Media-registered attendees that made their way to Los Angeles to cover E3 in June just had their personal information leaked online for all to see by the Entertainment Software Association (ESA).
Thanks to a massive slip-up from the ESA, a sensitive document was published on the E3 website containing home addresses, phone numbers, email addresses, and names of 2,025 E3 attendees. This included those from YouTube content creators to even some of our own staff here on Escapist.
Escapist was first made aware of the breach yesterday evening by a person unrelated to the ESA, who used personal phone numbers from the list to reach out to those affected in an attempt to warn of potential privacy threats.
The post on the E3 website has since been removed but was available for anyone to take advantage of for an undisclosed amount of time.
YouTuber and writer Sophia Narwitz brought the news of an information breach to the public eye via video. Before publishing the video, Narwitz says she reached out to the ESA through a number of means and even attempted to contact some journalists to make them aware of the privacy breach. After she saw the page containing the leaked information had been removed, Narwitz went public with the video so that the public could “hold [the ESA’s] feet to the flames.”
However, as Kotaku reports, the private information was still available to those who looked at the page’s Google cache version that held past data.
The ESA has yet to make any formal statements on their official channels outside of a blanket message to the press, and an email (seen below) that contained no additional information that went out to those affected at approximately noon EST today, more than 12 hours since the news broke last night.
The email itself is even a bit dubious, as they explain the situation as a “website vulnerability,” but the document itself was publicly available on the website for anyone to merely click on and download.
Registered E3 Journalist –
The Entertainment Software Association (ESA) was made aware yesterday of a website vulnerability on the exhibitor portal section of the E3 website. Unfortunately, a vulnerability was exploited and that list became public. We regret this happened and are sorry.
We provide ESA members and exhibitors a media list on a password-protected exhibitor site so they can invite you to E3 press events, connect with you for interviews, and let you know what they are showcasing. For more than 20 years there has never been an issue. When we found out, we took down the E3 exhibitor portal and ensured the media list was no longer available on the E3 website.
Again, we apologize for the inconvenience and have already taken steps to ensure this will not happen again.
Thank you –
Entertainment Software Association
If you were affected, Steve Bowling from GameExplain has an excellent thread of information on how to protect yourself. We will update this story once the ESA provides a more detailed statement on the events that have occurred.
Hey! If, like me, you were doxxed by @theESA, here are some things you should do immediately:
1. Change your phone number. Let your carrier know what happened and they'll do it for free.
2. Set up multi-factor authentication on ALL your email accounts. (1/??)
— Steve Bowling (@SteveMBowling) August 3, 2019