In June 2016, the Evony Gaming Company’s official website was hacked, resulting in the theft of data for more than 33 million registered user accounts. In August there was a similar breach of the site’s forums, resulting in 938,000 more accounts compromised. The data breach database website Leaked Source has now listed publicly available data for those users involved. The data stolen on this occasion was fairly comprehensive, including usernames, passwords, e-mail addresses and IP addresses.
Leaked Source also claims to have cracked the majority of the passwords involved, stating they were stored using ‘unsalted MD5 hashing’ (a relatively weak way of protecting passwords), which makes them more vulnerable to conventional password cracking software. More worryingly still, it appears that Evony Gaming Company has sent no official notification of the breach to affected users. While their forum contains a post about a ‘potential’ breach there, it does not mention the much larger data loss. Also worth noting: some sources have suggested that, because Evony allows users to sign in using Facebook Connect, the stolen data could also contain Facebook login credentials. This is almost certainly not the case. The short-term access codes used by the single sign-on application mean that Evony Gaming Company would never have access to the specific login details in question.
The blog post from Leaked Source also lists the most commonly used passwords and e-mail domains affected. The list also seems to highlight that a lack of data security awareness is still rife among online players: 123456 comes in as the most frequently used password, with 123456789 not far behind. As you might expect, the most commonly used e-mail domains were yahoo.com, hotmail.com, and gmail.com.
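To show why unsalted MD5 combined with widely reused passwords such as 123456 is so exposed, here is an added example (not code from Evony or Leaked Source) that stores the same accounts both ways and counts how many end up sharing an identical stored value. The account names, passwords and function names are constructed for illustration, and PBKDF2-HMAC-SHA256 with a per-user salt is an assumed stand-in for a hardened scheme.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real breach data).
ACCOUNTS = [
    ("alice", "123456"),
    ("bob", "123456"),
    ("carol", "123456789"),
    ("dave", "123456"),
    ("erin", "correct horse battery staple"),
]

def store_unsalted_md5(password):
    """Weak scheme named in the article: one fast, unsalted MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()

def store_salted_pbkdf2(password, iterations=600_000):
    """Hardened form: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_salted_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def accounts_sharing_a_hash(stored_values):
    """Count stored values that are identical to at least one other."""
    counts = Counter(stored_values)
    return sum(n for n in counts.values() if n > 1)

def audit(iterations=600_000):
    weak = [store_unsalted_md5(p) for _, p in ACCOUNTS]
    strong = [store_salted_pbkdf2(p, iterations) for _, p in ACCOUNTS]
    return {
        "weak_shared": accounts_sharing_a_hash(weak),
        "strong_shared": accounts_sharing_a_hash([d for _, _, d in strong]),
        "verify_ok": verify_salted_pbkdf2("123456", strong[0]),
        "verify_bad": verify_salted_pbkdf2("1234567", strong[0]),
    }

if __name__ == "__main__":
    print(audit())
```

With unsalted MD5, every account using the same password carries the same stored value, so recovering one recovers them all; with a per-user salt, no two records match even when the passwords do.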
If you think you might be affected by the breach, you can submit your registered e-mail address to Leaked Source to be notified if your data appears in their records. This covers much more than the Evony data breach, as the Leaked Source site uses algorithms to compile stolen user data that is publicly available on the web and dark web.
All developers are out to make a profit, but some make that their primary focus, above all else. Given that Evony is perhaps most notorious for its aggressive marketing images and its forced name switch from Civony, it’s not surprising that their approach to the news appears to have been to sweep it under the rug.
If you think you’ve been affected by this breach, please use the links above to take action. Tell us what you think of the news or of Evony Gaming Company’s non-reaction, in the comments below!