The ESEA is an esports community that runs a popular online Counter-Strike league. In late December, its security got breached in a big way. Now the details of that breach are coming to light, with 1.5 million users affected after the ESEA refused to pay a hacker $100,000.

It all began with an announcement from breach notification service LeakedSource on Saturday, January 7. They claimed to have added 1,503,707 ESEA records to their database (via Salted Hash). Today, the ESEA confirmed that 1.5 million users were affected. They’ve also published a timeline of events in which they say a hacker first contacted them “demanding a ransom payment of $100,000 to not release or sell the user data” on December 27. After verifying the hacker’s claims, consulting with legal council, and patching the breach, the ESEA notified their community of a possible leak on December 30.

Advertisement

The ESEA decided not to play ball with the hacker, who continued threatening them from December 31-January 6, but didn’t leak anything. Then the hacker stepped up their efforts. On January 7, they breached a game server directly and quickly made their presence known. “Through information obtained from our game server infrastructure database, the threat actor was able to gain access to a game server,” the ESEA said. “With that game server’s restrictive access, the threat actor was able to edit karma (community feedback system) of users, but not able to view, access or modify any personal information.”

On January 8, the hacker, still not $100,000 richer, finally went through with the leak. It’s pretty gnarly. “We are still investigating but believe that a large portion of the ESEA community members’ information including usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers could all have been exposed,” the ESEA explained in an FAQ published today. It sounds like city/state/province info was also leaked for some people. It’s important to note that passwords are safe, but other data could be used for socially-driven attacks like phishing.

On the upside, the ESEA added that they have “worked to identify the source of the vulnerability and have taken the appropriate measures to patch it.” They also noted that they’re working with technical and legal experts, as well as the FBI, to track down the hacker and ensure that their systems are secure.

Advertisement

If you’ve used ESEA services with Counter-Strike or any other games, you ought to change your passwords on other sites as soon as possible and be on the lookout for suspicious requests for personal information. This is, to put it lightly, A Big Fucking Mess. While it sounds like the ESEA is doing what it can to ensure this doesn’t happen again, you’d be wise to keep a wide and wary eye on it for a long, long time.

You’re reading Steamed, Kotaku’s page dedicated to all things in and around Valve’s wildly popular PC gaming service. Games, culture, community creations, criticism, guides, videos—everything. If you’ve found anything cool/awful on Steam, send us a message to let us know.