Online Game Breach Hits 8 Million: What to Do Now

UPDATED Jan. 7 with news that many of the passwords had been cracked.

Millions of teenagers may be in for a nasty surprise. BlankMediaGames, creator of the massively popular online role-playing game Town of Salem, has suffered a data breach. 

Screenshot: Monica Chin/BlankMediaGames


Cybersecurity firm DeHashed said in a blog posting Tuesday (Jan. 1) that it had received a copy of BlankMediaGames' full database of user information, which the person contacting DeHashed said had been stolen. The breach exposes more than 8 million users and 7.6 million unique email addresses.

The attacker or attackers used a Local File Inclusion/Remote File Inclusion (LFI/RFI) attack, which injects malicious code into a web server running PHP, DeHashed said.

The exposed user information includes usernames, email addresses, passwords, IP addresses, game and forum activity, and payment and billing information for any users who purchased premium content (such as character clothing or game skins).

A BlankMediaGames developer said Wednesday (Jan. 2) on the Town of Salem forums that no credit-card numbers were stolen. But if you have a BlankMediaGames account, change your password now.


"We have found and removed 3 different php files from our webserver that allowed the hacker to have a backdoor into the server," the developer said. "We are in the process of contacting security auditing firms and potentially discussing reinstalling all of our servers from scratch just to be 100% sure."

The developer said that each password was stored in the database as a "salted MD5 hash."

In other words, what was actually stored was the digital representation of each password after it had been run through a one-way algorithm that, in this case, resulted in a unique 128-bit number -- the "hash." To further foil attempts to crack, or reverse, the hash, each password was "salted" with random additional data before the hash was generated.

But that's not all good news. The MD5 hash function is widely considered to be insecure. The original author of the algorithm urged users to abandon it in 2012, following the leaking of more than 6.4 million LinkedIn passwords (which later turned out to be 117 million passwords) that had been hashed in a similar manner.

It's likely that despite the salting, whoever attacked the Town of Salem database has cracked, or will soon crack, many of the exposed passwords. [UPDATE: As of Jan. 7, nearly 28 percent of the password hashes had been cracked, according to Hashes.org.]
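Why salting alone does not save a fast hash, and how a site can move stored records off it, shown as an added example (not BlankMediaGames' code, and going one step beyond the article by including a rehash-on-login migration). The record layout, the salt-then-password order, and PBKDF2-SHA256 at 600,000 iterations as the replacement are assumptions made for illustration.

```python
import hashlib, hmac, os, time

PBKDF2_ITERS = 600_000  # assumed work factor; tune to your own hardware

def md5_record(password: str, salt: bytes) -> str:
    # Legacy scheme as the article describes it: one MD5 pass over salted input.
    # The salt||password order and the "md5$salt$hash" layout are assumptions.
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$%s$%s" % (salt.hex(), digest)

def pbkdf2_record(password: str, salt: bytes, iters: int = PBKDF2_ITERS) -> str:
    # Deliberately slow replacement: every guess costs `iters` HMAC rounds.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return "pbkdf2_sha256$%d$%s$%s" % (iters, salt.hex(), dk.hex())

def verify(password: str, record: str):
    """Return (ok, replacement). replacement is set only when a legacy MD5
    record verified and should be overwritten with a slow-hash record."""
    parts = record.split("$")
    if parts[0] == "md5" and len(parts) == 3:
        expected = md5_record(password, bytes.fromhex(parts[1]))
        if hmac.compare_digest(expected, record):  # constant-time compare
            return True, pbkdf2_record(password, os.urandom(16))
        return False, None
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        expected = pbkdf2_record(password, bytes.fromhex(parts[2]), int(parts[1]))
        return hmac.compare_digest(expected, record), None
    return False, None

def cost_per_guess(fn, rounds: int) -> float:
    # Average seconds for one hash computation, i.e. the price of one guess.
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        fn("constructed-sample-password", salt)
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    # Constructed sample data; no real account values are used.
    legacy = md5_record("constructed-sample-password", os.urandom(16))
    ok, upgraded = verify("constructed-sample-password", legacy)
    print("legacy login ok:", ok, "| record becomes:", upgraded[:24] + "...")
    fast = cost_per_guess(md5_record, 20_000)
    slow = cost_per_guess(pbkdf2_record, 2)
    print("salted MD5 %.2e s/guess, PBKDF2 %.2e s/guess" % (fast, slow))
```

The salt makes identical passwords hash differently and defeats precomputed tables, but the timing output shows that each salted MD5 guess is still nearly free, while the PBKDF2 record makes every guess expensive.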

If you've played Town of Salem, you should change your password immediately. Additionally, make sure to do the same for any other accounts that use the same email and password -- and make sure that you create new passwords for all those accounts.


Monica Chin is a writer at The Verge, covering computers. Previously, she was a staff writer for Tom's Guide, where she wrote about everything from artificial intelligence to social media and the internet of things. She had a particular focus on smart home, reviewing multiple devices. In her downtime, you can usually find her at poetry slams, attempting to exercise, or yelling at people on Twitter.
