Cyber Threat Actor: Have I Been Pwned
| Actor Type | Location | Known Incidents |
Hacker
|
Australia
|
1 incident |
|---|
Profile
HaveI Been Pwned is an alias associated with a threat actor known to operate from Australia. The actor’s only publicly documented activity involves the compromise of BlankMediaGames servers in December 2018, which led to the exposure of personal data belonging to roughly 7.6 million users of the Town of Salem browser game. The stolen information included usernames, email addresses, hashed passwords, IP addresses, game activity logs and details of premium feature purchases, although no financial data was accessed because payment processing was handled by a third party. The breach came to light after the exfiltrated dataset was forwarded to DeHashed, which notified the company; BlankMediaGames subsequently secured its systems, removed backdoors and advised affected users to reset passwords via a forum post while delaying broader user notifications. DeHashed later shared the compromised data with Have I Been Pwned to enable breach notifications for the impacted individuals.
The incident indicates a focus on the online gaming sector, specifically targeting a browser‑based game provider with a global user base. The actor’s actions were directed at gathering personal identifiers and credential material rather than financial assets, as no payment information was obtained during the intrusion. This suggests an objective of amassing data that could be reused for credential‑stuffing or account takeover rather than direct monetary gain, espionage or disruption. No public reporting links the actor to state sponsorship, organized criminal groups or any identifiable affiliations.
The only described technique involves unauthorized server compromise followed by data exfiltration; the specific initial access vector, malware families or tooling employed are not disclosed in the available sources. The BlankMediaGames breach serves as the representative operation attributed to the Have I Been Pwned alias, illustrating a pattern in which large‑scale user datasets are acquired and subsequently routed through third‑party breach notification services before wider disclosure.
