Clash of Kings forum hacked, 1.6 million account details put at risk

The details of almost 1.6 million players of a popular smartphone game have reportedly been stolen after the official forums of the “Clash of Kings” game were hacked.

As ZDNet reports, hackers were able to break into the strategy war game forum – run by Chinese firm Elex – and make off with the usernames, email addresses, IP addresses, device identifiers and (if players had logged in using their social network) Facebook data and access tokens of 1,597,717 players.

In addition, password details are stored in the breached database – albeit in a salted and hashed form.

It’s important to realise that the breach does not appear to impact all players of the popular Clash of Kings game. Your details are only at risk if you registered an account on the Clash of Kings forum.


Just as well. As ZDNet explains, Clash of Kings is one of the most popular mobile games, with over 100 million installs on the Android platform alone.

Furthermore, although forum users’ password details were stored in the breached database, these were stored in a salted and hashed form – making it more difficult for hackers to exploit those credentials.

And while the identity of whoever hacked the Clash of Kings forum is currently a mystery, it is believed that the method used to breach the site is known.

It is believed that the hackers exploited a security vulnerability in vBulletin, the software used to power the Clash of Kings forum, to gain access to the sensitive data. The site appears to have been running an out-of-date version of vBulletin, meaning that it had not been updated to patch against a cavalcade of security vulnerabilities found in the software in recent years.

The breach is thought to have occurred on July 14th, but at the time of writing there is no official statement to be seen on the forum site – meaning users may be unaware that a security incident has occurred, and have not been advised of the security measures they should take to protect themselves.

For instance, if a hacker now knows that you are a fan of Clash of Kings and a member of the forum, it is easy to imagine that they might be tempted to send out tailored email messages to users, perhaps tricking them into revealing their passwords through phishing attacks or luring them into clicking on links which might lead to malware.

The fact that an attacker knows details about you, such as your Clash of Kings username, makes any bogus communications they send to you all the more convincing.

And although there is currently no suggestion that the hackers have cracked any of the password details, it would seem wise for Clash of Kings forum users to consider changing their passwords and – perhaps most importantly – ensuring that they are not using the same password anywhere else on the internet.

After all, if a hacker is able to determine your password for one site, chances are that they will attempt to use the same credentials to unlock your accounts on other sites as well.

While the lack of an official statement from the Clash of Kings forum is worrying, the failure to run an up-to-date patched version of the vBulletin forum software on its server is a problem that is all too familiar.

The administrators of modern websites must wake up to the fact that their sites are no longer online pamphlets promoting a particular good, company or service. Instead they are increasingly complex pieces of software, with hundreds of thousands of lines of code, which by their very nature are likely to contain bugs and vulnerabilities.

And wannabe hackers can easily use search engines to hunt for websites vulnerable to known vulnerabilities.

If you don’t keep the software running on your website up-to-date with the latest security patches, and put measures in place to reduce the risk of systems being breached and data being leaked, then you are putting your customers at risk.

Author Graham Cluley, We Live Security

Copyright © 2016 ESET, All Rights Reserved.