User Data Stolen In Codemasters Hack Attack

Codemasters has closed its Website after substantial customer information was stolen over a week ago

The online leisure market has been hacked again as UK games developer Codemasters reported losing user data. Like Sony, it took the company a week before notifying its users.

An attack on June 3 forced the company to shut down its website after raiders made off with personal information stored in its CodeM database, EStore, and code redemption pages. Customers trying to access the Website found themselves redirected to Codemasters’ Facebook page, and this will continue to be the case “for the foreseeable future”.

This is the second attack on Codemasters within a month.

A Treasure Trove For Phishers

The haul of stolen data is quite extensive but does not include payment card details because the company uses an external payment provider.

The unknown hackers’ swag included members’ names, usernames, screen names, email addresses, dates of birth, encrypted passwords, and biographies entered by users. They also grabbed details of last site activity, IP addresses and Xbox Live Gamertags. In addition, telephone numbers, order histories, and newsletter preferences were accessed.

Although Codemasters claims the passwords were encrypted, it has advised customers by email to change any similar passwords used for other sites, such as bank accounts.

The stolen information is a mine of useful background on each user and could be followed by cunningly crafted phishing attacks. With potted biographies giving further personal details about the users, Codemasters’ delay in informing its customers could already have caused problems for them.

When the company started redirecting visitors to Facebook, it caused confusion. Several expressed their concern that Codemasters’ email was a hoax. Some did not get the implications of the stolen-passwords notification and seemed genuinely worried that they could not access Codemasters’ Website to change their login details.

In the notification email, the company said, “Unfortunately, Codemasters is the latest victim in on-going targeted attacks against numerous game companies. We assure you that we are doing everything within our legal means to track down the perpetrators and take action to the full extent of the law.”

This will come as cold comfort to the affected users who are already expressing their anger on Codemasters’ Facebook page.

“This happened on the 3rd of June but they are only telling us now. (10th june 2011). Why they had to wait a week to tell us someone may have stolen all of our information is beyond me,” wrote Codemasters’ customer ‘Fudge’. “7 days these hackers had to do what they liked with our information. Is it to[o] much to ask for an email to all of your account holders?”

The Information Commissioner’s Office (ICO) is likely to take a close look at the breach and the fact that Codemasters was also hacked last month. At that time, as far as can be seen, the company did not put out any public notification. Any journalists querying the first hack received an official statement.

“On Friday 20 [May], there was an attempt to gain administrative access to the Codemasters.com Website. This admin access may have allowed alterations to our company Website.”

The statement concluded: “Our online team take security of user data very seriously and we are reviewing all of our Websites and systems to ensure we are as safe as possible, especially as many games companies have been popular targets for this sort of activity recently.”

It is not known if the two hacks are related.

There is no information about the latest hack on Facebook, not even a notification that it happened, so the redirected customers do not know why they have been re-routed. Neither is there any clue as to when Codemasters will be back online, other than a reference to “later this year” in the issued emails.