Cyber Incident Victim: BlankMediaGames
Date:
Dec 2018
Location:
United States of America
Summary
A hacker compromised the servers of BlankMediaGames, exposing personal data of 7.6 million users of the "Town of Salem" browser game, including usernames, email addresses, hashed passwords, IP addresses, game activity, and premium feature purchase details—though no financial information was accessed due to third-party payment handling. The breach was identified after the stolen data was sent to DeHashed, which alerted the company during the holiday period; BMG subsequently secured its systems, removed backdoors, and advised password resets via a forum post while delaying broader user notifications. DeHashed shared the dataset with Have I Been Pwned to facilitate breach alerts for affected individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
In late December 2018, a hacker compromised servers belonging to BlankMediaGames (BMG), developer of the browser-based game "Town of Salem," exfiltrating personal data of 7.6 million users. The breach was discovered when an anonymous individual submitted the stolen dataset to DeHashed, a commercial breach indexing service, during the Christmas holiday period. DeHashed attempted to notify BMG throughout the holidays and into early January 2019 but initially encountered difficulties establishing contact. The stolen records included usernames, email addresses, passwords stored in multiple hashed formats (phpass, MD5(WordPress), and MD5(phpBB3)), IP addresses, game and forum activity logs, and records of premium feature purchases. Notably, financial data was absent as BMG relied exclusively on third-party payment processors and did not store credit card details or transaction information. BMG confirmed the breach in a January 1, 2019 blog post, disclosing that attackers had implanted multiple backdoors in their systems. Server remediation occurred in early January, with BMG removing the unauthorized access points and securing the compromised infrastructure.
BMG’s initial response included a brief forum notification advising users to change their passwords but did not issue in-game alerts or direct emails to all affected individuals at the time of reporting. DeHashed shared the stolen dataset with Have I Been Pwned (HIBP), enabling broader user notifications through HIBP’s subscription service. The company’s public statement emphasized its lack of access to financial data but provided no immediate details on breach causation or forensic findings. Impacted users faced exposure of login credentials, online activity histories, and association between their gaming accounts and email addresses. BMG remained unavailable for further comment during initial media inquiries, leaving uncertainty regarding the attack’s duration, intrusion methods, and full remediation status. The incident disrupted BMG’s operations during the holiday period, with breach containment and investigation activities extending into January 2019.