Konami, Bro! Another Japanese Game Site Hit by Cyberattack
Maybe Konami needs better security? The main character of Konami's 'Metal Gear' video games is known for hiding in boxes.
Another video game company has been hit with a cyberattack: Japanese video game company Konami, best known in the United States for video games such as "Metal Gear," "Frogger" and "Silent Hill," announced today that more than 35,000 user accounts on the company-run fan site "Konami ID" have been compromised.
Konami said that it first noticed a spike in failed login attempts between June 13 and July 7. A subsequent investigation revealed that 3,945,927 login attempts were made during that time. Out of those, Konami detected 35,252 successful unauthorized logins. That means that the attackers successfully discovered the ID/password combinations of 35,252 Konami ID users and gained access to any personal information stored on their Konami ID accounts.
The news of the attack on Konami comes just a day after Nintendo announced a similar attack had been conducted on its fansite Club Nintendo. There's no evidence that the two attacks are explicitly linked, however. [Hackers Crash the (Mario) Party at Club Nintendo]
Konami ID's compromised user accounts have been frozen and Konami has instructed the users to change their passwords. Konami ID doesn't store any financial information, though the site is tied to an online shopping site, but Konami says that it detected no illicit money transactions in the compromised accounts.
Still, the cybercriminals behind the attack now have a list of usernames, email addresses, and any other personal information such as real names, addresses or phone numbers that the users chose to store on the website. This information could be used for further email-based attacks.
Konami's statement didn't go into details, except to say that the IDs and passwords for the compromised accounts "appear to have been leaked from an external service provider."
This is a rather vague statement, but it seems that Konami is suggesting the blame for the breach lies with a third-party back-end service that Konami uses to manage login data. Many websites use such services as building blocks instead of writing this functionality from scratch.
However, if the cybercriminals acquired IDs and passwords directly from such a service, you'd think they would have had a higher success rate. Almost 4 million login attempts with 35,252 successful logins is a success rate of less than 1 percent.
These numbers suggest the cybercriminals used a brute force attack to compromise the 35,252 accounts rather than acquiring login details from elsewhere.
In a brute force attack, a computer program algorithmically tries every single possible alphanumeric combination, starting with words in the dictionary and increasing the complexity until it finds a password that works. The lack of finesse in this type of attack — it's the algorithmic equivalent of banging on a door until it falls down — is why it's called "brute force."
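The reasoning above (a spike in failed logins, and a success-per-attempt ratio that hints at guessing rather than stolen credentials) is what a defender can check for in authentication logs. The following is an added example, not code from the original article or from Konami: it runs over a constructed sample log whose format, field names and addresses are assumptions, computes the success ratio the article compares, and flags the two traces such a campaign leaves: a success that follows a run of failures for the same account, and one source failing against many accounts.

```python
import re
from collections import defaultdict
# Constructed sample authentication log (not Konami's data). Assumed format:
# "<timestamp> <OK|FAIL> user=<id> ip=<addr>".
SAMPLE_LOG = """\
2013-06-13T01:00:01 FAIL user=alice ip=203.0.113.5
2013-06-13T01:00:02 FAIL user=alice ip=203.0.113.5
2013-06-13T01:00:03 FAIL user=alice ip=203.0.113.5
2013-06-13T01:00:04 OK   user=alice ip=203.0.113.5
2013-06-13T01:00:05 FAIL user=bob   ip=203.0.113.5
2013-06-13T01:00:06 FAIL user=carol ip=203.0.113.5
2013-06-13T01:00:07 OK   user=dave  ip=198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+ip=(\S+)$")

def parse(log_text):
    # Returns (timestamp, succeeded, user, ip) tuples; unparseable lines are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m[1], m[2] == "OK", m[3], m[4]))
    return events

def success_rate(events):
    # Successes per attempt: the ratio the article compares (0.88% vs 0.15%).
    return sum(1 for e in events if e[1]) / len(events) if events else 0.0

def guessed_logins(events, min_failures=2):
    # Successes preceded by >= min_failures failures from the same IP: a guessed password.
    streak = defaultdict(int)   # (user, ip) -> consecutive failures so far
    hits = []
    for ts, ok, user, ip in events:
        key = (user, ip)
        if ok and streak[key] >= min_failures:
            hits.append({"user": user, "ip": ip, "failures_before": streak[key], "at": ts})
        streak[key] = 0 if ok else streak[key] + 1
    return hits

def spraying_sources(events, min_users=3):
    # IPs that failed against many distinct accounts: one source, many targets.
    targets = defaultdict(set)
    for _, ok, user, ip in events:
        if not ok:
            targets[ip].add(user)
    return {ip: len(u) for ip, u in targets.items() if len(u) >= min_users}

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(f"{success_rate(ev):.2%}", guessed_logins(ev), spraying_sources(ev))
```

On the sample, alice's account is flagged (three failures, then a success from the same address) and 203.0.113.5 shows up as a source that failed against three different accounts; in a real deployment the thresholds would be tuned against the site's normal failure baseline.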
The announcement of Konami's data breach comes just a day after another Japanese game developer, Nintendo, announced that its fansite Club Nintendo had been the target of a similar attack.
In Nintendo's case, attackers made approximately 15.5 million login attempts over a similar period of time and succeeded in compromising 23,926 accounts.
The Konami attackers' success rate (0.88 percent) was much higher than Nintendo's (0.15 percent). The reason for that is unclear. Perhaps Konami's breach did involve leaks from an external service provider, which helped the cybercriminals break into accounts. [See also: Goodbye Gibberish: Making Passwords Easier to Remember]
Or, if the same group was behind both attacks, they might have been able to use some of the ID/password combinations gleaned from the Club Nintendo attack to expedite the Konami ID attack. This would be possible if individual users used the same password on both sites.
The week before (July 2), game company Ubisoft also experienced a data breach, but the method of the attack was different from the Nintendo and Konami attacks.