Gamers tend to be quite technically adept, with many hackers starting out seeking cheats for the online games they play. But in some cases gamers become a potential vulnerability, if their gaming activities lead to your most technical staff getting hacked at home. Or are they more alert to the issue than most and, as a result, do they avoid the pitfalls of password re-use?
In the wake of today's news that 2.5 million PlayStation and Xbox users globally have had their personal details leaked in what the Daily Mail newspaper describes as a major hack, companies may need to ask their IT staff: are you a gamer? The actual hack of the forums 'XBOX360 ISO' and 'PSP ISO' is reported to have taken place in September 2015, but the gamers' email addresses, account passwords and IP addresses are only now being leaked – presumably after the original thieves have exhausted their use of them. The Xbox 360 forum XBOX360 ISO accounted for 1.2 million of the accounts exposed.
Gaming forums have again become a favoured target in recent months, notes Javvad Malik, IT security advocate at AlienVault, who points out, “Typically they have weaker security, so it is easier for attackers to gain access to the passwords. Attackers rely on the fact that most users will reuse the forum password on other sites.
“While user education into the dangers of choosing easily-guessed, or re-using passwords should continue, companies need to evaluate all their digital assets equally from a security perspective. There is no such thing as a ‘low priority’ public site wherever a user account resides.
“Secondly, these attacks highlight the importance of effective security monitoring controls that can help detect threats underway in a timely manner. In this day and age, discovering a breach over a year after the attack is an eternity.”
Jonathan Sander, VP of Product Strategy at Lieberman Software adds, in comments emailed to SC, “Xbox and PSP users are going to be a pretty tech savvy bunch with accounts for many different services. As breach after breach has shown that using the same username and password for multiple sites is a bad idea, you would have to imagine this group would have gotten that message by now. When you see a dump of passwords hit a much less techie site, you can be sure that huge numbers of the victims are going to have to go around changing their credentials on the many sites where they foolishly used the same details over and over. If the Xbox and PSP crew haven't learned that they can't use the same email and password on every service by now, then likely it is game over for their personal data.”
Mark James, IT Security Specialist at ESET concurs, warning, “Hacks like these are quite common where data has been stolen and the victims are only finding out months or even years later. Scams and phishing attacks will try and use the valuable data to entice even more information from the unsuspecting user; that info is tested, stored and often will be used for identity theft purposes. Quite often people using seemingly low security websites don't enforce good password security because it's not a financial target, but all data has a value and will be reused for other purposes. Every website should be treated as unique and require different passwords with a mix of usernames if possible.”
Links to free downloads of games are provided by the ISO forums for Xbox and PlayStation consoles, though in some cases this may be copyrighted material which would be illegal to download without a licence.
Robert Capps, VP of business development at NuData Security, adds that consumers need to be wary of who they provide their information to online, commenting, “While this site is mostly used to distribute pirated copies of games, DVDs and BluRays, consumers who use the forums need to make sure that they are vigilant. Keep alert to any phishing scams that may appear in email as a result of this hack, changing passwords on any site where the passwords or usernames used on these sites are used. This data is likely to be sold on the Dark Web and used for future cyber-crime. It's a good reminder to choose unique passwords on all sites that require registration.”