On July 4th, 2018, we received a support ticket from an anonymous user claiming to have obtained access to all databases belonging to a Swedish-based game development company known as “Star Vault AB (publ)”. The user, going by the chat handle “Instakilla” (a penetration tester and web developer), offered DeHashed a copy of the data to spread awareness of the breach. The user also appears to have complete access to all their content, including source code to all games produced by the company.

The company issued a data breach notification on June 17th. The note reads:

Data breach notification
On June 17th, 2018 we were notified that our databases might have been breached.

At that time, we cut access to the website from the outside and started an investigation.
We brought in an external person to look into what happened, and today we sadly must tell you that we have indeed been breached.
An unauthorized third party gained database access to one of our servers containing the shop and forum databases.
We immediately started working on fixing the vulnerabilities in the website to stop this from happening in the future.

We do not store any credit card information on our servers so that information is still completely safe.
The breach has been reported to the authorities, and collected logs have been sent to the police.

If you used a password on the forums or in the shop that you use on other sites, then change them immediately!
We also recommend that you change your account passwords.

If you have further questions, send us an email at [email protected]

This is not the first time the game company has been breached. In February of 2012 they were hit with a massive breach, and once again in April of 2015.

Here’s a full analysis of the breach:

The compromised data includes usernames, passwords, forum activity, full names, emails, birth dates, gender, full addresses, IP addresses, Facebook information and much more, belonging to a total of 609,485 compromised accounts.

Passwords are stored as MD5 hashes, a very insecure method for password storage.

Top 50 Email Providers – Star Vault

Email Provider Count
gmail.com 228587
hotmail.com 106302
yahoo.com 56333
mail.ru 26436
yandex.ru 10021
live.com 9223
web.de 7482
outlook.com 6399
aol.com 5728
hotmail.co.uk 5653
gmx.de 5569
hotmail.fr 4932
msn.com 3675
googlemail.com 3108
wp.pl 2905
seznam.cz 2862
o2.pl 2661
bk.ru 2605
hotmail.de 2560
qq.com 2343
ymail.com 2247
hotmail.it 2234
comcast.net 2190
yahoo.de 2165
naver.com 2155
rambler.ru 2039
gmx.net 1813
inbox.ru 1504
list.ru 1438
yahoo.co.uk 1438
live.co.uk 1407
live.se 1363
abv.bg 1228
yahoo.co.jp 1187
yahoo.com.br 1153
mail.com 1146
icloud.com 1134
live.fr 1093
live.ca 1040
rocketmail.com 1034
live.nl 1017
yahoo.com.tw 977
hotmail.es 971
interia.pl 965
ya.ru 956
Gmail.com 947
yahoo.fr 924
t-online.de 911
libero.it 882
live.de 868

Along with the emails, the dump includes the poorly hashed passwords, which attackers are able to crack quickly. Here’s an analysis of that:

Most Common Password Analysis – Star Vault

Password Count
123456 1287
1q2w3e4r 344
123456789 311
password 262
123123 243
111111 229
123qwe 217
qwerty 202
1qaz2wsx 188
12345678 175
q1w2e3r4 168
dragon 168
1q2w3e4r5t 162
killer 158
123321 151
mortalonline 137
1q2w3e 136
sharedaccount 135
qwe123 133
1234qwer 132
qwer1234 130
qwerty123 123
dolphin7 122
abc123 121
starwars 114
123qweasd 110
lol123 109
chop123 107
Pa$$word 105
password1 102
12qwaszx 101
666666 100
[email protected] 100
22source12 99
master 99
1234567890 97
159753 95
1234567 95
shadow 92
qazwsx 90
1qazxsw2 86
584511 86
abcd1234 85
12341234 85
pokemon 83
asdf1234 81
rpk1ng 80
q1w2e3 79
mortal 78
121212 76

In conclusion, Star Vault seems to have failed to protect its users for the 3rd time. They insisted on using weak hashing methods that now leave their users at greater risk than necessary. Had they used a better hashing method, users would have been somewhat safer, considering their personal data has been breached and is now being spread across the internet by hackers.
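One way an existing table of unsalted MD5 digests could be moved to a stronger scheme, shown as an added example that is not code from Star Vault or DeHashed: stored digests are wrapped in salted scrypt immediately, and each account is upgraded to scrypt over the real password at its next successful login. The function names, the `scheme$salt$digest` record format and the scrypt parameters are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
N, R, P, DKLEN, MAXMEM = 2**14, 8, 1, 32, 64 * 1024 * 1024

def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest: the weak storage scheme the post describes."""
    return hashlib.md5(password.encode()).hexdigest()

def _scrypt(material: bytes, salt: bytes) -> str:
    return hashlib.scrypt(material, salt=salt, n=N, r=R, p=P,
                          maxmem=MAXMEM, dklen=DKLEN).hex()

def _record(scheme: str, material: bytes) -> str:
    salt = os.urandom(16)  # per-user salt: equal passwords no longer share a digest
    return f"{scheme}${salt.hex()}${_scrypt(material, salt)}"

def hash_new(password: str) -> str:
    """Record for new or upgraded accounts: salted scrypt over the password."""
    return _record("scrypt", password.encode())

def wrap_legacy(md5_hex: str) -> str:
    """Harden a stored MD5 digest at rest without knowing the password."""
    return _record("md5-scrypt", md5_hex.encode())

def verify(password: str, stored: str):
    """Return (ok, replacement); replacement is a scrypt record to save, or None."""
    parts = stored.split("$")
    if len(parts) == 1:  # bare legacy MD5 hex digest
        ok = hmac.compare_digest(legacy_md5(password), stored.lower())
    elif len(parts) == 3 and parts[0] in ("scrypt", "md5-scrypt"):
        scheme, salt_hex, digest = parts
        material = password if scheme == "scrypt" else legacy_md5(password)
        ok = hmac.compare_digest(_scrypt(material.encode(), bytes.fromhex(salt_hex)), digest)
    else:
        return False, None  # unknown record format: fail closed
    upgrade = ok and parts[0] != "scrypt"
    return ok, (hash_new(password) if upgrade else None)
```

Wrapping covers dormant accounts that never log in again, so no bare MD5 digest has to remain in the table after the migration runs.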

We at DeHashed have obtained a copy of the database. We will be notifying users if they have been affected within the next few hours.