1.5 million gaming profiles leaked after site refuses hacker's $100,000 ransom

A hacker threatened to release user data from an esports community site unless they paid $100,000, but the league behind the site decided it doesn't negotiate with hackers.

It took 12 days after the initial threat on Dec. 27 came in, but the hacker finally leaked more than 1.5 million users' records from the competitive gaming community, ESEA. (ESEA also works to offer reliable servers with extra cheat-prevention security for Counter-Strike and Team Fortress 2 players for a monthly fee.) According to ESEA, the leak includes the usual suspects from these kind of data leaks—some players' usernames, email addresses, hashed passwords, hashed security question answers, and forum posts—but other, potentially more worrying data like private messages, IP addresses and phone numbers were leaked, too.

The hashed passwords are encrypted with bcrypt, ESEA said, which means they should be very difficult to crack. It's possible that people using the leaked data could get into some users' accounts, whether through phishing methods or sheer luck. Former pro Chad "Spunj" Burchill said his account was compromised following the leak Tuesday.

This Tweet is currently unavailable. It might be loading or has been removed.

LeakedSource, a searchable database of hacked accounts, announced the scale of the hack over the weekend. You should have already been warned to change your account information, but you can see if your ESEA account information was leaked by putting in your email address here.

Following the leak of the records, ESEA released a statement saying the hacker demanded $100,000 to not release or sell the data, which ESEA refused to pay.

"We do not give in to ransom demands and paying any amount of money would not have provided any guarantees to our users as to what would happen with their stolen data," ESEA said. "The most responsible course of action was to share the incident with the authorities and our community so each individual could take steps to secure their accounts. At the same time, we have worked around the clock to isolate the attack vector, patch the vulnerability and further upgrade our security program."

ESEA isolated and patched the database that was breached, notified the FBI of the attack and told the community to change their passwords and credentials for security purposes. A few days later, the hacker managed to access ESEA's game server infrastructure database, changing every players' karma to -1337.

For ESEA users who haven't done anything to secure their accounts since the hack in December, the ESEA outlined some recommendations to prevent accounts from being hacked:

Change your passwords and security questions/answers for any other accounts on which you used the same or similar information used for your ESEA account, and review any such accounts for any suspicious activity.

Use passwords specific to each website you hold accounts at.

Be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information.