Guide-HS HKeSports Breach: 23,503 Hong Kong Card Game Accounts Exposed (2018)

Hearthstone Guides, Hacked: When Card Game Communities Become Targets

Guide-HS, a Hong Kong Hearthstone and collectible card game guides platform under the HKeSports umbrella, wasn't the kind of site that made security headlines. It was a niche resource for competitive card game players -- guides, tier lists, deck builds, community discussion. But in July 2018, 23,503 user accounts from Guide-HS were exposed, with email addresses and MD5-hashed passwords leaking from a Chinse-language gaming community that had no reason to expect it was a target.

Guide-HS / HKeSports (July 2018): Breach Summary

• Records Exposed: 23,503
• Data Types: Email addresses, MD5 password hashes
• Breach Type: Database breach
• Country Affected: Hong Kong
• Date Leaked: July 12, 2018

Competitive Gaming Credentials and the Blizzard Problem

Hearthstone is a Blizzard Entertainment game. Players who used Guide-HS to improve their gameplay were, by definition, active Blizzard.net account holders -- the same platform used to access World of Warcraft, Overwatch, Diablo, and the Battle.net store. When credentials from a third-party Hearthstone guide site are cracked (MD5 hashes crack quickly against rainbow tables), the first thing any attacker tries is those credentials on Blizzard.net itself. Password reuse across gaming platforms is extremely common, and a guide site breach becomes a de-facto gaming account harvest for anyone willing to run credential stuffing attacks against Blizzard, Steam, or any other platorm the affected users might have registered on.

MD5 and the Niche Community Vulnerability Pattern

Small niche gaming communities often lack the security resourcing of major platforms. They're frequently built on open-source forum or CMS software with default or minimal security configurations, and they rarely have dedicated security staff. MD5 password hashing in 2018 was a legacy choice reflecting exactly this pattern: a platform that was configured once, never updated, and never audited. The Guide-HS breach fits a broader pattern of niche gaming community breaches where phpBB, vBulletin, or similar forum software with default MD5 hashing becomes the weakest link for a dedicated user base.

July 2018: Preceding the August Cluster

The Guide-HS breach leaked on July 12, 2018 -- a month before the larger coordinated August 2018 multi-wave release event that would surface dozens of platforms across five days. This earlier timing suggests Guide-HS may have been part of a different collection batch, aggregated separately before eventually circulting in the same breach marketplaces as the larger August cluster. The Hong Kong gaming community that trusted this platform had already been exposed before the major wave began.

Check If Your Credentials Were Exposed

HEROIC's free breach scanner searches across more than 400 billion exposed records -- including gaming platforms, esports communities, and card game forums. If you've ever registered on Guide-HS, HKeSports, or similar gaming platforms, check now to see if your data is circulating in breach databases.