Codemasters confirms attack and data breach
Attacks against the gaming sector have continued with a ‘significant' data theft against Codemasters.
The developer and publisher of games for PCs and consoles emailed users saying that unauthorised entry was gained to the Codemasters website on Friday 3rd June and as soon as the intrusion was detected, it immediately took codemasters.com and associated web services offline in order to prevent any further intrusion.
It said that following the attack, it had conducted a thorough investigation in order to ascertain the extent and scope of the breach. It discovered that the intruder was able to gain access to the corporate website and sub-domains, the Codemasters.com website, the DiRT 3 VIP code redemption page and the Codemasters EStore.
It said: “We believe the following have been compromised: customer names and addresses, email addresses, telephone numbers, encrypted passwords and order history. Please note that no personal payment information was stored with Codemasters as we use external payment providers, meaning your payment details were not at risk from this intrusion.
“Members' names, usernames, screen names, email addresses, date of birth, encrypted passwords, newsletter preferences, any biographies entered by users, details of last site activity, IP addresses and Xbox Live Gamertags are all believed to have been compromised.
“Whilst we do not have confirmation that any of this data was actually downloaded onto an external device, we have to assume that as access was gained, all of these details were compromised and/or stolen.”
It said that the Codemasters.com website will remain offline for the foreseeable future with all Codemasters.com traffic re-directed to the Codemasters Facebook page instead. A new website will launch later in the year.
It encouraged users to change any passwords they have associated with other Codemasters accounts and to be extra cautious of potential scams that ask for personal or sensitive information.
“Unfortunately, Codemasters is the latest victim in on-going targeted attacks against numerous game companies. We assure you that we are doing everything within our legal means to track down the perpetrators and take action to the full extent of the law. We apologise for this incident and regret any inconvenience caused,” it said.
Graham Cluley, senior technology consultant at Sophos, said: “Unfortunately, many internet users have chosen to use the same password on multiple websites. So if your password was stolen during the Codemasters hack, it could then be used to unlock many other online accounts and potentially cause a bigger problem for you.
“Even if you're not a Codemasters customer, it still makes sense to ensure that all of your passwords are strong and unique.”
Paul Vlissidis, technical director at NGS Secure, an NCC Group company, said: “
“The time where internet users could use online sites in such an ignorant and naïve way is long gone and this is a classic example of why people need to take responsibility for their own security.
“It is common for users to apply the same passwords to frequently used websites, however, by doing this you are effectively increasing the risk that if any of the websites get hacked then all the others can be accessed. As well as the websites' responsibility to keep their customers' data safe, users must also accept that their behaviour directly affects their own security.
“For a user to share a password for Codemasters with their personal banking provider is naïve to say the least and more people need to wise up these dangers quickly.”
The attack marked a new stage in online attacks after Sony and Nintendo were targeted. I asked David Harley, senior research fellow at ESET if he believed that the notorious LulzSec group were behind the Codemasters attack.
He said: “I suspect not. There are no shrinking violets in that crew and I haven't seen any hint that they've taken ‘credit' for the Codemasters or Epic breaches, it looks to me like someone looking seriously for assets.
“Bragging rights seem to be more Lulzsec's style at the moment, though that could be misdirection. They're doing some pretty effective PR: who knows what they're doing that they aren't talking about? And who knows what sort of customer they may be pitching for?”
Gerhard Eschelbeck, chief technology officer at Webroot, said: “The recent increase in high-profile hacking attacks have highlighted the common vulnerabilities of today's online and internet infrastructure. After such a significant compromise, a complete rebuild of a company's online infrastructure is required.
“The impact to the targeted organisations is substantial considering cost of downtime and lost online revenue, loss of image and even fines and law suits. Managing online security risks in a world where cyber criminals are getting more sophisticated is a tough business and not one where a one size fits all approach can be applied.
“Considering that today's high profile attacks are mostly carried out using an employee's desktop computer as a gateway, user training and education needs to be part of a well defined risk management process. Managing risk and exposure is not a one-time effort, but an ongoing process and one that is significantly lower pain compared to a compromised infrastructure.”