Disclaimer: This thread was made with the intention of being a source of useful and relevant information as a response to a large amount of confusion and frustration surrounding what is a very controversial topic. This took a significant amount of time to put together. Should any information be inaccurate I will be doing my best to update as necessary. Again, I repeat this thread is meant to inform. Please do not use this thread for console warz.
There's been a lot of frustration and confusion surrounding a recent surge in game console account "hacks." What I've noticed is that there is a lot of misinformation and misattributed blame being thrown out there when comes to these "hacks" and most notably there's a distinct lack of awareness as to how one can protect their own accounts from being compromised. So, I decided to make this thread in which I will attempt to comprehensively detail the most prevalent causes for these recent breaches and the most effective preventative measures you can personally take to exponentially reduce the chances of a personal breach.
First let's talk about the causes. There are three commonly cited causes for instances of accounts being compromised.
The first are key loggers.
Key loggers are often cited as a cause for account comprises but in reality with the widespread of availability and access to free comprehensive virus protection services incidents of key loggers compromising passwords are becoming significantly less common.
The second is Social Engineering
Social engineering (or the use of readily available private data such as phone numbers, addresses etc) to exploit account support systems into granting access to otherwise secure accounts is a rapidly growing concern. However, the use of such strategies usually relies heavily on information gleaned from unrelated online breaches resulting in the trading and selling of such sensitive information online. These type of attacks are also, by their nature, very targeted attacks so they are still significantly less widespread thanks to the added time and effort that is often required as compared to other methods
The third is the breach/leak of account info from unrelated less secure sites/services.
In the VAST majority of recent cases the root cause for these compromised accounts lies with the widespread use of same or similar passwords across multiple accounts online. You might be wondering "why are shared passwords such a concern?" Well in the past three years there have been an unprecedented amount of compromised websites, forums and services leading to a flood of username, emails and passwords for sale, trade and cross reference online. These online info dumps are often sold and traded online amongst would be hackers and beneficiaries on what is known as the "darknet" (a sort of Internet subsystem only accessible via direct urls/pathways and hidden from search engines and the like).
The reason this information is (rightfully) seen as so valuable is because with some of the earliest mass breaches ( like Yahoo in 2011) it was discovered that, on average, more than 80% of the users with accounts for multiple breached sites used the exact same email and password combinations across those otherwise unrelated sites. So, this means that, more often than not, passwords from unrelated often trivial sites and forums with what amounts to very little or no data security will be applicable when cross referenced with more sensitive payment and financial related sites/services such as PayPal, Online Banking, Amazon and even PSN/XBL.
Now knowing that such a high number of people share passwords across multiple accounts/sites/services you might be thinking "that would never happen to me." Well let's take a look at some of the bigger mass data breaches that included usernames emails and passwords in the past 3 years. Please keep in mind these are only some of the breaches that we know for a fact have been sold or referenced on the "darknet."
A list of some of the biggest/most relevant online account breaches in the past 3 years:
- Adobe: This includes accounts created for Photoshop, Forums, and Flash Player.
Total: 155 million accounts
- AdultFriendFinder: all accounts created prior to the hack in 2015 including most deleted accounts were compromised.
Total: 4.7 million accounts
- Android Forums: all current accounts were compromised.
Total: 1 million accounts
- AshleyMadison: All past and current accounts were compromised.
Total: 30 million accounts
- Avast Antivirus: Paid subscriber accounts were all compromised leading to Avast forcing a password reset for all accounts after the hack in 2014.
Total: 500k accounts
- Battlefield Heroes: while the hack occurred back in 2011 the data was not sold openly online until 2013.
Total: >500k accounts
- BeautifulPeople: All current accounts as of Nov 2015 were compromised. This included not only emails, usernames and passwords but also dates of birth, home addresses, Job titles, names, and even income levels.
Total: 1.1 million
- Bell Canada: All accounts were compromised including any attached credit card information.
Total: 50k accounts
- BitTorrent Forums: All current accounts on the forum were compromised and data also included personal IP Addresses.
Total: Unknown
- Boxee: All current user accounts as of March 2014 were leaked. This included dates of birth, addresses, previous passwords, private messages and all other site related data.
Total: 160k accounts
- Cannabis .com: All accounts both current and previous were leaked. Data included IP Addresses, previous passwords, instant messaging usernames, and more.
Total: 230k accounts
- Comcast: Multiple subsets of Comcast accounts in specific regions on the East Coast of America were ousted for sale. The most recent of which was in Nov 2015 and included 590k accounts in just that one sale. It is unkind how many accounts were included in previous sales.
Total: Unknown
- DC Universe Online: An unknown number of accounts for this online game were sold in multiple occasions over the course of 2014 leading to a forced password reset for most PC accounts.
Total: Unknown
- Dominos Pizza: Accounts from dominos pizza websites have been sold online on multiple occasions by region and country. Accounts from US, France, Japan, and Belgium are known to have been sold online. Recently accounts from France were held in ransom by a hacker collective and publicly released when Dominos refused to pay.
Total: Unknown
- Dungeons and Dragons Online: All user accounts both past and present as of August 2013 were sold online.
Total: 1.6 million Accounts
- Final Fantasy Shrine Forums: All account data was publicly leaked online in Sept 2015 and it was discovered that of emails with corresponding FFXIV accounts over 80% used the same passwords for both accounts.
Total: >620k accounts
[*]Forbes .com: Accounts for the Forbes website were publicly leaked in March 2014 as retaliation for what the hackers claimed was a Syrian hate campaign on behalf of Forbes coverage of events in Syria.
Total: >1 million accounts
[*]Gawker Media: In retaliation for negatively skewed coverage of 4 chan a substantial number of accounts across all Gawker owned websites were publicly leaked.
Total: >1.3 million accounts
[*]Gmail .com: A large number of gmail accounts and associated passwords were ousted for sale in September 2014. It is unknown how many accounts were compromised in total all we know is the number that was sold.
Total: >5 million accounts sold
[*]KM .ru: A large cache of accounts associated with this Russian email service were posted for sale online in February 2016 with another unknown cache posted for sale in June.
Total: >1.7 million accounts
[*]Lifeboat Minecraft Forums: All user accounts for this incredibly popular Minecraft community were breached and leaked online.
Total: 7 million accounts
[*]LinkedIn: Thus was a huge one. One of the biggest account breaches in internet history occurred on LinkedIn back in 2012 with the data remaining private up until just this past May in 2016 when over 164 million accounts were leaked publicly for cross reference online. It is believed this leak consisted of ALL LinkedIn accounts set up prior to 2012. It all represented the single largest influx of new accounts and passwords online in the past 6 years.
Total: >164 million accounts
[*]Linux Mint Website: The official website for the increasingly popular Linux distro was breached resulting in the leaking of dates of birth, IP addresses, and more.
Total: 145k accounts
[*]Lord of the Rings Online: Account data for this online MMO was being publicly traded online as early as August 2013. It is believed all accounts created prior to that date were leaked in excess of 1.1 million accounts.
[*]MajorGeeks .com: A large number of accounts from this popular freeware and software download site were publicly traded and sold online as early as Nov 2015.
Total: 270k accounts
[*]MalwareBytes Forum: user accounts for the official forums of this antivirus service were leaked online and sold as early as November 2014.
Total: 111k accounts
[*]Mate1 .com: All accounts and all associated data on this popular dating site were leaked online after a massive breach in February 2016.
Total: >27 million accounts
[*]NaughtyAmerica .com: all accounts for this popular porn site were stolen in March 2016 and sold online.
Total: 1.4 million
[*]NextGenUpdate .com: This video game website and its accompanying forum suffered a breach sometime in early 2014 leaded to the sale of all of its account info.
Total: ~1.2 million accounts
[*]Nexus Mods: This popular game mod hosting hub was breached in July of 2013 resulting in the leak and subsequent sale of all user account data both past and present.
Total: ALL exact number Unknown
[*]Patreon .com: More than 16gb of data including all user account information was stolen in October of 2015. Only after the pertinent data was fully decrypted in February of this year have these accounts been slowly spreading for sale and trade online. Thus far over 2.3 million unique accounts have been identified as compromised with the remainder likely available out there somewhere.
Total: ALL or >2.3 million accounts
[*]PLEX: The online forums for this popular video streaming service/application were compromised in July 2015 resulting in the release of all user account data.
Total: >327k accounts
[*]PS3Hax This hacking and modding website for PS3 was breached in July 2015 resulting in the loss of all account data. Many of these accounts were leaked with PSN ids resulting in east cross referencing and account phishing.
Total: >447k accounts
[*]PSX-SceneAll user data for this forum and website were compromised sometime around Feb 2015 and promptly released online. Many of these accounts were leaked with PSN ids resulting in east cross referencing and account phishing.
Total: >340k accounts
[*]Snapchat: this service was breached shortly after an article detailing its security vulnerabilities was published in Jan 2014. The resulting account dump represents a significant breach as it attached many existing known accounts with their corresponding phone numbers therefore enabling these accounts across other services to be compromised via social engineering with their corresponding support systems.
Total: >4.6 million accounts
[*]Target: a massive company wide breach resulted in the retrieval and sale of all current Target loyalty, rewards, credit card and customer accounts both online and retail. It is currently unknown just how many accounts there were but ever single one of them was compromised leading to a huge influx of unique usernames, emails, phone numbers and passwords available online opening up not only many straight password crossovers but also a large number of support password resets via the other leaked info affiliated with each email address and username.
Total: ALL exact number unknown
[*]Tumblr: The popular site was breached some time in early 2013 resulting in its user accounts being sold online over the remainder of the year.
Total: >65million accounts
[*]VTech: All user accounts in this popular educational resource site were leaked including security questions, dates of birth, phone numbers, and addresses opening many accounts up for compromise via social engineering on various other websites.
Total: >5 million accounts
[*]Wildstar: User accounts for this MMO started to pop up for sale online in July of 2015. All accounts made prior to the first appearance of sale are suspected to have been compromised.
Total: ALL exact number Unknown
[*]Xbox-Scene: This semi popular Xbox fan forum was totally breached in February of 2015 resulting in the leak of passwords that were often directly attached to gamer tags allowing for easy cross referencing.
[*]YouPorn: This incredibly popular porn site was breached in Feb 2013 resulting in the loss of all account data.
Total: >1.3 million accounts
You can also check to see if your personal account info has been a part of any of the publicly available/known leaks by entering your email into this website and searching. This site cross references your email with all known leaked data and tells you if, where, and when its been compromised.
Now keep in mind this is only data that has been released online in the past 3 years and it's only the biggest most relevant of the known breaches. As you can see it is becoming easier and easier for certain elements to obtain account data and cross reference it with other popular services in order to exploit shared or similar passwords across said services. It's no surprise then that this is by far the leading cause for compromised accounts (gaming or otherwise) especially when considering the large amount of data that became widely available and publicly circulated only just recently.
So, now that we know the various causes let's answer the most important question:
How can I protect myself from these breaches on XBL or PSN?
2 factor authentication is one method of protecting yourself when available but it is by no means the end all be all when it comes to account security. This is especially true given the recent trend of phone numbers, addresses and other pertinent personal information being tied to modern info leaks. While the use of 2FA does vastly reduce the chances of your account being compromised, accounts with 2FA can have their second factor compromised via phone spoofing, insecure email accounts or even just social engineering using customer support to override it. 2FA can also be inconvenient should you lose access to the phone or email it is attached to.
The single easiest way to protect yourself is actually remarkably simple create a completely unique password for any and all accounts associated with payments/purchases. There are even password managers such as 1password and LastPass designed for this very thing. They randomly generate unique passwords and secure them behind their comprehensive encryption services that can then be accessed using a single key of your choosing. Should you wish to be even more secure you can opt to update your password regularly be it yearly or otherwise. Furthermore you can even opt to remove any payment information following each transaction to absolutely ensure no purchases could be made in the slim chance of a breach still occurring.
Unique passwords DRAMATICALLY decrease the chances of your account being compromised on these services as they are no longer susceptible to the breaches experienced by so many of these other services and sites. These days using the same password across multiple (or heaven forbid all) accounts is basically begging for email accounts and accounts with financially impactful data attached to be compromised sooner or later. As such, using unique keys for each such account exponentially decreases the chances of being compromised.
So, to summarize, please make sure to do the following in order to protect your personal account info
- Don't ever use the same password across multiple financially sensitive or email sites/accounts.
- Don't use an easily cracked password like "password" or any other minor variation. Instead, consider using three entirely unrelated words or a randomly generated password manager as these are the most difficult sort of passwords to crack.
- Use 2-step verification whenever available especially for your account related email.
- Consider creating more than one email account with completely different names and passwords for registering financially sensitive accounts.
- If you can avoid storing sensitive financial info by using pre-paid cards, do so.
- Safeguard your PC from Trojans and key loggers by updating and running an antivirus regularly
While companies could undoubtedly do more to help secure your information or protect you from financial fallout (honestly every company could) it is important to understand that the vast majority of these compromised accounts are not hacks or security breaches of their individual networks. As such they should not, in my opinion, be called "hacks" as it implies a level of fault and suspicion that is entirely unmerited and perpetuates potentially damaging assumptions and misinformation amongst the less informed. The truth is no amount of security options will protect your account if you don't take your own personal security seriously. These companies are not liable for breaches across other sites/account systems/services (nor should they be blamed when this data is used to compromise accounts on their service in my opinion). Nor is this a problem of limited to one specific network (yes despite what you might believe XBL is susceptible to this sort of as well) While 2 factor authentication is becoming a more popular way of curbing this particular issue, in my opinion, in the grand scheme of things it's only a bandaid for a widespread user specific problem: using the same and/or similar passwords across multiple accounts and services. Make no mistake, doing so is basically the Internet equivalent of playing with fire as it becomes not a question of if you'll get burned but when.
TLDR: Please learn from the errors of your peers and heed the advice of security experts: stop being passive about your own personal information security. Take the necessary steps mentioned above to secure your own information [unique passwords, 2FA, etc] yourself because, in this day and age, when it comes to your personal and financial information online you are quite literally your own worst enemy.
Should anyone have any further helpful advice or information please do post it below. My hope is that this thread will be a valuable resource for people looking to further secure their accounts online.
Edit: The following will be regularly updated to the best of my ability with recent relevant private data dumps
Code:
[b]Trillian[/b]
In December 2015, the instant messaging application Trillian suffered a data breach. The data was released July 2016 and exposed various personal data attributes including names, email addresses and passwords stored as salted MD5 hashes.
Total - [U]3,800,000 breached accounts[/U]
[B]17[/B]
In April 2016, customer data obtained from the streaming app known as "17" appeared listed for sale on a Tor hidden service marketplace. The data contained over 4 million unique email addresses along with IP addresses, usernames and passwords stored as unsalted MD5 hashes.
Total - [U]4,000,000 breached accounts[/U]
[B]Neopets[/B]
In June 2016, a set of breached data originating from the virtual pet website "Neopets" was found being traded online. Allegedly hacked "several years earlier", the data contains sensitive personal information including birthdates, genders and names as well as almost 27 million unique email addresses. Passwords were stored in plain text and IP addresses were also present in the breach.
Total - [U]26,900,000 breached accounts[/U]
[B]Warframe[/B]
Warframe was hacked and 819k unique email addresses were sold in late June 2016. The attack exposed usernames, email addresses and payment data. Digital Extremes (the developers of Warframe), claims the info is only "alias names" rather than passwords but recently available data shows otherwise.
[i]Edit: As per [url=http://m.neogaf.com/showpost.php?p=210804795]Kayant[/url] this breach occured in Nov 2014 and it's only the data that was recently released.[/i]
Total - [U]819,000 breached accounts[/U]
