Town of Salem Data Breach

Online gaming company BlankMediaGames (BMG) suffered a major data breach in January of 2019 when a small hacker group copied their database and stole credentials for 7.6 million users of the game called Town of Salem exe.

An anonymous email was sent to the security research firm called “DeHashed” in which the sender revealed the data breach and confirmed it with a copy of the entire player database totaling 7,633,234 users.

The data breach exposed players’ names, email addresses, usernames, IP addresses, passwords, game and forum activities, credentials for WordPress, and the database from which it was stolen. Although players can pay for premium services, BMG does not handle payment details; those are sent through to their payment processor who was not hacked, so no payment details were exposed in this data breach.

The passwords stolen were hashed, but hackers were able to decrypt them easily. In a Reddit forum post, one user claiming to the part of the group who breached the game said that hacking the database “was a lot simpler than everyone thinks it is.” The cybercriminal explains that it was an easy job to decrypt the passwords due to storing files in the notoriously insecure phpBB.

He or she goes on to boast,

“These credentials have been excellent for trying against many games, and we’ve made tens of thousands from checking these combos and selling copies of the database. The disclosure was too late, we’ve already made swift use of the credentials. We don’t care about your Town of Salem accounts; those are of no value whatsoever to us, we care about other sites.”

Basically, the author goes on to describe the entire affair and blames the company for reusing passwords, which made it easy for them to access the database of users. They also make some suggestions on how to improve their security and even mention an alternate platform BMG should use.

A year after this breach, independent researchers ran a script to test how many of the leaked accounts were still using the same passwords, and shockingly more than 961,000 accounts were still using the old, breached passwords. The game owners never reset the accounts or forced a change until they were notified of this research and fixed it in October 2020. Other than a vague blog post, BMG never officially notified users of the breach of their accounts.

When Was the Town of Salem Data Breach?

Initially, the data breach of the Town of Salem game was assumed to have occurred on January 1, 2019. On January 16, 2019, the anonymous hacker posted a very long detailed account on Reddit of the process, why they did it, and how. They even provided explicit details with samples of the stolen data that moderators removed for privacy reasons. He also corrected the timing and said the hack actually took place on December 13, 2018. He also mentions three other accomplices making them a four-person hacking group.

How to Check if Your Data Was Breached

Although BlankMediaGames did not notify users of the breach except in a short blog post on their forum, they finally reset all passwords in October 2020 and forced all users who had not yet reset them to change their password immediately. You can use third-party resources to check to see if your Town of Salem credentials shows up on the dark web. Since more than 7.6 million were stolen, chances are you were included in the mix.

What to Do If Your Data Was Breached

If your account was among the many breached, immediately change your password if, for some reason, the game hasn’t forced you to already. If you reused that password anywhere else on any other web service, change it immediately. The hacker who posted on Reddit mentioned that this breach would never have happened if people didn’t reuse the same passwords and that their goal was to reuse these credentials on other websites for financial gain. 

Are There any Lawsuits Because of the Data Breach?

No lawsuits or legal issues have been posted yet regarding this data breach.

Can My Town of Salem Hack Information Be Used for Identity Theft?

Yes. All hackers need is your name, email address, and one password on any account you use to wage a war of identity theft on you. With so many data breaches occurring all the time, the dark web is a treasure trove of information, and they can link a few bits of information about you to an entire profile. Once they have some information, they could potentially access your other accounts (even bank and credit card accounts), send you phishing emails, or perpetrate fraud by sending you spam calls. You can never be too careful, and even a tiny bit of information can lead to identity theft or worse.

What Can You Do to Protect Yourself Online?

You can’t play online games without having an account, so how do you keep your stuff safe?

The first rule of thumb that we learned from this singular breach is never to reuse passwords. Some other tips are:

• Change your password on all accounts often and create really long, strong passwords using a combination of letters, symbols, and numbers. Vary the case with letters also to make them even harder to decrypt. 
• Always sign up for 2-factor authentication when available. This helps to keep your account safe and prevents hackers from gaining access without your mobile device.
• Never click a link in an email.
• Install good antivirus/anti-malware software on all your devices and run deep scans often. This is especially important for gamers.
• Only use one dedicated credit card for online purchases to minimize your risk.
• Keep a close eye on your credit reports, bank statements, and credit card charges.
• Keep an eye out for suspicious emails and phone calls. If you did not initiate the action, hang up, or delete the email. Most fraud and scams are perpetrated through email and phone calls. 

Always use common sense and never share your credentials with anyone or give out personal information unless you initiated the contact.