Data from 2014 hack of children’s online game Bin Weevils leaked online; hacker claims 20m records

We’ve seen it before – in fact, we seem to be seeing it a lot recently – data from an old hack first being publicly leaked. This time it’s Bin Weevils, a British online children’s game, owned by 55 Pixels

In September 2014, Bin Weevils posted a note on their site that they had discovered a “vulnerability” affecting usernames and passwords. In response, they forced a password reset and added some unspecified security features. Their note does not seem to inform users that the data were actually hacked and acquired. And based on data provided to DataBreaches.net yesterday and today, they did not fully disclose the types of information that were hacked.

Yesterday, DataBreaches.net was contacted by “ShohidzIslam,” who wrote that he had learned of a database that was now being released to the public by hackers going by the names of “Pure”, “LukeBaxter”, “Akshay”, “Tyrone” and “Philip.” A link to the data had reportedly been posted in an IRC chat.

The file, which DataBreaches.net obtained and inspected, consisted of 1,022,883 records. Each record included the user’s username, encrypted password (salt+hash), and in-game data like their pet’s ID number, pet’s name, and date of registration.  A line at the top of the dump credits “jkb, legit, lukebaxter, tyrone, philip, pure, akshay.”

ShohidzIslam informed DataBreaches.net that he asked the hackers if they also had IP addresses and email addresses. In response, they provided a redacted screenshot showing all of the fields, which did include both registration and login IP addresses, as well as email addresses.

User data from a 2014 hack of Bin Weevils is now appearing on the web. Screenshot provided by hacker indicates that they obtained more information than acknowledged by Bin Weevils in their 2014 notification.

“Luke Baxter” allegedly informed him that they were reserving the full data set with the email addresses and IP addresses as they might sell all of the data privately at some future time. The 1-million record sample was to alert the public that the data were out there, but he claimed that the full data set has approximately 20 million records.

Data in the dump were dated from 2014, which would be consistent with the incident reported in September, 2014 by Bin Weevils. Attempts to verify the data by trying to create new accounts using usernames in the dump resulted in messages that the tested usernames were already taken. Data in the redacted screenshot corresponded to data found in the data sample, although it appeared to be from a different database as the order of the rows did not match.

Evidence that the hackers have email addresses obviously raises questions about Bin Weevils’ report that the breach affected (only) usernames and passwords. Based on Bin Weevil’s About page and Privacy Policy, the email addresses are likely the parents’ email addresses. Parents might understandably want to have been informed if their email addresses with some of their children’s information had been acquired by hackers.

DataBreaches.net  sent Bin Weevils an inquiry yesterday asking them to confirm whether email addresses and IP addresses were also in the hacked database, and to confirm or deny the claim of approximately 20 million records, but has received no reply other than an auto-responder.

DataBreaches.net will update this post if additional information is obtained.

Update of August 20, 2017: DataBreaches.net received an email from a sender identifying themselves as “Akshay,” that claimed, in part:

… The information on that link I have given has the name ‘akshay’ in, who did not have anything to do with the games database being released, the name was used to blame another individual.

I have copy and pasted the lines on your website containing the name ‘akshay’ below. You was given this article by someone who was actually involved in what happened and now is trying to cover himself up and blaming others which is really sad.

 

About the author: Dissent