Data from 2014 hack of children’s online game Bin Weevils leaked online; hacker claims 20m records

We’ve seen it before – in fact, we seem to be seeing it a lot recently – data from an old hack first being publicly leaked. This time it’s Bin Weevils, a British online children’s game, owned by 55 Pixels.

In September 2014, Bin Weevils posted a note on their site that they had discovered a “vulnerability” affecting usernames and passwords. In response, they forced a password reset and added some unspecified security features. Their note does not seem to inform users that the data were actually hacked and acquired. And based on data provided to DataBreaches.net yesterday and today, they did not fully disclose the types of information that were hacked.

Yesterday, DataBreaches.net was contacted by “ShohidzIslam,” who wrote that he had learned of a database that was now being released to the public by hackers going by the names of “Pure”, “LukeBaxter”, “Akshay”, “Tyrone” and “Philip.” A link to the data had reportedly been posted in an IRC chat.

The file, which DataBreaches.net obtained and inspected, consisted of 1,022,883 records. Each record included the user’s username, encrypted password (salt+hash), and in-game data like their pet’s ID number, pet’s name, and date of registration. A line at the top of the dump credits “jkb, legit, lukebaxter, tyrone, philip, pure, akshay.”

ShohidzIslam informed DataBreaches.net that he asked the hackers if they also had IP addresses and email addresses. In response, they provided a redacted screenshot showing all of the fields, which did include both registration and login IP addresses, as well as email addresses.

“Luke Baxter” allegedly informed him that they were reserving the full data set with the email addresses and IP addresses as they might sell all of the data privately at some future time. The 1-million record sample was to alert the public that the data were out there, but he claimed that the full data set has approximately 20 million records.

Data in the dump were dated from 2014, which would be consistent with the incident reported in September, 2014 by Bin Weevils. Attempts to verify the data by trying to create new accounts using usernames in the dump resulted in messages that the tested usernames were already taken. Data in the redacted screenshot corresponded to data found in the data sample, although it appeared to be from a different database as the order of the rows did not match.

Evidence that the hackers have email addresses obviously raises questions about Bin Weevils’ report that the breach affected (only) usernames and passwords. Based on Bin Weevil’s About page and Privacy Policy, the email addresses are likely the parents’ email addresses. Parents might understandably want to have been informed if their email addresses with some of their children’s information had been acquired by hackers.

DataBreaches.net sent Bin Weevils an inquiry yesterday asking them to confirm whether email addresses and IP addresses were also in the hacked database, and to confirm or deny the claim of approximately 20 million records, but has received no reply other than an auto-responder.

DataBreaches.net will update this post if additional information is obtained.

Update of August 20, 2017: DataBreaches.net received an email from a sender identifying themselves as “Akshay,” that claimed, in part: