No Comments

More than 500,000 credentials from nearly 25 game developers were found being sold on the darkweb


More of 500 thousand internal systems credentials 25 game developers leaked and were found being sold in Russian forums last year, inform researchers from Israeli information security, Kela.

Kela investigated the 25 largest publicly traded companies in the sector, ordered by revenue based on the last half of 2019. With the study, it found nearly a million compromised customer and employee accounts, with more than half of them being sold on the darkweb.

The companies were ordered by Newzoo, a market data consultant in the gaming world. Tencent; Sony; Apple; Microsoft; Nintendo; Google; Blizzard; Electronic Arts (EA); Bandai Namco; Warner Bros; Ubisoft; Square Enix; Nexon; NCSoft; Konami; Perfect World; Sega and Zynga are among the 25 listed companies.

Offer of accounts in Russian forum. Photo: Reproduction Kela.
Offer of accounts in Russian forum. Photo: Kela.

Kela researchers have identified employee accounts and internal credentials of administrative panels, VPNs, work management tools like Slack, Trello and Jira, File Transfer Protocol (FTP), Single Authentication (SSO) accounts, game development environments and others, being sold at low prices.

“We detected compromised accounts for internal resources from almost all of the companies in question. These features should be used by employees, for example – administration panels, VPNs, Jira instances, FTPs, SSOs, development-related environments and the list goes on indefinitely. As seen in the examples below, with the payment of just a few dollars, a potential attacker may have access to the central areas of a company’s network, ”write the researchers.

Internal credential ads. Photo: Kela.
Internal credential ads. Photo: Kela.

The researchers also identified at least four recent ransomware infections among the 25 largest companies in the industry. “In the past three months, we’ve seen four ransomware incidents affecting game companies – three of which have been reported publicly,” they say.

“We also detected an infected computer (bot) that had credential records for many confidential accounts that could be accessed by attackers when purchasing: SSO, Kibana, Jira, adminconnect, service-now, Slack, VPN, password manager and the company’s poweradmin – all in a single bot – which strongly suggests that it is used by a company employee with administrator rights. This highly valuable bot was available for sale for less than $ 10”, They write.

The risks

According to the researchers, leaked credentials represent the first step in a more elaborate attack. “Leaked credentials can easily be” translated “into a more meaningful attack.” With credentials in hand, a cybercriminal can use social engineering and tailor-made phishing scams to authenticate those accounts, if necessary.

“The goal is, of course, obtain the relevant credentials to gain access to services of interest, find an entry point for a target network, then scale privileges and move laterally. Once access has been obtained to a service of interest – the actor will continue to move sideways to eventually deploy ransomware [por exemplo]”, They write.

“However, the Ransomware deployment is just one of many different cyber attacks that these cybercriminals can try. This access can also allow them to initiate other crimes, such as corporate espionage, fraud and other methods that can cause victims to incur serious financial losses, ”they conclude.

Sources: Kela; Newzoo.

See the original post at:

You might also like

More Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.