Data traders are allegedly swapping the details of over one million user accounts belonging to Supercell, the company behind hit mobile games such as Clash of Clans. The user accounts relate to Supercell’s community forum.
“Our preliminary investigation suggests that the breach happened in September 2016 and it has since been fixed,” Supercell told Motherboard in a statement. The company also posted the statement on the affected forums, and warned users to change their passwords.
The data, of which Motherboard obtained a small sample of 100 accounts, includes usernames, email addresses, IP addresses, and hashed passwords. Supercell uses the vBulletin forum software, which sometimes hashes passwords in a way that can be relatively easy for hackers to crack.
Paid breach notification site LeakBase provided Motherboard with the data sample. In all, LeakBase claimed the dataset contained some 1.1 million accounts.
Motherboard verified the data by attempting to create accounts on the Supercell forum with email addresses included in the sample. For all of the email addresses Motherboard tested, this was not possible because the address was already in use.
Motherboard also spoke to eight users whose accounts appear in the data, who confirmed they had signed up to Supercell, and also confirmed some of their other information, such as their username.
“We take any such breaches very seriously and we follow very strict policies when it comes to security. Please note that this breach only affects our Forum service. Game accounts have not been affected,” Supercell’s statement continued.
This seemingly isn’t the first time Supercell has been hacked. In 2014, a hacker claimed to have gained access to the company’s Facebook page and administrator panel.
The lesson: Plenty of other sites that run on vBulletin have been hacked in the past. But even if a site you’re using seems to be running on more secure software, it’s always a good idea to sign up to each different service with a unique password. That way, when one site is compromised, hackers won’t just be able to go and use your stolen password on another service as well.