Symantec Uncovers 44 Million Stolen Game Accounts


Anti-virus company Symantec has discovered a server hosting the credentials of 44 million user accounts stolen from at least 18 different online games.

Symantec, best known as the maker of the Norton software line, stumbled on the server while analyzing a user-submitted sample of code. What apparently got the company’s attention wasn’t the sheer size of the database but the creative way in which the stolen accounts were being validated.

“What was interesting about this threat wasn’t just the sheer number of stolen accounts, but that the accounts were being validated by a Trojan distributed to compromised computers. Symantec detects this threat as Trojan.Loginck,” researcher Eoin Ward wrote on Symantec Connect. “By taking advantage of the distributed processing… you can complete the task more quickly and help mitigate the multiple-login failure problems by spreading the task over more IP addresses. This is what Trojan.Loginck’s creators have done.”

“If the Trojan succeeds in its task of logging in, it will update the database with the time it logged in and any user credentials (such as current game level, etc.) before moving to the next user name and password,” he continued. “The attackers can then log on to the database and search for the valid user name and password combinations.”
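For a game operator's login service, the practical consequence of spreading the checks over many IP addresses is that a per-address failed-login limit never trips. The sketch below is an added example, not code from Symantec or from the original article: it runs two detectors over a constructed login log and shows that counting distinct accounts per source address catches what failure counting misses. The addresses, account names, and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

def build_events():
    """Constructed sample log: (src_ip, username, success)."""
    events = []
    # 20 hypothetical checker nodes, each validating 4 different stolen logins;
    # one of the four is stale and fails, so each IP produces a single failure.
    for node in range(20):
        ip = f"198.51.100.{node + 1}"
        for slot in range(4):
            events.append((ip, f"acct{node * 4 + slot:03d}", slot != 0))
    # An ordinary player who mistypes a password three times, then gets in.
    events += [("203.0.113.7", "player_one", ok) for ok in (False, False, False, True)]
    # A household behind one address with two accounts.
    events += [("203.0.113.8", "sibling_a", True), ("203.0.113.8", "sibling_b", True)]
    return events

def ips_over_failure_limit(events, limit=5):
    """Classic lockout view: source IPs with at least `limit` failed logins."""
    failures = defaultdict(int)
    for ip, _user, ok in events:
        if not ok:
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n >= limit}

def ips_over_account_spread(events, max_accounts=2):
    """Spread view: IPs that tried more than `max_accounts` distinct usernames."""
    seen = defaultdict(set)
    for ip, user, _ok in events:
        seen[ip].add(user)  # counted whether the login passed or failed
    return {ip for ip, users in seen.items() if len(users) > max_accounts}

def accounts_to_reset(events, flagged_ips):
    """Accounts that were logged in to successfully from a flagged IP."""
    return {user for ip, user, ok in events if ok and ip in flagged_ips}

if __name__ == "__main__":
    ev = build_events()
    flagged = ips_over_account_spread(ev)
    print("flagged by failure limit:", len(ips_over_failure_limit(ev)))
    print("flagged by account spread:", len(flagged))
    print("accounts needing a forced reset:", len(accounts_to_reset(ev, flagged)))
```

In production the spread threshold has to allow for shared addresses such as carrier NAT and internet cafes, so it is usually evaluated per time window and combined with other signals rather than used alone.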

The database holds approximately 17GB of “flat file data” from at least 18 different games, including roughly 60,000 Aion accounts, 210,000 World of Warcraft accounts, two million NCsoft accounts (shared across multiple games like Lineage 2, Guild Wars and City of Heroes) and 16 million Wayi Entertainment accounts. Determining the value of the data is “extremely difficult,” Ward wrote, because each account may have only a single, first-level character “whose only weapon is a rusty old spoon,” or multiple high-level characters with maxed-out equipment.

“This particular database server we uncovered seems very much to be the heart of the operation – part of a distributed password checker aimed at Chinese gaming websites,” Ward wrote. “The stolen login credentials are not just from particular online games, but also include user login accounts associated with sites that host a variety of online games.”

“If you are in possession of a gaming account from one of the websites listed above,” he added, “an update of your password would not go amiss.”
