Details of a data breach involving retro gaming website Emuparadise have emerged, revealing that data belonging to more than 1.1 million users was compromised in an April 2018 attack.
Emuparadise previously hosted ROM files containing retro games that could be played through an emulator. It stopped hosting these files in August 2018 due to copyright fears, but continued to operate as a forum.
The compromised data was added to Have I Been Pwned’s (HIBP) breach database today after being discovered by breach directory DeHashed.com. According to reports, the data had been listed for sale on hacker forums since the start of the year.
According to HIBP, email addresses, IP addresses, usernames and passwords were compromised during the breach.
Emuparadise relied on outdated password hashing algorithm
HIBP claims that the passwords stolen from Emuparadise were stored using the MD5 hashing algorithm.
Cryptographic hash functions are commonly used to protect stored passwords. Rather than keeping the password itself, the site stores the output of a one-way hash function, a fixed-length digest from which the original password cannot be directly recovered; at login the submitted password is hashed again and compared with the stored value.
However, MD5 is a fast, general-purpose hash from the early 1990s, not a dedicated password hash. An attacker who steals a table of MD5 hashes can test billions of candidate passwords per second on commodity GPUs, so any password that appears in a wordlist or follows a common pattern is recovered quickly. The creator of the MD5 algorithm admitted that MD5 was “no longer safe” following a LinkedIn breach that compromised more than 6.4 million users in 2012.
“MD5 hashing is outdated, and there are other hashing techniques available that can offer stronger security,” Adam Brown, manager of security solutions at Synopsys, told Verdict.
The stolen Emuparadise passwords were also salted, which Brown explains offers an additional line of defence. A salt is a random value generated for each user and combined with the password before it is hashed. It does not make any single hash harder to crack, but it stops an attacker from using precomputed tables and from cracking every account in one pass, because each record has to be attacked separately.
It is unclear from the reports whether the salts were taken as well. Salts are not secrets and are normally stored in the same table as the hashes, so in practice they usually are. An attacker who has them can still recover plain text passwords, but must repeat the work for every record rather than once for the whole table.
“If the attacker knows the salts, then they can still perform a dictionary-based attack – but only on a record-by-record basis,” Brown said.
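The following Python script is an added example, not code from the article or from Emuparadise, and the user table and wordlist in it are constructed. It shows the three points made above on sample data: an unsalted MD5 table falls to a single precomputed lookup, a salted MD5 table forces the record-by-record attack Brown describes but each guess still costs only one MD5, and a deliberately slow password hash (here PBKDF2-HMAC-SHA256 from the standard library; bcrypt, scrypt or Argon2 would serve the same role) multiplies the cost of every guess.

```python
import hashlib
import os
import secrets
import time

# Constructed sample data (not from the breach): three accounts and a tiny
# wordlist. Real wordlists hold hundreds of millions of entries, but the
# shape of the attack is the same.
USERS = {"alice": "password", "bob": "retrogamer", "carol": "S3cure!Pass-x9"}
WORDLIST = ["123456", "password", "letmein", "emulator", "retrogamer", "qwerty"]


def md5_hex(data: bytes) -> str:
    """Plain MD5 digest, as a legacy site would have stored it."""
    return hashlib.md5(data).hexdigest()


def make_unsalted_table(users):
    """Unsalted storage: identical passwords give identical hashes."""
    return {user: md5_hex(pw.encode()) for user, pw in users.items()}


def make_salted_table(users, salt_bytes=16):
    """Salted storage: the per-user salt sits next to the hash in the
    database, so whoever steals the table gets the salts too."""
    table = {}
    for user, pw in users.items():
        salt = secrets.token_hex(salt_bytes)
        table[user] = (salt, md5_hex((salt + pw).encode()))
    return table


def crack_unsalted(table, wordlist):
    """One hash per candidate word, reused against every record: a
    precomputed lookup breaks all accounts in a single pass."""
    lookup = {md5_hex(w.encode()): w for w in wordlist}
    found = {user: lookup[h] for user, h in table.items() if h in lookup}
    return found, len(wordlist)  # (recovered passwords, hashes computed)


def crack_salted(table, wordlist):
    """With salts the precomputed lookup is useless: every (record, word)
    pair must be hashed separately, i.e. record by record."""
    found, hashes_computed = {}, 0
    for user, (salt, stored) in table.items():
        for w in wordlist:
            hashes_computed += 1
            if md5_hex((salt + w).encode()) == stored:
                found[user] = w
    return found, hashes_computed


def slow_hash(password: str, salt: bytes, iterations=200_000) -> bytes:
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256). Each guess now
    costs the attacker `iterations` HMAC calls instead of one MD5."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def guess_cost_ratio(iterations=200_000) -> float:
    """Rough per-guess cost of PBKDF2 relative to one MD5 on this machine."""
    salt = os.urandom(16)
    n = 2000
    t0 = time.perf_counter()
    for _ in range(n):
        md5_hex(salt + b"guess")
    md5_per_guess = (time.perf_counter() - t0) / n
    t0 = time.perf_counter()
    slow_hash("guess", salt, iterations)
    kdf_per_guess = time.perf_counter() - t0
    return kdf_per_guess / md5_per_guess


if __name__ == "__main__":
    print(crack_unsalted(make_unsalted_table(USERS), WORDLIST))
    print(crack_salted(make_salted_table(USERS), WORDLIST))
    print(f"one PBKDF2 guess costs roughly {guess_cost_ratio():.0f}x one MD5")
```

Both MD5 tables give up the same two weak passwords; the salted one merely costs the attacker one hash per record per candidate instead of one per candidate. Only the slow hash changes the economics, and its iteration count (an assumed value here) should be tuned so a login takes on the order of 100 ms on the site's own hardware.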
Businesses must recognise that they could be next
Browsing through the recent breaches added to HIBP, it is clear that a large number of online platforms are still using fast, general-purpose hash functions such as MD5, rather than a dedicated password hash, to protect stored passwords.
Rather than a deliberate choice of outdated tools, the use of MD5 in this breach, as in many others, most likely reflects a failure to update legacy systems.
“It would be extremely rare to see new applications making use of MD5 for secure hashing,” Tim Erlin, VP at Tripwire, explained. “The problem is that there are so many legacy systems out there, following the modernised adage ‘if it ain’t down, don’t touch it.’ Until these applications are replaced, or the underlying infrastructure stops supporting MD5, we’ll continue to see this type of persistence.”
Jake Moore, cybersecurity specialist at ESET, agrees: “MD5 hashes are still used by so many companies to store passwords simply because it’s what they are used to. Companies can so often fall into the trap of not updating processes because it feels like hard work to change and update their ways. In fact, there are still some companies who even store their customers’ passwords and other information in plain text.”
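Replacing MD5 in a legacy application does not have to wait for users to log in or for a rewrite. The Python below is an added example, not Emuparadise's or any vendor's code, and its legacy table is constructed; the scheme names, the `legacy_salt` field and the iteration count are assumptions. It wraps every existing salted-MD5 digest in a salted PBKDF2 hash in one offline pass, so a copy of the table stolen afterwards already carries the higher per-guess cost, and then rehashes the plaintext directly the next time each user logs in.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to ~100 ms per login


def md5_hex(legacy_salt: str, password: str) -> str:
    """What the legacy column holds: MD5 over salt + password (the salt is
    the empty string for sites that never salted)."""
    return hashlib.md5((legacy_salt + password).encode()).hexdigest()


def pbkdf2(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)


def wrap_legacy_record(legacy_salt: str, legacy_md5: str) -> dict:
    """Step 1, run once over the whole table with no user involvement:
    wrap the existing MD5 digest in a fresh salted slow hash, then drop
    the raw MD5 column. The legacy salt stays so the inner MD5 can be
    recomputed at login."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(md5)", "legacy_salt": legacy_salt,
            "salt": salt, "hash": pbkdf2(legacy_md5.encode(), salt)}


def new_record(password: str) -> dict:
    """Scheme used for new accounts and for upgraded ones."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": pbkdf2(password.encode(), salt)}


def verify_and_upgrade(record: dict, password: str):
    """Step 2, at login: check the password under whichever scheme the row
    uses. On success for a wrapped row, rehash the plaintext directly and
    return the replacement row for the caller to persist."""
    if record["scheme"] == "pbkdf2(md5)":
        inner = md5_hex(record["legacy_salt"], password).encode()
        candidate = pbkdf2(inner, record["salt"])
    elif record["scheme"] == "pbkdf2":
        candidate = pbkdf2(password.encode(), record["salt"])
    else:
        raise ValueError(f"unknown scheme {record['scheme']!r}")
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if record["scheme"] == "pbkdf2(md5)":
        return True, new_record(password)
    return True, record


def migrate_table(legacy_table: dict) -> dict:
    """Wrap every legacy (salt, md5) row in one pass."""
    return {user: wrap_legacy_record(salt, digest)
            for user, (salt, digest) in legacy_table.items()}


if __name__ == "__main__":
    # Constructed legacy table, the shape of a salted-MD5 dump.
    legacy = {"alice": ("a1b2c3", md5_hex("a1b2c3", "password")),
              "bob": ("", md5_hex("", "retrogamer"))}
    table = migrate_table(legacy)
    ok, table["alice"] = verify_and_upgrade(table["alice"], "password")
    print(ok, table["alice"]["scheme"])
```

The wrapped rows are no weaker than the originals and considerably stronger against offline guessing, so the migration can ship before a single user has logged in; the `scheme` tag lets the login path handle old and new rows side by side until the last wrapped row is gone.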
However, protecting user data is now a necessity for businesses. The introduction of the European Union’s General Data Protection Regulation (GDPR) means that businesses face fines of up to €20m or 4% of global annual turnover, whichever is higher, for failing to protect user data.
However, Moore believes that many still feel that they are unlikely to be targeted by such attacks, and therefore do not need to worry about the consequences.
“It can take a huge breach of data to wake up a company and make them rethink policies and procedures,” Moore told Verdict. “It should be assumed that any company could potentially be hacked so it comes down to how data is stored internally.”
“Multiple layers of security must be deployed to keep such information protected should it ever be compromised.”