Four months after the site was compromised, a huge number of Gamigo user names and encrypted passwords have found their way to the web.
Gamigo is a German online game company that tends to hang out in the more casual side of town, so you’d be forgiven for not noticing, or not remembering, the March intrusion into its user database. But it was a big one, and four months down the road more than 8.2 million unique email addresses and 11 million encrypted passwords taken in the attack have turned up on hacking site Inside Pro.
“It’s the largest leak I’ve ever actually seen,” PwnedList founder Steve Thomas told Forbes. “When this breach originally happened, the data wasn’t released, so it wasn’t a big concern. Now eight million email addresses and passwords have been online, live data for any hacker to see.”
The archive has since been removed (although not before Thomas had a chance to download it himself and check it out) and the good news is that the passwords were hashed. The bad news is that the encryption likely won’t hold up forever; less than a half-hour after it went up, another Inside Pro forum user posted a message implying that he had already decrypted 94 percent of the passwords. It’s impossible to verify the accuracy of the statement but it’s a virtual certainty that somebody, somewhere is hard at work on breaking the encryption.
There’s also no official confirmation yet that this file does in fact contain the information taken during the Gamigo intrusion, although Thomas said that roughly 5000 of the email addresses contain the world “gamigo,” suggesting that they were created specifically for registering with the site. Gamigo itself said that the file appears to contain “no new data” but added, “The republication of the stolen data serves as a strong reminder of the need for vigilance and ongoing critical review of our procedures and policies.”
It’s not necessarily a big deal for Gamigo users, since the site issued a notification of the attack and reset all passwords immediately following the breach. The real security risk lies among those who reuse passwords for multiple sites or services. Because of that, people who have used their Gamigo passwords for other sites are strongly urged to change them as soon as possible.