Town of Salem Breach Affected 7.6 Million Gamers: Here’s What Happened

Town of Salem is a browser-based multiplayer game developed by BlankMediaGames (BMG). Described as “a game of murder, deception, lying and mob hysteria,” the game is an online version of classic social deduction games like Mafia and Werewolf.

Find out what happened during the Town of Salem breach that occurred in 2018.

What is Town of Salem?

Town of Salem is a video game that is played by over 8 million gamers. The game involves 7-15 players randomly divided into groups or alignments – Town, Mafia, Serial Killers, Arsonists, and Neutrals.

The mafia, serial killers, and arsonists are all evil roles, while the town alignment is the only good role. All alignments have their specific roles and win conditions.

For instance, the job of members of the mafia is to kill everyone that does not submit to them. The town group has to lynch members of the mafia as well as other villains. Arsonists must kill everyone in the game except a select few by dousing houses and setting them on fire in the night.

The Town of Salem Data Breach

On December 28, 2018, cybersecurity firm DeHashed received an anonymous email that disclosed the breach. Evidence of a break-in into the server and the player database were included in the email.

According to DeHashed, the database in the email had a total row count of 8,388,894 including about 7,633,234 unique email addresses. The data leaked included usernames, emails, passwords, IP addresses as well as game and forum activity. The firm also claimed that the billing and credit card information of those who paid for certain features was also leaked. However, BlankMediaGames disputed this claim.

Five days later, on January 2, 2019, BlankMediaGames confirmed the breach via an announcement on the official Town of Salem game forum. A spokesperson with the username ‘Achilles’ stated that the breach had indeed occurred but the only important compromised data were usernames, passwords, IP, and email addresses.

The claim that the billing information of some users was also released was denied. Achilles stated that all payments were handled by third-party payment processors and BMG does not even see any credit card information at all.

How the Breach Happened

Players of Town of Salem have access to a WordPress site, which was the point of attack for the hackers. The administrator of the site had reused passwords on multiple sites, making it easy for the hacker to gain access to the account. While the admin quickly detected the hack and changed the password, the damage had already been done.

The hacker had already put in a ‘backdoor’ that allowed reentry without any authentication request. From there, the hacker uploaded a file that resulted in an RFI (Remote File Inclusion). This file enabled them to download the entire database of the server and get the information they needed.

The fault for the hack lies with the developers of the game and the administrator of the WordPress site. The developers made use of scripting software (phpBB) that let anyone with the correct username and password extract the user database. A common piece of misinformation in the media is that the passwords were hashed with a mixture of MD5 and PHPass. This is false: the hashing was entirely PHPass. A plain MD5 hash is easy to crack, while a PHPass hash is harder to crack.
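The difference between a bare MD5 digest and a PHPass hash, as an added example that is not from the original article or from BMG's code: the portable PHPass format (`$H$` in phpBB, `$P$` in WordPress) is a salted MD5 re-hashed 2^cost times, so each guess costs far more than one unsalted MD5. The function names and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def encode64(data: bytes) -> str:
    """phpass's own base64 variant: each 3-byte group, little-endian, to 4 chars."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        out += [ITOA64[(value >> s) & 0x3F] for s in range(0, 6 * len(chunk) + 6, 6)]
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Portable phpass: MD5(salt + password), then re-hashed 2**cost times."""
    if not re.match(r"\$[HP]\$[./0-9A-Za-z]{9}", setting):
        raise ValueError("not a phpass portable hash")
    cost = ITOA64.index(setting[3])
    if not 7 <= cost <= 30:
        raise ValueError("iteration exponent out of range")
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(1 << cost):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)

def new_phpass(password: str, cost: int = 13, prefix: str = "$H$") -> str:
    """Hash with a fresh random 8-character salt."""
    return phpass_hash(password, prefix + ITOA64[cost] + encode64(os.urandom(6)))

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    return hmac.compare_digest(phpass_hash(password, stored).encode(), stored.encode())

def classify(stored: str):
    """Return (scheme, iterations) for one stored credential string."""
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return ("bare-md5", 1)
    if re.fullmatch(r"\$[HP]\$[./0-9A-Za-z]{31}", stored):
        return ("phpass", 1 << ITOA64.index(stored[3]))
    return ("unknown", 0)

if __name__ == "__main__":
    # Constructed sample rows, not data from the breach.
    for row in (hashlib.md5(b"hunter2").hexdigest(), new_phpass("hunter2")):
        print(classify(row), row)
```

Running `classify` over a credential table export shows which rows still hold bare MD5 digests and should be rehashed at the user's next login.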

The Aftermath

After Town of Salem confirmed the breach, a lot of users complained about how the situation was handled.

Firstly, it took them three weeks to acknowledge that they had been hacked. After the breach occurred, it seemed like there was going to be no foul play. So, the company didn’t say anything about it.

Secondly, DeHashed sent emails to BMG about the hack over the Christmas and New Year holidays but did not get any response from the team. BMG claimed that the emails DeHashed sent were all redirected to the spam folder, so they never received them.

At first, the leaked data were only available for sale on dark web forums at the cost of $500 per file. After a while, it became available on Google to anyone that searched for it. Although credit card information and other sensitive data were not leaked, the leaked information is phishing material.

To prevent scams or blackmail, BMG sent mass emails to their users asking them to change their passwords.

The Fallout

Although the breach was quite an unfortunate incident, it assisted the police in making an important arrest.

20-year-old Timothy Dalton Vaughn was sending fake bomb threats to thousands of schools while trying to frame gamers as the culprits. The police went through the leaked data and found on the list the same username he used to chat with a friend about the threats on Twitter.

The leaked data showed that in 2018, someone had registered the username ‘hdgzero’, which was the username Vaughn used on Twitter. The username was registered with an email address and IP address, and the police were able to trace the culprit of the act.

Lessons Learnt

The hackers of the Town of Salem were never caught. This incident shows that companies, no matter the size, must not take cybersecurity lightly.

Making use of safe scripting software is a step in the right direction. Also, admins should not be negligent when handling their passwords.

The data leak issue also raised important ethical questions. For example, in the case of a data breach where there is no immediate leak of the stolen data, should the users be made aware that the servers have been breached? Also, how soon should the public be made aware of such a breach? Should it be immediately or after a complete analysis?
