BlankMediaGames (BMG) has confirmed a vulnerability in its popular browser game, Town of Salem, that exposed 7.6 million users' personal data. The breach has since been closed, but not before exposing information like email addresses and passwords.
The breach was first discovered after an anonymous tip was sent to online security firm DeHashed with evidence of a major vulnerability in Town of Salem. In a blog post, DeHashed said it received the tip at the end of December and the firm reached out to BMG with the news and an offer to help close the breach.
According to DeHashed, the data potentially affected in the breach includes usernames, emails, passwords, IP addresses, game and forum activity, as well as payment information. Overall, 7.6 million unique accounts were exposed in the breach.
BMG addressed the breach on the company's forums yesterday, saying it has removed three different points of vulnerability from its servers. In the meantime, the company is urging players to reset their passwords and says it will be emailing affected users shortly. Also, BMG says that despite DeHashed's findings, no credit card or payment info was stored on its servers. Usernames, hashed passwords, IP addresses, and emails were all still vulnerable, however.
Users demanded to know why it took almost a week for BMG to address the breach, as DeHashed says it first contacted the developers on December 28. BMG responded by writing in the blog, "no game creator ever wants to be in this situation and having it happen over the holiday break when everyone was away was terrible timing."
In addition to notifying users to change their passwords, BMG says it is in the process of contacting security auditing firms, is switching to a more secure forum and hashing algorithm, and is potentially reinstalling all of its servers from scratch.