Personal details belonging to approximatively 2.2 million user accounts from GateHub and EpicBot were leaked online, according to Troy Hunt, creator of the Have I Been Pwned? Data breach search website.
The websites of GateHub, a cryptocurrency wallet service, and EpicBot, a RuneScape bot service, were compromised sometime this year. It’s difficult to say when the incidents happened precisely, but there’s a bit of good news as well. Both websites were using bcrypt, a password hashing function that can prevent bad actors from reading the actual data, or at least delay them for a very long time.
According to an Ars Technica report, the hackers took wallet hashes, mnemonic phrases, and two-factor authentication keys for 1.4 million accounts from the cryptocurrency wallet GateHub. The EpicBot hack was a little bit smaller, with 800,000 accounts leaked, including usernames, IP addresses, and encrypted passwords.
Of the two services, only GateHub admitted to being hacked, but when they initially announced it back in August, they only mentioned around 18,000 being compromised.
“On affected accounts, the following data was being targeted: email addresses hashed passwords, hashed recovery keys, encrypted XRP ledger wallets secret keys (non-deleted wallets only), first names (if provided), last names (if provided),” GateHub said a few months ago.
While it’s good that the services encrypted some of the data, even leaking user names is a problem. Many people have the same user names and passwords for multiple online accounts, and other websites might not take care to encrypt their data. Matching user names from multiple leaks is not difficult.
GateHub sent notices telling users to change their passwords when the breach was announced, but if you didn’t change your password then, you should do it now. More importantly, users should consider changing their mnemonic phrases.
For EpicBot, things are a little bit more complicated since the people running the bot service have yet to acknowledge any intrusion, which means that they haven’t notified their users. So, if you have an EpicBot account, you need to change your password now.