h-Online: A file containing 11 million password hashes belonging to users of the online games platform Gamigo has been circulated on the internet. According to an analysis by ZDNet, the 478MB file also contains 8.2 million distinct email addresses. Around 3 million of these belong to users in the US, 2.4 million are German addresses and 1.3 million are said to be French. The list also includes corporate email addresses from companies such as IBM, Siemens, Deutsche Bank and the German insurer Allianz.
The file appeared in the same forum in which millions of password hashes from LinkedIn, Last.fm, eHarmony and other web sites had previously been circulated. One user of the forum claims to have cracked 94 per cent of the MD5 hashes in a trivial amount of time. Cracking that share of 11 million hashes this quickly strongly suggests that the hashes were not salted: without a per-user salt, every candidate password needs to be hashed only once and can then be compared against all the hashes at the same time, and precomputed lookup tables for common passwords apply directly. A hacker who goes by the pseudonym 8in4ry_Munch3r is believed to be behind the attack.
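The following added example (not code from the article, Gamigo or the forum post) illustrates why unsalted hashes fall so quickly. It builds two small constructed password dumps, one of plain MD5 hashes and one with a random per-user salt, and cracks both with the same constructed wordlist; the unsalted dump costs one MD5 per wordlist entry regardless of how many users there are, while the salted dump costs one MD5 per user per candidate and cannot be attacked with a shared lookup table. The wordlist, the user passwords and the helper names are assumptions made for the demonstration.

```python
import hashlib
import os

# Constructed wordlist standing in for a cracking dictionary (not real leak data).
WORDLIST = ["password", "123456", "qwerty", "letmein", "gamigo2012", "dragon"]


def md5_hex(data: bytes) -> str:
    """Hex MD5 digest; MD5 is used only because that is what the leaked dump used."""
    return hashlib.md5(data).hexdigest()


def make_unsalted_dump(passwords):
    """Constructed dump in the weak form: one bare MD5 of the password per user."""
    return [md5_hex(p.encode()) for p in passwords]


def make_salted_dump(passwords, salt_len=8):
    """Constructed dump with a random per-user salt: records are (salt, MD5(salt || password))."""
    dump = []
    for p in passwords:
        salt = os.urandom(salt_len)
        dump.append((salt, md5_hex(salt + p.encode())))
    return dump


def crack_unsalted(dump, wordlist):
    """Hash each candidate once, then look every leaked hash up in that table.

    Returns (cracked mapping hash -> password, number of MD5 computations).
    The cost is len(wordlist), independent of the number of users, and the
    table could have been precomputed before the leak was ever obtained.
    """
    table = {md5_hex(w.encode()): w for w in wordlist}
    cracked = {h: table[h] for h in dump if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist):
    """With a per-user salt every (user, candidate) pair must be hashed separately.

    Returns (cracked mapping hash -> password, number of MD5 computations).
    Work grows as len(users) * len(wordlist), and no table can be shared
    between users or prepared in advance.
    """
    cracked = {}
    work = 0
    for salt, h in dump:
        for w in wordlist:
            work += 1
            if md5_hex(salt + w.encode()) == h:
                cracked[h] = w
                break
    return cracked, work


def compare(passwords, wordlist=WORDLIST):
    """Crack both dump forms for the same users and report hits and hash count."""
    unsalted_hits, unsalted_work = crack_unsalted(make_unsalted_dump(passwords), wordlist)
    salted_hits, salted_work = crack_salted(make_salted_dump(passwords), wordlist)
    return {
        "unsalted": (len(unsalted_hits), unsalted_work),
        "salted": (len(salted_hits), salted_work),
    }


if __name__ == "__main__":
    # Constructed user passwords; three are in the wordlist, one is not.
    users = ["password", "123456", "letmein", "correct horse battery staple"]
    for form, (hits, work) in compare(users).items():
        print(f"{form:8s}: {hits} of {len(users)} cracked with {work} MD5 computations")
```

Salting only removes the shared-table shortcut; it does not slow down the per-guess cost, and MD5 is fast enough that a salted MD5 dump is still attacked by brute force one user at a time. A slow, memory-hard password hash such as bcrypt, scrypt or Argon2 is what makes each guess expensive.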
Gamigo, which is a subsidiary of the German Axel Springer publishing group, has confirmed to The H’s associates at heise Security that the data contained in the file is authentic. The company has stated that it noticed a “security-related incident” in March 2012 in which an older version of a database was copied off its servers. Gamigo says it immediately contacted the affected members and reset the passwords on their accounts. The company also says it took the affected database offline and initiated “a comprehensive security audit”. Now that the data has surfaced publicly, the company says it will re-examine the incident.
Users who are registered with Gamigo and have used the same password at other web sites should change those passwords immediately. In general, reusing one password across several online services is a bad idea, because a break-in at a single web site then puts many of the user’s accounts at risk at once.