Gamepal

We're seeing a resurgence of older breaches surfacing in aggregated credential dumps and stealer logs, often years after the initial incident. This pattern highlights the long tail of risk associated with legacy systems and the enduring value of seemingly "old" data to threat actors. Our team flagged this particular Gamepal breach as notable not just for the volume of exposed credentials, but because of the plaintext passwords, a practice that should have been long obsolete even in 2017. The fact that these credentials are still circulating suggests they may still be effective against users who haven't updated their passwords across different platforms.

The Gamepal Breach: 112K Accounts Compromised with Plaintext Passwords

Gamepal, a now-defunct U.S.-based marketplace for MMORPG in-game assets, suffered a data breach in October 2017, exposing the account details of 112,158 users. The breach was added to the HaveIBeenPwned database on October 19, 2017. What caught our attention was the storage of passwords in plaintext, a highly insecure practice that allowed immediate and direct access to user accounts upon exfiltration. This incident underscores the critical importance of proper password hashing and salting, even for smaller online platforms.

The breach matters to enterprises now because these credentials may still be valid on other platforms where users have reused their passwords. The age of the breach does not diminish the risk; in fact, it may increase it as users become complacent and forget about old accounts. This incident highlights the ongoing threat of credential stuffing attacks, where exposed usernames and passwords are used to attempt unauthorized access to other online services.

Key point: Total records exposed: 112,158

Key point: Types of data included: Email addresses, plaintext passwords

Key point: Source structure: Database

Key point: Leak location(s): HaveIBeenPwned database, various dark web forums and credential stuffing lists.

Key point: Date of first appearance: October 19, 2017 (HaveIBeenPwned)

HaveIBeenPwned lists the Gamepal breach with a detailed summary of the exposed data. The storage of passwords in plaintext is a recurring theme in older breaches, as highlighted in numerous security blogs and reports. For example, Troy Hunt, the creator of HaveIBeenPwned, has frequently discussed the dangers of plaintext passwords and the prevalence of credential reuse across different online services.

While specific forum threads discussing the Gamepal breach are difficult to verify years later, the presence of these credentials in known credential stuffing lists and databases indicates they are actively being used in attempts to compromise accounts on other platforms. This reinforces the need for enterprises to monitor for compromised credentials and implement robust password policies.

Email · Address · Plaintext · Password