platform that was hosting the hacker’s online store, and it has now been taken offline. However, that’s no guarantee that the database will not be offered for sale elsewhere, or that no one else has already purchased it.
So, players of the free-to-play MMORPG, set in a post-apocalyptic world, should assume that their details are now compromised. Hackers may have not only your username, email address, and phone number. They may also have cracked your password.
And if you made the mistake of reusing that password anywhere else on the internet, then there is a chance they could use that information to compromise your other online accounts.
Furthermore, you should obviously be aware that you might be targeted with phishing attacks, exploiting the information contained inside the database.
According to Cybernews, the makers of Stalker Online have not responded to messages related to the security breach.