The E-Sports Entertainment Association said in a statement on Monday that after it refused to pay a $100,000 ransom, hackers released the data of many of its users, including names, email addresses, gaming IDs, hashed passwords, dates of birth and phone numbers.
"We do not give into extortion and ransom demands and we take the security of customers' data very seriously. In addition to investigating the incident and reporting it to the authorities, we have been working to isolate the vector attack and secure the vulnerability," the ESEA said in its statement.
The ESEA, a company that organizes primarily Counter-Strike: Global Offensive matches and tournaments, has not released an official tally of how many accounts were compromised, but it did acknowledge in its statement that LeakedSource.com has the full dataset. LeakedSource.com, a site that collects hacked information so individuals can verify whether they have been compromised, shows 1,503,707 accounts from ESEA.net in its database.
This comes after the ESEA notified its users on Dec. 30 that there was a possibility of accounts being compromised.
The ESEA is best known for its anti-cheat software. It also has a large online community of CS:GO players who can play on its private servers with internal match-making. That is a paid service, so the user base is smaller than what gamers would find on Steam. The ESEA also hosts the ESEA League, an esports tournament series featuring large prize pools.
The main point of concern is if hackers are able to access user accounts because hashed passwords were also leaked. The ESEA said it had encrypted all its user passwords with bcrypt, a cryptographic algorithm that greatly slows brute force methods of breaking into passwords. This means that instead of hackers being able to try hundreds, or even millions, of password combinations per second, they would be able to try just a few. That reduces the number of crack attempts, usually making it not worthwhile.
The ESEA has urged its users to change their passwords, including security questions and answers, and be cautious of unsolicited messages asking for personal information.
"We apologize that this theft has taken place ... we are doing everything in our power to investigate this attack and attempted extortion and are making changes to our systems to mitigate any potential further breaches," the ESEA said in the statement.