Dark Web News Analysis
A database originating from an April 2018 data breach of Funny Games, an online entertainment website, is being actively circulated on cybercrime forums. The dataset contains approximately 764,000 user records. The compromised information includes usernames, email addresses, IP addresses, and, most importantly, passwords that were hashed using the outdated salted MD5 algorithm. The original breach was reportedly caused by vulnerabilities within the site’s legacy code.
Although the breach is several years old, the re-emergence of this data poses a fresh threat. The primary danger stems from password reuse, a common practice among users of non-critical websites. The use of salted MD5 for password protection is a major concern; this hashing algorithm is now considered weak and can be cracked with relative ease by attackers using modern hardware. This allows criminals to recover the plaintext passwords behind the hashes, creating a newly potent list for launching widespread credential stuffing attacks.
Key Cybersecurity Insights
This resurfaced data breach highlights several critical security risks:
- High Risk of Credential Stuffing from Password Reuse: The main threat is that the affected users likely reused their Funny Games password on other, more sensitive accounts like email, e-commerce, or social media. Attackers will use automated tools to test these email and cracked password combinations across the web to hijack other accounts.
- Weak MD5 Hashing Exacerbates Compromise Risk: The use of MD5, even with a salt, is a significant security flaw by modern standards. The algorithm is computationally inexpensive, so each password guess costs an attacker very little, and a salt only prevents the use of precomputed tables; it does not slow down guessing. As a result, attackers can crack a large number of these passwords in a short amount of time, rendering the hashing almost useless as a protective measure.
- Dangers of Unsecured Legacy Systems: The attribution of the breach to legacy code is a critical lesson. Older systems and applications that are not actively maintained or built with modern secure coding practices often contain significant vulnerabilities. This incident underscores the importance of including all assets, regardless of age, in a comprehensive vulnerability management program.
Mitigation Strategies
In response to this and similar resurfaced breaches, a multi-layered defense is essential for both users and organizations:
- Implement Multi-Factor Authentication (MFA) as a Standard: MFA is the most effective defense against credential stuffing. Even if an attacker obtains a correct password, they are blocked from accessing the account without the second authentication factor. Organizations must enforce MFA on all critical systems as a baseline security control.
- Utilize Continuous Credential Monitoring: Organizations should leverage services that continuously scan the dark web and cybercrime forums for their corporate domains and employee email addresses. Receiving an alert when credentials appear in a breach allows security teams to proactively force a password reset before an account is compromised.
- Promote Strong Password Hygiene and Retire Weak Algorithms: Any individual who had a Funny Games account should change their password immediately on any other site where it might have been reused. For organizations, this is a reminder to audit their own password storage practices, immediately retire weak hashing algorithms like MD5, and enforce strong, unique password policies for all users.
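One way to carry out the "retire weak hashing algorithms like MD5" step above is to re-hash each password with a memory-hard KDF the next time its owner logs in successfully. The following is an added example, not code from the article or from the breached site; the record layouts, the `md5(salt + password)` construction and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed legacy layout (not from the article): "md5$<salt>$<hex of md5(salt + password)>"
# Hypothetical target layout: "scrypt$<salt hex>$<key hex>"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_md5_record(password: str, salt: str) -> str:
    """Build a record the way the assumed legacy code did (sample data only)."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"md5${salt}${digest}"


def scrypt_record(password: str) -> str:
    """Hash with scrypt, a memory-hard KDF, using a fresh random salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_and_upgrade(password: str, record: str):
    """Return (ok, record_to_store). A correct login against a legacy
    record yields a scrypt record so the MD5 hash can be overwritten."""
    scheme, salt, stored = record.split("$")
    if scheme == "scrypt":
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt), **SCRYPT_PARAMS)
        return hmac.compare_digest(key.hex(), stored), record
    if scheme == "md5":
        digest = hashlib.md5((salt + password).encode()).hexdigest()
        if hmac.compare_digest(digest, stored):
            return True, scrypt_record(password)  # upgrade on successful login
        return False, record
    raise ValueError(f"unknown scheme: {scheme}")


def legacy_accounts(users: dict) -> list:
    """Audit helper: accounts whose stored record is still salted MD5."""
    return sorted(u for u, rec in users.items() if rec.startswith("md5$"))


if __name__ == "__main__":
    # Constructed sample data, not taken from any real dataset
    users = {"alice": legacy_md5_record("correct horse", "s1"),
             "bob": legacy_md5_record("hunter2", "s2")}
    ok, users["alice"] = verify_and_upgrade("correct horse", users["alice"])
    print(ok, users["alice"].split("$")[0], legacy_accounts(users))
```

Accounts that never log in again stay on the legacy scheme, which is why the audit helper matters: those records need a forced password reset or removal rather than indefinite retention.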
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com