Notorious hacking group Lulz Security has put out a release stating that they have broken into the network of Bethesda Softworks, which is owned by ZeniMax Media. The torrent file contains a list of all of the servers that were compromised, as well as admin data, password hashes (no plain text, but some of the hashes are Joomla hashes, which can be easily decrypted), configuration files, and network mappings. The attack was caused by a local file infusion (LFI) vulnerability against the Brink website, after which they were able to SSH into the affected servers.
One thing that is not included is the user database containing 200,000+ Brink users. LulzSec’s release stated that those were held back because they like Bethesda and want the company to speed up the production of The Elder Scrolls V: Skyrim. Earlier, on their Twitter account, they hinted that they might not release the data because they liked Call of Cthulhu. They also stated that they’ve had Brink user data for weeks, and to “please fix (their) junk, thanks! ^_^” They also asked Bethesda to make a LulzSec top hat for Brink. Gaming Bus is unable to confirm if they’re serious or not.
In the same release, the company released a server process list for senate.gov, in the process taunting the US government, asking “is this an act of war, gentlemen? Problem?”. This is once again due to the Obama administration stating that cyber attacks against the United States would be viewed as acts of war in much the same way physical attacks would be.
The Bethesda hack is similar to an earlier hack against Nintendo, in which LulzSec held back because of a respect for the company in question. This is in contrast to their ongoing “Sownage” campaign, which they have promised is the “beginning of the end” to the Japan-based company.
For our coverage on Lulz Security, check out our LulzSec archives here
Analysis: I’m growing a bit weary of the reaction of the gaming press to information like this. Especially now, they have a Nancy Kerrigan-like wail whenever a company gets attacked. “WHYYYYYYY USSSSSS!?!?! WHY ANYBODY!!!!! JUST LET US PLAY OUR GAAAAAAAAAAAAMES!!!! WHYYYY WHYYYYY WHYYYYYYY!”
I’ll tell you why. These companies are getting attacked because they’re easy targets. Simple as that. It is not an optimal priority for companies like this to protect user data, so they don’t really do due diligence against external threats. Any due diligence they do perform is cursory. Due diligence like this costs money. Money for external companies to come in and do audits, money for better trained IT personnel, money for everything involved. That money, in the eyes of many companies who make video games, is better served being put into the games themselves.
Honestly, it’s hard to argue with that line of reasoning. Gamers have shown that they will not stop spending their money on products just because of the minor threat of their information being put online, as well as their (likely reused) passwords. Gamers are notoriously short-sighted about their personal information. Even the ones that traded in all of their PlayStation 3 systems and all of their games did nothing; Sony and their publishers already had their money, and for the pubs, who are likely looking at those same games being purchased for the 360, it’s a double dip of income. Even those people are the vast minority; gamers have continually proven time and time again that they don’t care, so long as they get their shiny toys.
Companies will fix this only when there is a financial stake to do so. For Sony, there is a financial stake. For Bethesda, this will get lost in the news shuffle a day or so later, brought back up only when the next unsuspecting company gets nailed. This won’t hurt them, Brink or Skyrim one iota, and therein lies the problem.
That’s why this keeps happening, gamers and games press. Because YOU enable it.