The eSports Entertainment Association (ESEA) confirmed today that an unidentified malefactor breached ESEA servers last year, then published a trove of ESEA user data online this month after their attempts to ransom the data were rebuffed.
This is significant because of the size of the breach: ESEA is one of the largest Counter-Strike communities in the world, and a representative of ESL (Electronic Sports League, the parent company of ESEA since 2015) told CSO today that roughly 1.5 million accounts had been exposed by the aforementioned data leak.
(It's also something you should know about if you happen to have ever created an ESEA account!)
Devs who oversee their own vaults of player data may be curious to read ESEA's timeline of how the whole thing played out: it all started when a "threat actor" reportedly contacted the company in late December asking for a bounty of $100,000, or else they would publish a parcel of info that encompassed both player data and ESEA tech data.
The company says it responded by working to improve its security systems and alerted both its users and the authorities, but chose not to pay the bounty because "We do not give into extortion and ransom demands." After a series of escalating demands, the bounty-hungry hacker(s) went public.
ESEA claims it does not store payment info on its servers and thus credit card data could not be compromised, but "usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers" may have been leaked. However, it claims all passwords were hashed with bcrypt.