2.2 million crypto and gaming passwords have been leaked, according to a report by a security researcher. The site “Have I Been Pwned” has publicly announced that 2.2 million crypto and gaming passwords have been leaked online. If your name is on the list, we recommend changing your password immediately.
On Nov. 19, Ars Technica reported that security researcher Troy Hunt confirmed that the compromised data belonged to accounts of the cryptocurrency wallet GateHub and the RuneScape bot provider EpicBot.
Password data and other personal information belonging to as many as 2.2 million users of two websites—one a cryptocurrency wallet service and the other a gaming bot provider—have been posted online, according to Troy Hunt, the security researcher behind the Have I Been Pwned breach notification service.
One haul includes personal information for as many as 1.4 million accounts from the GateHub cryptocurrency wallet service. The other contains data for about 800,000 accounts on RuneScape bot provider EpicBot. The databases include registered email addresses and passwords that were cryptographically hashed with bcrypt, a function that’s among the hardest to crack.
The person posting the 3.72GB GateHub database said it also includes two-factor authentication keys, mnemonic phrases, and wallet hashes, although GateHub officials said an investigation suggested wallet hashes were not accessed. The EpicBot database, meanwhile, purportedly included usernames and IP addresses. Hunt said he selected a representative sample of accounts from both databases to verify the authenticity of the data. All of the email addresses he checked were registered to accounts of the two sites.
The GateHub account data, which was posted to a widely visited hacker site in late August, came three months after the cryptocurrency service reported that it had been hacked. The attackers, GateHub said, had stolen—or at least tried to steal—a wealth of sensitive information for more than 18,000 user accounts. The wording of the post left unclear exactly what data beyond access tokens was successfully obtained.
GateHub officials wrote:
As previously suggested in our investigation update, we believe the perpetrator gained unauthorized access to a database holding valid access tokens of our customers. Using these tokens the perpetrator accessed 18,473 encrypted customer accounts, a very small fraction of our total user base. On affected accounts, the following data was being targeted: email addresses, hashed passwords, hashed recovery keys, encrypted XRP ledger wallets secret keys (non-deleted wallets only), first names (if provided), last names (if provided).
GateHub’s disclosure went on to say that site officials notified users whose accounts were accessed and generated new encryption keys and re-encrypted sensitive information, such as ledger wallet secret keys.
The posting of the database means the breach that the wallet service disclosed in July was much bigger than previously thought. Rather than obtaining only access tokens, the attackers also took 2FA keys, email addresses, password hashes, mnemonic phrases, and possibly wallet hashes. What’s more, the breach affected as many as 1.4 million GateHub users, not just the 18,473 mentioned in the disclosure. In an email, an unnamed member of the GateHub security team wrote:
We are aware of a database posted on RaidForums whose author claims that it belongs to GateHub. The alleged GateHub database is being thoroughly examined by our team, therefore, we are unable to confirm its authenticity at this time. We will make sure to keep you posted of any updates.
From what we have gathered so far, it does not contain wallet hashes. As mentioned before, we are still verifying its authenticity.
One of our initial responses to the cyber attack was to introduce re-encryption to all GateHub accounts. With the new re-encryption, all GateHub accounts were re-encrypted and all of our customers had to change their passwords. This was introduced in July 2019.
GateHub is a Bitcoin, Ripple, Ethereum, Ethereum Classic and Augur wallet. It allows users to store, send and exchange these cryptocurrencies in a built-in exchange. All private keys and passwords are hashed and encrypted using industry-standard algorithms; even GateHub cannot access them.