Cyber Incident Victim: Humble Bundle
Date: Dec 2018
Location: United States of America
Summary
A gaming subscription platform experienced a data breach in which attackers exploited a system vulnerability combined with credential stuffing, exposing users' subscription statuses, plan expiration dates, and referral bonus information. While payment details and passwords remained secure, researchers warned that the stolen data could facilitate targeted phishing campaigns, such as deceptive messages about subscription expirations or payment issues crafted to appear legitimate. The incident highlighted concerns that the breach might serve as a precursor to more financially motivated attacks leveraging the acquired customer insights.
Description
On or around December 4, 2018, Humble Bundle, a gaming subscription service, notified customers of a data breach involving unauthorized access to user account information. The breach exposed subscription-related details, including whether a user's subscription was active, inactive, or paused; the expiration date of their subscription plan; and whether they had received any referral bonuses. The company confirmed that payment card data, billing addresses, and account passwords remained uncompromised. Attackers exploited a vulnerability in Humble Bundle’s systems, combining it with a credential stuffing attack. This technique involved testing lists of email addresses against Humble Bundle’s login mechanisms to identify valid accounts. The company did not disclose the number of affected users or the exact timeframe of unauthorized access but characterized the incident as a targeted effort to harvest specific account metadata.
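As an added illustration (not part of the original record and not Humble Bundle's code), the account-testing pattern described above is what a defender would look for in authentication logs: one source trying many distinct e-mail addresses with almost no successful logins. The log format, sample lines and thresholds below are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample login-attempt log lines (not from the page or from Humble Bundle).
# Assumed format: "<ts> src=<ip> user=<email> result=<ok|bad_password|no_such_user>"
SAMPLE_LOG = """\
2018-12-01T10:00:01Z src=203.0.113.7 user=a@example.net result=no_such_user
2018-12-01T10:00:02Z src=203.0.113.7 user=b@example.net result=no_such_user
2018-12-01T10:00:03Z src=203.0.113.7 user=c@example.net result=bad_password
2018-12-01T10:00:04Z src=203.0.113.7 user=d@example.net result=no_such_user
2018-12-01T10:00:05Z src=203.0.113.7 user=e@example.net result=bad_password
2018-12-01T10:00:06Z src=203.0.113.7 user=f@example.net result=no_such_user
2018-12-01T10:00:07Z src=198.51.100.4 user=g@example.net result=bad_password
2018-12-01T10:00:30Z src=198.51.100.4 user=g@example.net result=ok
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def parse(log_text):
    """Yield (src, user, result) tuples from the assumed log format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()

def flag_enumeration_sources(log_text, min_distinct_users=5, max_success_ratio=0.2):
    """Return sources whose login attempts spread over many distinct accounts.

    A person retrying their own password produces few distinct users per source;
    a harvested address list being tested against the login endpoint produces
    many distinct users with almost no successes. Thresholds are assumptions.
    """
    users = defaultdict(set)
    attempts = defaultdict(int)
    successes = defaultdict(int)
    for src, user, result in parse(log_text):
        attempts[src] += 1
        users[src].add(user)
        if result == "ok":
            successes[src] += 1
    flagged = {}
    for src in attempts:
        ratio = successes[src] / attempts[src]
        if len(users[src]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[src] = {"distinct_users": len(users[src]),
                            "attempts": attempts[src], "success_ratio": ratio}
    return flagged
```

The same counters also show why a login endpoint should return one uniform failure message: distinguishing "no such user" from "bad password" is what turns a password-spraying source into an account-enumeration oracle.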

The breach’s primary impact centered on the exposure of non-financial account status information, which security analysts assessed as having limited immediate monetary value. Malwarebytes researcher Christopher Boyd theorized that the attackers likely intended to use the stolen data as groundwork for follow-up operations, particularly spear-phishing campaigns. By leveraging knowledge of subscription statuses and expiration dates, attackers could craft convincing emails impersonating Humble Bundle to solicit payment details or credentials under false pretenses—such as warnings about subscription lapses, payment processing issues, or reactivation requirements. The incident highlighted a tactical shift toward harvesting operational metadata to enable more sophisticated social engineering attacks rather than targeting financial data directly. Humble Bundle’s response included direct customer notifications detailing the scope of exposed data and assurances that critical financial information remained secure.
