The official forum for the popular mobile strategy game Clash of Kings has reportedly been breached, and the hacker has stolen about 1.6 million user accounts. According to data on the breach notification site LeakedSource, the breach, which was allegedly carried out on 14 July, exposed usernames, email addresses, IP addresses, Facebook data and access tokens.
"Exposing vulnerable applications to the internet is like walking through the hall with a kick-me sign stuck on your back," Tripwire senior security researcher Travis Smith was quoted as saying by VentureBeat.
"Attackers can quickly search the Internet for any system with a known vulnerability, then use readily available tools to exploit and take over the system."
The forum was offline and "under maintenance" at the time of publication.
An anonymous hacker told ZDNet that the attack was carried out by exploiting a known weakness in the forum's software: an older 2013 version of vBulletin that contains multiple security flaws, which can easily be abused to gain access to forum data and exfiltrate it using tools that are readily available online.
The vulnerable installation was found using a technique called "Google dorking", which involves crafting search-engine queries to surface information that would not usually appear in an ordinary search.
"With the steady release of patches across a multitude of operating systems and applications, it's incredibly difficult to stay ahead of the patching game," Smith said. "Actively scanning for known vulnerabilities against Internet accessible systems is an efficient way to be aware of what your vulnerable attack surface looks like. With this information the business can focus on installing patches and updates to address what is most important for the business."
The latest breach follows a series of cyberattacks against various developers in the gaming industry.
Hacker group OurMine, the team that recently targeted the social media accounts of a long list of tech leaders and celebrities, recently claimed to have broken into accounts for the popular world-building video game Minecraft, just days after it allegedly launched a series of DDoS attacks to bring down the servers of the wildly popular mobile game Pokemon Go. Last week, the group also claimed responsibility for taking over the Twitter account of Sony's Shuhei Yoshida.
In June, notorious hacking collective Lizard Squad claimed to have launched their own DDoS attacks to take down Blizzard's servers and prevent players from logging into its games.