Personal details belonging to approximately 2.2 million user accounts from GateHub and EpicBot were leaked online, according to Troy Hunt, creator of the Have I Been Pwned? data breach search website.
The websites of GateHub, a cryptocurrency wallet service, and EpicBot, a RuneScape bot service, were compromised sometime this year. It’s difficult to say precisely when the incidents happened, but there’s a bit of good news as well. Both websites were using bcrypt, a password hashing function that can prevent bad actors from recovering the actual passwords, or at least delay them for a very long time.
According to an Ars Technica report, the hackers took wallet hashes, mnemonic phrases, and two-factor authentication keys for 1.4 million accounts from the cryptocurrency wallet GateHub. The EpicBot hack was a little bit smaller, with 800,000 accounts leaked, including usernames, IP addresses, and encrypted passwords.
Of the two services, only GateHub admitted to being hacked, but when they initially announced it back in August, they only mentioned around 18,000 accounts being compromised.
“On affected accounts, the following data was being targeted: email addresses, hashed passwords, hashed recovery keys, encrypted XRP ledger wallets secret keys (non-deleted wallets only), first names (if provided), last names (if provided),” GateHub said a few months ago.
While it’s good that the services encrypted some of the data, even leaking user names is a problem. Many people have the same user names and passwords for multiple online accounts, and other websites might not take care to encrypt their data. Matching user names from multiple leaks is not difficult.
GateHub sent notices telling users to change their passwords when the breach was announced, but if you didn’t change your password then, you should do it now. More importantly, users should consider changing their mnemonic phrases.
For EpicBot, things are a little bit more complicated since the people running the bot service have yet to acknowledge any intrusion, which means that they haven’t notified their users. So, if you have an EpicBot account, you need to change your password now.