Image
Last week we were made aware of a potential web server breach that occurred in November 2014. At the time, we believed this to be a phishing scam as our account server was secure. After a thorough review of the data we received, we can confirm that a list of 775,749 email addresses were acquired through a Drupal SQL exploit that was patched by Drupal two weeks after the breach occurred. The stolen data DID NOT include any account passwords, variations of passwords, hashed passwords, game account data or personal player information such as full names, addresses or other billing and payment information. Note that while there were hashes in the stolen data these were meaningless hashes of Alias names.Yes, you read that correctly. The data breach appears to have happened in late 2014 - over 18 months ago - but has only come to light now. The suggested timing of the breach is significant. Because in October 2014, Drupal issued a chilling warning to the hundreds of thousands of sites running its content management software, after automated attacks were seen within hours of it sharing details of a highly critical SQL injection vulnerability. At the time, Drupal warned users that they should should "proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th 2014, 11pm UTC." This was a big problem - as it meant that not only was any site using a vulnerable version of Drupal under threat of hacker attack, allowing online criminals to steal data or open backdoors, but also updating to a more recent version of Drupal in the wake of the announcement would not remove any backdoor already put in place. Furthermore, it was thought that some attackers may have themselves applied the patch on vulnerable websites to put system administrators off the scent that a breach had occurred, and prevent other hackers from exploiting the same flaw. Sheesh. No wonder they called it "Drupalgeddon." From the sound of things, Warframe never received the memo about the Drupal flaw or - if they did - failed to respond appropriately to secure their systems. And that's why, as Motherboard reports, details of almost 800,000 Warframe users are now being traded on the internet. Although it's easy to point a finger of blame at Warframe for not securing its servers properly, we shouldn't forget that they are victims of a criminal act. The real villains of the piece are the hackers who broke into Warframe's systems, and those who are now trying to profit from trading its users' credentials. We know that many other sites were also impacted by the Drupalgeddon vulnerability, and it wouldn't be the biggest shock in the world to one day discover that there are yet more sites that spilt their secrets because of the flaw. The silver lining on the cloud is that the stolen data did not include passwords or even hashed passwords, and that personal details such as users' full names were not exposed - limiting the opportunities for exploitation. Nonetheless, Digital Extremes is recommending that Warframe players look out for phishing emails, enable two-factor authentication to protect their accounts. It also says it no longer uses Drupal, and advises all Warframe players to take the time to review and "reset their passwords frequently." Personally, I'm not a fan of telling users to regularly change their passwords unless it is believed a breach has occurred, but we can probably leave that discussion for another day. Always choose a strong, hard-to-crack password and - importantly - ensure that you are not reusing it anywhere else on the web. That should be your mantra even if you don't deem a particular website (such as a gaming site) to be critical. Where two-factor authentication is offered, enable it to harden your accounts and use password management software to remember all of your different passwords for you. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
