Industry News

Albion Online gamers told to change passwords following forum hack

Albion Online gamers told to change passwords following forum hack
  • Hacker exploited forum vulnerability, and offered stolen database for sale
  • Players advised to change their passwords

Sandbox Interactive, the developers of the free medieval fantasy video game Albion Online, have warned players that a hacker managed to break into its systems and gain access to its user database.

In a post on the Albion Online forum, players were advised that a hacker was able to exploit a vulnerability to gain access to the forum’s user database.

Exposed data included players’ email addresses, as well as passwords that had been salted and hashed with bcrypt.

At the very least this means that the hacker now has in their hands a list of Albion Online users’ email addresses – information which could be exploited in phishing and social engineering attacks in an attempt to trick players into handing over more information.

However, if some players chose weak passwords for their Albion Online forum account (which, lets face it, is hardly unlikely) then they might still be singled-out by a determined hacker.

If a hacker was able to correctly determine a user’s forum password it can also be used to play the Albion Online game itself. But more worryingly, it might be put to malicious use if the player has made the mistake of reusing the same password elsewhere on the internet.

The confirmation by Sandbox Interactive of a security breach came at approximately the same time that it was reported a hacker was offering the Albion Online database for sale on a hacking forum.

Sandbox Interactive is recommending that affected users can update their password via the Albion Online website. My advice would be for affected Albion Online players to do so, but also to ensure that they choose a strong, complex password and that they are not reusing passwords anywhere else on the internet.

That’s good advice whether there has been a security breach or not. All passwords should be hard-to-crack, hard-to-guess, and unique.

The use a good password manager can help ensure that passwords are being chosen sensibly rather than dreamt up by the human brain, and that unique, sensible and secure choices are made.

Albion Online says that it is contacting affected users via email. Of course, a malicious hacker might be contacting affected users at the same time – using the stolen email address list – so please be on your guard.

According to Sandbox Interactive, the vulnerability used by the hacker to access the sensitive data from the Albion Online forum has been patched, and a full security review is under way.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.