50,000 user account details, including usernames, passwords, security questions, answers, subscription status, and expiration dates, were found in plaintext format in a publicly available database discovered by Cybernews. Ankama Games’ Play Glory and Play Astra were identified as the database owners by researchers.
The database also exposed proxy addresses, credentials, and IP addresses for testing and live servers. The leak was initially discovered on October 21, 2022, and the database was hosted by Hetzner in Germany. The developers secured access to the database after Cybernews contacted them.
The exposed plaintext credentials in the database put users at risk of account hijacking, according to experts. Attackers could use tools like Sherlock to match usernames found in the database and launch credential-stuffing attacks using the leaked passwords.
Leaked security-question answers that users have reused elsewhere could enable attackers to reset the passwords of targeted accounts, locking out the rightful users. Additionally, attackers could exploit the leaked proxy addresses and credentials to route attacks through a compromised proxy, making the source of an attack harder to trace.
Storing passwords in plaintext is a security risk that can lead to hacking and data breaches, warn Cybernews researchers. Passwords should be hashed and salted to reduce the likelihood of being cracked. Major companies are not immune to such mistakes, with Thomson Reuters previously leaking third-party server passwords in plaintext format through a publicly accessible database.
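As an added illustration (not code from Cybernews or from the affected developers), the sketch below stores a password as a salted, slow hash instead of plaintext, and goes one step beyond the recommendation by treating the security-question answer the same way, since answers were exposed here too. The function names, record layout, and PBKDF2-HMAC-SHA256 parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, 600,000 iterations.
ITERATIONS = 600_000
SALT_BYTES = 16

def hash_secret(secret: str, iterations: int = ITERATIONS) -> str:
    """Return 'scheme$iterations$salt$digest' using a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique per secret, never reused
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", secret.encode(), bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        # Malformed row, e.g. a legacy plaintext value: reject, never compare raw.
        return False
    return hmac.compare_digest(candidate, expected)

def normalize_answer(answer: str) -> str:
    """Fold case and whitespace so 'Mr. Whiskers ' matches 'mr. whiskers'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def make_record(username: str, password: str, security_answer: str) -> dict:
    """Build the row to persist; no plaintext secret is kept in it."""
    return {
        "username": username,
        "password": hash_secret(password),
        "security_answer": hash_secret(normalize_answer(security_answer)),
    }

if __name__ == "__main__":
    # Constructed sample account, not data from the leak.
    row = make_record("player1", "correct horse battery staple", " Mr. Whiskers ")
    print(row["password"])
    print(verify_secret("correct horse battery staple", row["password"]))
```

A database exposed in the way described above would then reveal only salts and digests, and each one has to be attacked separately.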
Weak passwords are still common and easy for cybercriminals to breach, so strong and unique passwords are essential. Cybernews recommends using a password generator and checking personal data or passwords for potential compromise.