On 12/28/2018 we’ve received an email regarding the popular online RP game “Town Of Salem”s breach. The sender, who wishes to be anonymous at this time, provided DeHashed with evidence of server access and provided the complete database for disclosure. We’ve reached out to BlankMediaGames regarding a statement and to provide assistance with securing their servers.

Town of Salem is a browser-based game that challenges players on their ability to convincingly lie as well as detect when other players are lying. The game ranges from 7 to 15 players. These players are randomly divided into alignments – Town, Mafia, and Neutrals. If you are a Town member (the good guys) you must track down the Mafia and other villains before they kill you. The catch? You don’t know who is a Town member and who is a villain. If you are an evil role, such as a Serial Killer, you secretly murder town members in the veil of night and try to avoid getting caught. – Wikia

Here’s an analysis of what we found. This is the first time the company has ever seen any kind of breach, ironically it was caused by a entree-level vulnerability known as “LFI” / “RFI”.

The data affected, includes but is not limited to:

Usernames, Emails, Passwords (phpass, MD5(WordPress), MD5(phpBB3)), IP Addresses, Game & Forum Activity, & Payment Information. With some of the users who paid for certain premium features having their billing information/data breached as well.

The total row count is: 8,388,894, with 7,633,234 unique email addresses.

Top 50 Email Providers – BlankMediaGames

email count
gmail.com 4530276
hotmail.com 928706
yahoo.com 662824
outlook.com 158033
icloud.com 93557
aol.com 77929
live.com 75164
hotmail.co.uk 63992
comcast.net 26435
web.de 24999
ymail.com 23881
mail.ru 23851
google.ca 20984
seznam.cz 17693
wp.pl 16875
gmx.de 16500
msn.com 15472
googlemail.com 14818
live.co.uk 14800
me.com 14614
yahoo.co.uk 14601
abv.bg 14538
hotmail.fr 14040
rocketmail.com 13263
mail.com 13036
hotmail.ca 11457
live.nl 11094
yahoo.ca 10702
live.ca 9986
o2.pl 9260
hotmail.de 8992
windowslive.com 8910
att.net 8899
live.se 8551
sbcglobal.net 8436
yopmail.com 7938
hotmail.it 7243
verizon.net 7121
yahoo.de 6994
aim.com 6855
trbvm.com 6831
yandex.ru 6785
hotmail.se 6595
mvrht.net 6200
live.dk 5959
cox.net 5741
btinternet.com 5480
live.com.au 5454
hotmail.es 5322
yandex.com 5259

In conclusion, this is the first for BlankMediaGames, with 8M Players being directly affected in the breach. We’ve reached out to them via email, and phone to assist in removing malware from their servers which is still infected, and to notify them regarding the breach. Hopefully they release a statement soon.

We have since provided the data to Troy Hunt of HaveIBeenPwned. We’ve also teamed up with multiple other security researchers in attempts to minimize the damage done by this breach. A special thanks goes out to all those who have provided assistance, the original person who sent us a copy of the data, &  Troy Hunt.

Update: We have made numerous attempts to contact BlankMediaGames, both over phone and over email. They have yet to release a statement, we can no longer wait on publishing this as it has been well over 5 days.

Friday, 12/28/2018 – 11:33 AM PST – Emailed BlankMediaGames
Friday, 12/28/2018 – 12:33 PM PST – Called BlankMediaGames
Saturday, 12/29/2018 – 15:01 PM PST – Emailed BlankMediaGames
Saturday, 12/29/2018 – 15:12 PM PST – Called BlankMediaGames (No Answer)
Sunday, 12/30/2018 – 09:12 AM PST – Emailed BlankMediaGames

They have received our emails per our original voice conversation, but are yet to respond or even acknowledge either the breach or the emails.

Update: We’ve handed over everything to BlankMediaGames, they have found and removed multiple backdoors on their server. They’ve made an official announcement here. Please keep in mind the timing of this incident DID NOT help them at all.

Update: BlankMediaGames asked us to put this part in. Payment information includes Email, Full Names, Billing & Shipping addresses, IP Information, Payment Amount, and other details. No Credit Card Numbers.