Koei Tecmo have announced Koei Tecmo Europe’s forums have been hacked, with personal information reportedly leaking online.

The news comes from Koei Tecmo’s Japanese website, in a statement released on December 25th, revealing there was a data breach at Koei Tecmo Europe Limited. The incident was reported on December 22nd, where some user information collected on the website had “possibly” leaked online after a hack.

The information had come from Koei Tecmo’s forums, with 65,000 users having their account names, encrypted passwords, and registered emails at risk. Koei Tecmo state the forum contained no credit card information, and the point of the data breach only extended to the forums.

The matter was still under investigation as of December 25th, and Koei Tecmo Europe’s website remaining closed as of this time of writing. They also state they will “further strengthen its security system while simultaneously taking strict actions against illegal acts such as
unauthorized access.”

The chance of it being a ransomware attack is described by Koei Tecmo as “low,” but this story will nonetheless evoke comparisons to Capcom’s hack and subsequent leaks [1, 2] in late 2020. BleepingComputer report a “threat actor” claimed responsibility for the hack on December 20th- prior to any public statement by Koei Tecmo.

They claimed that on December 18th, they used a “spear-phishing campaign” sent to a Koei Tecmo employee. This allowed them to plant a web shell on the website for continued access.

The hacker then offered to sell the forum database for 0.05 bitcoins (approx. $1,300 USD), and the web shell with FTP credentials and “multiple twitter secrets for their twitter accounts that they have” for 0.25 bitcoins (approx. $6,500 USD). The hacker also reportedly leaked the information for free on the same forum.

BleepingComputer report the data included email addresses, IP addresses, hashed passwords and salts, usernames, dates of birth, and country.

On December 28th, Bleeping Computer reported the hacker had contacted them, and claimed they leaked the data as Koei Tecmo had failed to follow GDPR guidelines, and did not inform their users about the hack sooner. They also claim they were motivated to hack Koei Tecmo due to their lackluster digital security- and how it violated their user’s trust.

“I released it after they removed the web shell but had not let users know or had made GDPR aware within guidelines.

‘From 25 May 2018, the General Data Protection Regulation (GDPR) introduces a requirement for organizations to report personal data breaches to the relevant supervisory authority, where the breach presents a risk to the affected individuals. Organizations must do this within 72 hours of becoming aware of the breach.’

72 hours is key here and while I may not be the most ethical person, I care a lot when it comes to user security and privacy and if companies refuse to use simple encryption techniques to stop user data from the fallout of a cyber attack, I will keep attacking them. If they do not adhere to guidelines set by the people, they will face fallout.

They could spend just a few extra shekels to encrypt user information to ten rounds of bcrypt and WHEN, not IF there is a cyber attack users will be protected to an extent but they refused to do that over costs of processing power and instead chose to use a weak salted MD5 hashing algorithm from 1992. They refused to update their systems to divert a cyber attack, and that was their responsibility with 65,000 user records.”

Image: Dead or Alive 6 via Steam