Over the holiday, the popular browser-based game Town of Salem had a data breach that exposed the hashed passwords for approximately 7.6 million unique accounts. At the time of this writing, over 27% of the passwords have already been cracked.
On December 28th, 2018, the leaked-information lookup site DeHashed received an email containing a copy of the game’s database and proof that a server for BlankMediaGames’ Town of Salem game had been hacked.
According to DeHashed, this database contained account information for over 8,388,894 users with 7,633,234 unique email addresses.
“Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment,” stated DeHashed’s blog post. “With some of the users who paid for certain premium features having their billing information/data breached as well.”
After BlankMediaGames was notified, the game publisher announced the breach in their forums on January 2nd, but stated that the payment information only included contact information and did not include credit card numbers.
A later forum post stated that they “found and removed 3 different php files from our web server that allowed the hacker to have a backdoor into the server.”
Hashes.org, a community-driven password recovery site that cracks leaked passwords, has been able to crack approximately 27%, or 2,108,552, of the hashed passwords from the Town of Salem leak. While Hashes.org does allow users to download the cracked password lists, these lists do not include identifying information from the leaked database such as email addresses or user names.
If you are a Town of Salem user, it is strongly advised that you change your password at any site that uses the same password. It is also recommended that you utilize a password management service/software in order to use unique passwords at every site.