On Saturday, October 17th, the online team of the free medieval fantasy MMORPG, Albion, revealed a data breach. According to the blog post on Albion’s forum, a bad actor gained access to parts of the user database. The exposed forum user profiles included email addresses.
In addition to the emails, the malicious actor also found encrypted passwords. “These can NOT be used to log in to Albion Online, the website or the forum, nor can they be used to learn the passwords themselves”, the Albion team stated in their forum post. “However, there is a small possibility they could be used to identify accounts with particularly weak passwords.” Albion stresses that no payment information is at risk currently. However, people who reuse passwords for other accounts are at risk.
By the time they wrote their post, Albion had mitigated the vulnerability. Additionally, they plan on executing a “full security review of [their] systems.” The team recommends all Albion users take the precautionary measure of changing their passwords. This especially applies to users who use the same passwords for other accounts such as email or social media. They also strongly suggest that users use unique passwords to lower the attack surface. This will help avoid situations like this down the road.
Albion also provided a forum for people to ask questions about the breach, titled “Forum Vulnerability Discussion Thread”. The comment thread largely features people requesting that Albion enable Two-Factor Authentication (2FA). The Game Director confirmed in a comment that the team “will be investigating the possibility of implementing 2FA.”