33M accounts hacked in Evony data breach

Leaked Source, a data breach database website, has listed publicly available data for users involved in the breach of the Evony gaming company's website, which took place in June this year and again in August.

While the first hack resulted in the theft of data for more than 33 million registered user accounts, or 33, 40, 472 users to be precise, a similar breach in August on the site's forums resulted in the compromise of 938,000 more accounts. The data stolen on this occasion included usernames, passwords, e-mail addresses and IP addresses.

Evony is the company that developed the popular game Evony: Age II, which is played by more than 18 million gamers in over 167 countries.

Leaked Source also claims to have cracked the majority of the passwords involved, stating they were stored using unsalted MD5 and SHA1 hashing (relatively weak for password storage), which makes them more vulnerable to conventional password cracking software.
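As an added illustration (not code from Leaked Source or Evony), the Python sketch below shows why unsalted digests are weak for password storage: accounts that share a password share a stored value, so the most common passwords stand out in a leaked table, while a per-user salt with a slow key-derivation function removes that signal. The sample accounts, function names and the choice of scrypt with these parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts for the example (not data from the breach).
SAMPLE_USERS = [
    ("alice", "123456"),
    ("bob", "123456"),
    ("carol", "password"),
    ("dave", "123456"),
]

def unsalted_md5(password):
    """Weak scheme described in the article: one fast, unsalted digest."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_scrypt(password, salt=None):
    """Hardened storage: random per-user salt plus a memory-hard KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt, digest

def verify_scrypt(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_scrypt(password, salt)[1], expected)

def largest_shared_group(stored_values):
    """Size of the biggest group of accounts with identical stored values."""
    return Counter(stored_values).most_common(1)[0][1]

def compare_schemes(users=SAMPLE_USERS):
    """Return (largest group under unsalted MD5, largest group under scrypt)."""
    weak = [unsalted_md5(pw) for _, pw in users]
    strong = [salted_scrypt(pw) for _, pw in users]
    return largest_shared_group(weak), largest_shared_group(strong)

if __name__ == "__main__":
    weak_group, strong_group = compare_schemes()
    print("unsalted MD5: largest group of identical digests =", weak_group)
    print("salted scrypt: largest group of identical records =", strong_group)
```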

Evony also allows users to sign in using Facebook Connect, which means that stolen data could also contain Facebook login credentials; however, the short-term access codes used by the single sign-on application mean that the company would never have access to the specific login details in question.

The top passwords and e-mail domains used by users of the website are listed below:

Rank  Password    Frequency  Email domain     Frequency
1     123456      714,466    @yahoo.com       7,464,078
2     fuk19600    208,121    @hotmail.com     6,493,345
3     123456789   163,318    @gmail.com       3,593,315
4     mynoob      119,365    NONE             3,453,701
5     password    96,151     @aol.com         1,005,343
6     111111      82,593     @hotmail.co.uk   667,075
7     google      74,051     @live.com        630,399
8     evildick    70,546     @msn.com         330,372
9     qwerty      55,872     @ymail.com       253,433
10    1234567     52,902     @yahoo.co.uk     259,153

The list seems to highlight that a lack of data security awareness is still rife among online players.

Until now, no official security notice regarding the breach has been sent out by the gaming company to affected users. While the forum contains a post on a potential breach, it does not indicate the data loss.
