Armor Games admits all its users' deets slurped in database mega-hack as site moves to repair chink

Armor Games (AG) has confirmed that 100 per cent of its users were caught up in February's mega-leak that saw the details of 617 million online accounts hacked from 16 hacked websites being sold on the dark web. As exclusively revealed by The Register last month, the haul included account databases for Dubsmash (162 million), …

  1. Aristotles slow and dimwitted horse Silver badge

    * cough *

    "The company claimed none of the data, part of the trove put up for sale in the Dream Market cybersouk, had been misused..."

    ...Yet.

    1. Semtex451 Silver badge

      Re: * cough *

      How would they know, yet or otherwise?

  2. Korev Silver badge
    Joke

    Is that all I'm worth?

    If $0.000002 is all I'm worth then I'm almost disappointed...

    1. Aladdin Sane Silver badge

      Re: Is that all I'm worth?

      That's the mean price. Who says you're worth even that?

      1. Korev Silver badge
        Coat

        Re: Is that all I'm worth?

        A errr Sane point

  3. Victor Ludorum

    617 million? Really?

    Are you telling me that almost 1 in 10 of the world's population had an account in their database?

    1. Michael B.

      Re: 617 million? Really?

      I did read it that way first of all but I think their password database was amongst the 617 million accounts amongst 16 different websites. So the article has no information on the size of the scale of the breach.

    2. sinsi

      Re: 617 million? Really?

      From the email I received

      We are one of the smaller companies affected, apparently holding less than 2% of the total accounts affected between the 16 companies.

  4. Jay Lenovo Silver badge
    Angel

    Death, taxes, and data breaches.

    Isn't it time that El Reg provides a "private data" obituary page?

    Keeping data private, seems to violate a faux 2nd law of "data dynamics", where the entropy of private data eventually must migrate to a public state.

    1. tmTM

      Re: Isn't it time

      Isn't it time that the huge fines we've been promised are dished out??

      Not just a slap on the wrist, something large enough to decimate the stock price.

  5. Pascal

    "and information about our password protection processes at the time (including the password salt)"

    Hashed passwords: check

    Salts used: check

    Same salt for all passwords: FAIL!

    So still only a few $ spent on Amazon to break into a high percentage of those accounts.

    Does that still really rate as "better than clear text passwords"?
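Added example (not part of the comment above, and not Armor Games' code): with one salt for the whole table and a fast hash, identical passwords store identical values, so a single guessing pass applies to every row; a random per-user salt with a slow KDF removes that property. The accounts, the salt value, the function names and the choice of SHA-256 and PBKDF2 are all assumptions, since the page does not say which algorithm the site used.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: alice and bob happen to pick the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
SITE_SALT = b"constructed-site-wide-salt"  # hypothetical: one salt for every row

def shared_salt_hash(password):
    """The criticised layout: fast hash (SHA-256 assumed), one salt per table."""
    return hashlib.sha256(SITE_SALT + password.encode()).hexdigest()

def new_record(password, iterations=600_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}

def verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])

def reused_hashes(stored):
    """Audit helper: users whose stored hash is byte-for-byte identical."""
    groups = {}
    for user, digest in stored.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(u) for u in groups.values() if len(u) > 1)

def compare_schemes():
    """Hash the same accounts both ways and report identical stored values."""
    weak = {u: shared_salt_hash(p) for u, p in USERS.items()}
    strong = {u: new_record(p) for u, p in USERS.items()}
    return (reused_hashes(weak),
            reused_hashes({u: r["hash"] for u, r in strong.items()}),
            strong)

if __name__ == "__main__":
    weak_dupes, strong_dupes, records = compare_schemes()
    print("shared salt, identical hashes:", weak_dupes)   # alice and bob collide
    print("per-user salt, identical hashes:", strong_dupes)
    print("alice verifies:", verify(records["alice"], "hunter2"))
```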

  6. fidodogbreath Silver badge

    Flash

    Most of the games on Armor's site require Flash; so it's pretty much a security fail all around.

  7. Mark 110 Silver badge

    Market Opportunity

    Surely there's a market opportunity here for all the numerous security bods to build a protective template for customers. Out of the box protection.

    You know just basic shit:

    - we won't store your CCN (even though it's more convenient for you if we did)

    - We'll cross check the email password combo you tried to use against known hacked combos and warn you if you are using a hacked combo and disallow it

    - We won't store your DoB anywhere associated with any other details (realising that companies marketing depts need the age profile of their customers to operate but that it doesn't need to be connected to the actual customers other data)

    There's more but I'm hungry and it's late. Sick to death of everyone trying to reinvent this stuff. It really shouldn't be this hard.

    1. Doctor Syntax Silver badge

      Re: Market Opportunity

      realising that companies marketing depts need want the age profile of their customers to operate

      FTFY

      The only thing they need a DoB for is if there's some need for an age verification. Even then "over 18" or whatever should be sufficient. Anyway, how are they going to verify the DoB supplied?

      Perhaps a useful addition to KeepassX would be a DoB field alongside the other fields and a DoB generator to ensure that all DoBs supplied for a given user are unique.

      1. Anonymous Coward

        Re: Market Opportunity

        "Perhaps a useful addition to KeepassX would be a DoB field alongside the other fields and a DoB generator to ensure that all DoBs supplied for a given user are unique."

        OK, it sounded good in principle, but then what about the sites that cross-link with e.g. every page having little blue pills with an f in them, sites which then deny all responsibility for misuse of the collected and cross linked slurped data (not that I'm looking at El Reg here, oh no).

        If the slurped DoB entries don't match, then what? Maybe I've misunderstood?

        Who cares about privacy policies, the corporate slurpers clearly don't feel any need to obey the law.

  8. JLV Silver badge

    something they got right though

    >Thankfully, the data haul did not include first or last names, credit card data, addresses or phone numbers. But only because AG didn't hold that information in the database.

    Whatever else they messed up, at least they got that right. If you don’t have it, you don’t need to protect it. A good reason to use external payment providers, IMHO.
