The personal information and passwords of more than 2.2 million users have been published online.
Security researcher, Troy Hunt, told Ars Technica on Tuesday, that users of GateHub a cryptocurrency wallet service and EpicBot, a gaming bot provider, had their information posted online despite being heavily encrypted.
Hunt uncovered databases online with as many as 1.4 million accounts from Gatehub, and 800,000 EpicBot accounts – all containing emails and passwords that were cryptographically hashed with technology named bcrypt.
GateHub released a statement in the summer confirming that it had been hacked, and that the perpetrator “gained unauthorized access to a database holding valid access tokens of our customers.” GitHub stated that the tokens were used to access 18,473 encrypted customer accounts. However, the recent findings show that the breach was much bigger than previously thought.
Rather than obtaining only access tokens, the perpetrators also gained access to email addresses, password hashes, mnemonic phrases and possibly wallet hashes.
The data stolen from the EpicBot leak, was published onto the same hacker forum as GateHub, and contained roughly 800,000 unique email addresses, usernames, bcrypt-hashed passwords and IP addresses
The company has not mentioned the breach on its website. Hunt’s announcement of the leak appears to be the best evidence to show that the breach did occur.
EpicBot users are urged to change their passwords as soon as possible, whilst GateHub users are urged to replace their mnemonic phrases.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/