Account information belonging to 569,703 players of the Mortal Online massively multiplayer online role-playing game (MMORPG) has been sold online several times since it was leaked as a result of a data breach.
On June 17, an unauthorized third party accessed a server holding shop and forum databases, and pilfered the data.
The developers made the announcement four days after they learned about the breach, following an investigation that found evidence of an intrusion.
"We do not store any credit card information on our servers so that information is still completely safe," the developers said.
What the intruder(s) managed to get, though, were more than half a million usernames, and passwords that appear to have been saved as MD5 hashes.
MD5 is a hash function that today is used mostly as a checksum to detect accidental corruption. Collisions have been known to be practical since 2004 and can now be produced in seconds on an ordinary computer, which alone disqualifies it for signatures and certificates. For password storage the more immediate problem is speed: MD5 is extremely fast, and plain MD5 hashes (stored without a per-user salt) can be attacked all at once, so an attacker holding a copy of the database can test billions of guesses per second on commodity GPUs and recover most real-world passwords from a wordlist.
In 2012, Poul-Henning Kamp, the author of md5crypt, the MD5-based password hashing scheme long used on Unix and Linux systems, declared that scheme no longer safe to use, precisely because brute-force guessing on commodity hardware had become too fast for it.
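To make concrete why MD5-hashed passwords fall so quickly, the following is an added example in Python; it is not code from the original article or from the game's developers. It runs a dictionary attack against a small constructed table of unsalted MD5 hashes (the usernames, passwords and wordlist are made up for the example), then runs the same attack against the same passwords stored with a per-account random salt and an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library; the `algorithm$iterations$salt$hash` record format is a hypothetical one chosen for the example). It counts how many hash computations each attack needs.

```python
import hashlib
import secrets

# Constructed sample data for this example; none of it comes from the real dump.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "mortal2015"]
PLAINTEXTS = {                      # what the (hypothetical) users actually chose
    "alice": "password",
    "bob": "dragon",
    "carol": "password",            # same password as alice
    "dave": "Tr0ub4dor&3",          # not in the wordlist, survives both attacks
}

def md5_hex(password: str) -> str:
    """Plain, unsalted MD5 as found in many old forum and shop databases."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# The leaked table: username -> unsalted MD5 hex digest.
LEAKED_UNSALTED = {user: md5_hex(pw) for user, pw in PLAINTEXTS.items()}

def shared_hashes(leaked):
    """Unsalted hashing leaks which accounts share a password before any
    cracking happens: identical passwords give identical digests."""
    groups = {}
    for user, digest in leaked.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}

def crack_unsalted_md5(leaked, wordlist):
    """Dictionary attack on unsalted MD5. Each candidate is hashed exactly once
    and looked up against every account at the same time, so the work is
    len(wordlist) fast hashes no matter how many accounts were leaked.
    Returns (cracked {user: password}, number of hash computations)."""
    lookup = {md5_hex(w): w for w in wordlist}
    cracked = {user: lookup[d] for user, d in leaked.items() if d in lookup}
    return cracked, len(wordlist)

# --- The same passwords stored the way they should have been -----------------
# Demo iteration count kept low so the example runs in well under a second;
# production deployments use counts in the hundreds of thousands.
DEMO_ITERATIONS = 50_000

def pbkdf2_store(password: str, iterations: int = DEMO_ITERATIONS) -> str:
    """Random 16-byte salt per account plus an iterated, deliberately slow KDF.
    Record format (hypothetical): algorithm$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(dk.hex(), dk_hex)

LEAKED_SALTED = {user: pbkdf2_store(pw) for user, pw in PLAINTEXTS.items()}

def crack_salted(leaked, wordlist):
    """Same dictionary attack against salted, iterated hashes. The salt forces a
    separate derivation per account per candidate, and each derivation costs
    tens of thousands of hash operations instead of one, so the work grows to
    up to len(leaked) * len(wordlist) slow derivations.
    Returns (cracked {user: password}, number of KDF computations)."""
    cracked, ops = {}, 0
    for user, stored in leaked.items():
        for w in wordlist:
            ops += 1
            if pbkdf2_verify(w, stored):
                cracked[user] = w
                break
    return cracked, ops

if __name__ == "__main__":
    print("accounts sharing a hash:", shared_hashes(LEAKED_UNSALTED))
    print("unsalted MD5:", crack_unsalted_md5(LEAKED_UNSALTED, WORDLIST))
    print("salted PBKDF2:", crack_salted(LEAKED_SALTED, WORDLIST))
```

Note that the weak passwords are recovered in both cases: salting and a slow KDF do not rescue "password" or "dragon". What changes is that the duplicate-password leak disappears, the attacker can no longer amortize one wordlist pass over every account, and each guess costs tens of thousands of hash operations instead of one, which is the difference between cracking a half-million-row dump in hours and not finishing it at all for anyone who chose a decent password.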
The Mortal Online database was recently added to Troy Hunt's Have I Been Pwned collection, provided by Adam Davies, data analyst and security researcher. Users can check on Hunt's website whether their email addresses have appeared in this or other breaches.
In a conversation with BleepingComputer, Davies said that the Mortal Online data first appeared for sale on an Internet forum where users trade databases.
The information passed through several hands and was even tried on other game accounts, belonging to League Of Legends players, in what is known as a credential stuffing attack, Davies said.
According to Troy Hunt, the database he received contained email addresses and already-cracked passwords. It is unclear when the hashes were turned back into plaintext, but given how quickly unsalted MD5 hashes can be cracked, it is safe to assume this happened soon after the server breach.
The typical recommendation from security experts is to use unique, strong passwords, specifically because some service providers may not abide by the safest standards for storing user information.
The advice is also useful in case new weaknesses are discovered, as it happened with MD5, and current practices become insecure.
With a unique password for each online service, credentials stolen from one breach cannot be replayed against your other accounts, so a credential stuffing attack fails and your exposure is limited to the one breached account.