A data breach database website, Leaked Source has listed publicly available data for users involved in the website breach of Evony Gaming Company which took place in June this year and again in August.
While the first hack resulted in the theft of data for more than 33 Million registered user accounts or 33, 40, 472 users to be precise, the similar breach in August on the site’s forums resulted in compromise of 938,000 more accounts. The data stolen on this occasion included usernames, passwords, e-mail addresses and I.P addresses.
Evony is the company that developed the popular game Evony: Age II that is played by more of 18 Million gamers in over 167 countries.
Leaked Source also claims to have cracked the majority of the passwords involved, stating they were stored using unsalted MD5 and SHA1 hashing (a relatively weak encryption) which are more vulnerable to conventional password cracking software.
Evony also allows users to sign using Facebook connect which mean that stolen data could also contain Facebook login credentials, however short term access codes used by the single sign-on application mean that the Company would never have access to the specific login details in question.
The top most passwords and e-mail domains used by users in the website are stated below:
Rank Password Frequency Email domain Frequency
1 123456 714, 466 @yahoo.com 7, 464, 078
2 fuk19600 208, 121 @hotmail.com 6, 493, 345
3 123456789 163, 318 @gmail.com 3, 593, 315
4 mynoob 119, 365 NONE 3, 453, 701
5 password 96, 151 @aol.com 1, 005, 343
6 111111 82, 593 @hotmail.co.uk 667, 075
7 google 74, 051 @live.com 630, 399
8 evildick 70, 546 @msn.com 330, 372
9 qwerty 55, 872 @ymail.com 253, 433
10 1234567 52, 902 @yahoo.co.uk 259, 153
The list seems to highlight that a lack of data security awareness is still rife among online players.
Till now no official security notice has been sent out by the Gaming Company regarding the breach to affected users. While the forum contains a post on potential breach, it does not indicate the data loss.