We’ve seen it before – in fact, we seem to be seeing it a lot recently – data from an old hack first being publicly leaked. This time it’s Bin Weevils, a British online children’s game, owned by 55 Pixels.
In September 2014, Bin Weevils posted a note on their site that they had discovered a “vulnerability” affecting usernames and passwords. In response, they forced a password reset and added some unspecified security features. Their note does not seem to inform users that the data were actually hacked and acquired. And based on data provided to DataBreaches.net yesterday and today, they did not fully disclose the types of information that were hacked.
Yesterday, DataBreaches.net was contacted by “ShohidzIslam,” who wrote that he had learned of a database that was now being released to the public by hackers going by the names of “Pure”, “LukeBaxter”, “Akshay”, “Tyrone” and “Philip.” A link to the data had reportedly been posted in an IRC chat.
The file, which DataBreaches.net obtained and inspected, consisted of 1,022,883 records. Each record included the user’s username, encrypted password (salt+hash), and in-game data like their pet’s ID number, pet’s name, and date of registration. A line at the top of the dump credits “jkb, legit, lukebaxter, tyrone, philip, pure, akshay.”
ShohidzIslam informed DataBreaches.net that he asked the hackers if they also had IP addresses and email addresses. In response, they provided a redacted screenshot showing all of the fields, which did include both registration and login IP addresses, as well as email addresses.
Bin Tunes Lyrics! On this page, you can find the lyrics to all of the songs in the Bin Tunes Album, so next time you hear it, you can sing along! Get ready to dance Bin Weevils, dance Bin Weevils! Party in the Bin, let the party begin! Got to dance Bin Weevils, dance Bin.
“Luke Baxter” allegedly informed him that they were reserving the full data set with the email addresses and IP addresses as they might sell all of the data privately at some future time. The 1-million record sample was to alert the public that the data were out there, but he claimed that the full data set has approximately 20 million records.
Data in the dump were dated from 2014, which would be consistent with the incident reported in September, 2014 by Bin Weevils. Attempts to verify the data by trying to create new accounts using usernames in the dump resulted in messages that the tested usernames were already taken. Data in the redacted screenshot corresponded to data found in the data sample, although it appeared to be from a different database as the order of the rows did not match.
Evidence that the hackers have email addresses obviously raises questions about Bin Weevils’ report that the breach affected (only) usernames and passwords. Based on Bin Weevil’s About page and Privacy Policy, the email addresses are likely the parents’ email addresses. Parents might understandably want to have been informed if their email addresses with some of their children’s information had been acquired by hackers.
DataBreaches.net sent Bin Weevils an inquiry yesterday asking them to confirm whether email addresses and IP addresses were also in the hacked database, and to confirm or deny the claim of approximately 20 million records, but has received no reply other than an auto-responder.
DataBreaches.net will update this post if additional information is obtained.
Update of August 20, 2017: DataBreaches.net received an email from a sender identifying themselves as “Akshay,” that claimed, in part:
… The information on that link I have given has the name ‘akshay’ in, who did not have anything to do with the games database being released, the name was used to blame another individual.
I have copy and pasted the lines on your website containing the name ‘akshay’ below. You was given this article by someone who was actually involved in what happened and now is trying to cover himself up and blaming others which is really sad.
Get ready to party, weevils! The Club Fling Nest Theme is out now! The following items are available at the Furniture Shop, and the Floors & Walls Shop…
The set includes:
- Dance Podium! – 1,500 Mulch, 45 Exp Gained, delivery time: 1 hour
- Disco Shelf! – 950 Mulch, 28 Exp Gained, delivery time: 30 mins
- Small Dance Floor! – 3,000 Mulch, 90 Exp Gained, delivery time: 1 hour
- Large Disco Floor! – 5,000 Mulch, 150 Exp Gained, delivery time: 1 hour
- Red Carpet! – 800 Mulch, 24 Exp Gained, delivery time: 30 mins
- Club Fling Wallpaper! – 4,500 Mulch, 136 Exp Gained, delivery time: 1 hour
- Club Fling Ceiling! – 8,000 Mulch, 240 Exp Gained, deliver time: 2 hours
You can also put in a few balloons, posters, trophies, and of course…. :
- Disco Ball! – Featured at Gadgets & Gizmos, only 195 Mulch, 6 Exp Gained, delivery time: 20 mins
Binweevils Dancers
-pigster111