The official forum for the popular mobile game Clash of Kings is the latest to fall victim to a cyberattack after a hacker broke through its defenses and managed to obtain the user data of around 1.6 million accounts.
The hack occurred on July 14 and the security breach was made known to the website LeakedSource.com by a hacker who wished to remain anonymous. The database of user account details taken from the forum contained the usernames, email addresses, IP addresses, device identifiers in addition to Facebook data and access tokens from those who signed in using their social accounts.
The Clash of Kings forum however did protect its passwords which were hashed and salted in the database acquired from the hack. In total, 1.597.717 user records were stolen from the hack.
The hacker was able to gain access to the forum by exploiting a known weakness in its software. The developer of Clash of Kings, Elix has been using an older version of vBulletin from 2013. This version in particular is known to contain a number of security flaws that can easily be exploited by an attacker using tools found online.
Through a method known as “Google dorking”, the hacker was able to utilize search engines to actively seek out sites running vulnerable or out-of-date forum software.
The Clash of Kings forum was targeted because it has a large user base and Elix, which fails to employ basic HTTPS encryption on its site, has shown how lax it is willing to be when it comes to the security of its users.