
Cyber Incident Victim: Fashion Fantasy Game

Date: Jan 2016

Location: United States of America

Summary

A fashion gaming platform suffered a data breach that exposed millions of user accounts, with email addresses and weakly hashed passwords compromised through unresolved SQL injection vulnerabilities. Security researchers confirmed the legitimacy of the stolen data and noted that passwords were stored as unsalted MD5 hashes, which leaves the credentials easily crackable. Despite public evidence and a prior, similar incident involving insecure password storage, the vendor neither acknowledged the breach nor fixed the persistent security flaws. The exposed records became widely available in underground markets, highlighting systemic negligence both in protecting user data and in responding to compromises.


Description

In 2016, a data breach compromised over 2.4 million user accounts from Fashion Fantasy Game, an online fashion design and social networking platform. The stolen data included email addresses and passwords hashed with MD5 without a salt, making them vulnerable to rapid cracking. Security researcher Troy Hunt verified the legitimacy of the leaked data samples, which became publicly available for download or sale. Vigilante.pw, a breach tracking service, recorded the incident, while Breach Alarm attributed the leak to a member of the hacking group AnonSquad. Analysis revealed that the breach stemmed from unaddressed website vulnerabilities, including SQL injection flaws: Hunt showed that appending an apostrophe to a query string triggered database errors that exposed internal SQL statements, confirming that user input was being spliced directly into queries. This incident followed a prior security failure three years earlier, when Reddit users identified a public file dump containing Fashion Fantasy Game user data (usernames, first names, email addresses, and weakly protected passwords) released as SQL database inserts.
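The two weaknesses the description names, unsalted MD5 password storage and SQL built by string concatenation, are shown below side by side with their hardened forms. This is an added illustration written for this entry, not code from Fashion Fantasy Game or from any of the researchers cited; the account list, the mini wordlist, the `iterations$salt$hash` record layout and the in-memory SQLite table are all constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; not data from the breach.
SAMPLE_USERS = {
    "alice@example.com": "fashion123",
    "bob@example.com": "fashion123",
    "carol@example.com": "Tr0ub4dor&3-long-passphrase",
}

# Constructed mini wordlist standing in for the precomputed tables
# that make unsalted, fast hashes "easily crackable".
COMMON_PASSWORDS = ["password", "123456", "fashion123", "qwerty"]


def md5_unsalted(password: str) -> str:
    """The scheme the breach exposed: a single fast MD5 with no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def count_identical_unsalted(users: dict) -> int:
    """Identical passwords give identical digests, so cracking one hash
    unlocks every account that shares that password."""
    digests = [md5_unsalted(p) for p in users.values()]
    return len(digests) - len(set(digests))


def audit_unsalted_against_wordlist(stored: dict, wordlist: list) -> dict:
    """Defender-side audit of an unsalted hash table: one MD5 per wordlist
    entry is enough to check every stored account at once."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {email: table[h] for email, h in stored.items() if h in table}


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Hardened form: per-user random salt plus an iterated KDF.
    The 'iterations$salt_hex$hash_hex' layout is this example's own."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_sample_db() -> sqlite3.Connection:
    """In-memory users table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(e, md5_unsalted(p)) for e, p in SAMPLE_USERS.items()],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern: request data spliced into the SQL text, which is
    why a stray apostrophe surfaces a database error to the client."""
    return conn.execute(f"SELECT email FROM users WHERE email = '{email}'").fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Hardened pattern: the driver binds the value; it is never parsed as SQL."""
    return conn.execute("SELECT email FROM users WHERE email = ?", (email,)).fetchall()


def behaves_on_apostrophe(lookup, conn: sqlite3.Connection) -> str:
    """Regression check worth keeping in a test suite: an apostrophe in a
    legitimate value (a name like O'Hara) must not change how the query parses."""
    try:
        lookup(conn, "o'hara@example.com")
        return "handled"
    except sqlite3.OperationalError:
        return "sql_error"


if __name__ == "__main__":
    stored = {e: md5_unsalted(p) for e, p in SAMPLE_USERS.items()}
    print("duplicate unsalted digests:", count_identical_unsalted(SAMPLE_USERS))
    print("recovered by wordlist:", audit_unsalted_against_wordlist(stored, COMMON_PASSWORDS))
    rec = pbkdf2_store("fashion123")
    print("pbkdf2 verify:", pbkdf2_verify("fashion123", rec), pbkdf2_verify("wrong", rec))
    conn = build_sample_db()
    print("concatenated:", behaves_on_apostrophe(lookup_concatenated, conn))
    print("parameterized:", behaves_on_apostrophe(lookup_parameterized, conn))
```

Two things to notice when running it: the two accounts sharing a password collapse to one MD5 digest and both fall to a four-word list in a single pass, whereas two PBKDF2 records for the same password differ because of the random salt and each costs 200,000 iterations to test; and only the concatenated lookup raises a database error on an apostrophe, which is the symptom the description attributes to the site's unpatched queries.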


Despite verification of both breaches by independent researchers, Fashion Fantasy Game did not acknowledge either incident through official channels or social media, and it failed to respond to multiple contact attempts by ZDNet and security researchers. Analysis indicated that the SQL injection vulnerabilities behind the 2016 breach remained unpatched more than a year after the data theft. The exposed credentials posed an ongoing risk to users because of password reuse across services and the weak, unsalted MD5 hashing. The incident highlighted broader concerns about vendor accountability, as Fashion Fantasy Game neither notified affected users nor implemented basic security measures such as a modern password hashing scheme or vulnerability remediation. With the compromised data permanently circulating in underground markets, the breach's impact persisted without any containment effort or organizational response.
