Cyber Incident Victim: Reality Squared Games

Date: Apr 2017

Location: China

Summary

R2Games experienced a second security compromise, exposing over one million user accounts. The breach involved forum and website data across multiple regions, including usernames, email addresses, IPs, weakly hashed or plaintext passwords (notably "admin" and "sync"), and optional personal details like instant messenger IDs and Facebook access tokens. Independent verification confirmed valid accounts, with over 540,000 unique emails added to breach databases. The company had previously denied an earlier incident impacting millions and did not respond to inquiries regarding the latest event. Security researchers criticized repeated failures to address vulnerabilities, noting outdated forum software with known exploits as potential attack vectors.

Description

In April 2017, Reality Squared Games (R2Games), a Shenzhen-based online gaming company operating 19 free-to-play titles across mobile and browser platforms, suffered its second major data breach in two years. A hacker provided records of the incident to LeakBase, a for-profit breach notification service, claiming the compromise occurred earlier that month. The breach impacted R2Games' regional forums for the U.S., France, Germany, and Russia, which ran on outdated vBulletin software versions containing known vulnerabilities. The attacker also compromised the Russian-language r2games.com domain. Exposed data included usernames, email addresses, IP addresses, weakly hashed or plaintext passwords (including large volumes using "admin" or "sync"), instant messenger IDs, birthdays, and Facebook access tokens. LeakBase shared the dataset with security researcher Troy Hunt, who validated its authenticity by confirming active accounts through R2Games' password reset function and identified 5,191,898 unique email addresses in the records.

Hunt's analysis revealed 3,379,071 email addresses used R2Games' internal domains (mail.ar.r2games.com or mail.r2games.com), while 789,361 appeared to be algorithmically generated @vk.com addresses. After excluding these, 1,023,466 valid external email addresses remained, with 541,392 being new entries to Hunt's Have I Been Pwned (HIBP) breach notification service. R2Games had previously experienced a larger breach between December 2015 and July 2016 affecting 22 million accounts, which exposed similar data types including weakly protected passwords. The company publicly denied the earlier breach, asserting its systems were "safe and secured," and did not respond to inquiries about the 2017 incident. LeakBase opted not to publish the dataset publicly but planned direct notifications to affected users, while HIBP incorporated the validated records into its searchable database. The incident left compromised accounts vulnerable to credential-stuffing attacks and phishing attempts leveraging the exposed personal information.
