The Esports Entertainment Association (ESEA), best known for its involvement in professional Counter-Strike tournaments, has confirmed it was hacked over Christmas. According to LeakedSource – and later confirmed by ESEA – information from over 1.5 million user accounts was leaked following the organisation's refusal to pay a $100,000 ransom to the hacker.
After learning of the breach on December 27, ESEA notified its community on December 30 that a hack may have occurred. A week later, on January 7, LeakedSource confirmed that 1,503,707 ESEA records had been added to its website. These include personal information such as city, state, first and last name, time of last log-in, email address, date of birth, phone number and more.
Between ESEA learning of the breach and the records leaking, the hacker responsible demanded $100,000 in exchange for silence and collaboration on fixing ESEA's security flaw. The company refused.
In a FAQ on its website, ESEA explains what's at stake for its users. "We are still investigating but believe that a large portion of the ESEA community members’ information including usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers could all have been exposed."
Meanwhile, on the topic of how the hacker acquired the information in the first place, ESEA claims it has already found and addressed the problem. "To be clear, we have worked to identify the source of the vulnerability and have taken the appropriate measures to patch it." It also asks that ESEA users follow a password and information change procedure outlined in the FAQ.
"We apologize for the incident that has taken place," the ESEA continued, "as it is our responsibility to do everything possible to secure the data of our users. We will continue to work with both our developers and independent security experts to improve our security and invest in strengthening ESEA’s infrastructure going forward."