Koei Tecmo discloses data breach after hacker leaks stolen data


Atelier Ryza
Source: Atelier Ryza screenshot

Japanese game developer Koei Tecmo has disclosed a data breach and taken their European and American websites offline after stolen data was posted to a hacker forum.

Koei Tecmo is known for its popular PC and console games, including Nioh 2, Hyrule Warriors, Atelier Ryza, Dead or Alive, etc.

On December 20th, a threat actor claimed to have hacked into the koeitecmoeurope.com website on December 18th through a spear-phishing campaign sent to an employee. As part of this attack, a forum database with 65,000 users was stolen, and the actor claims to have planted a web shell on the site for continued access.

“There are FTP credentials on the shell I found and I would be happy to share those with you if you bought the shell as well as multiple twitter secrets for their twitter accounts that they have,” the threat actor stated as part of their sales pitch.

In a post on a hacker forum, the threat actor was attempting to sell a forum database for 0.05 bitcoins, or approximately $1,300, and web shell access for 0.25, or approximately $6,500.

On December 23rd, the same threat actor leaked the database for free on the same hacker forum.

Koei Tecmo database leaked for free
Koei Tecmo database leaked for free

The samples of the database seen by BleepingComputer include forum members’ email addresses, IP addresses, hashed passwords and salts, usernames, date of births, and country.

Koei Tecmo takes websites offline 

After learning of the leaked data, Koei Tecmo took the American (https://www.koeitecmoamerica.com/) and European (koeitecmoeurope.com) websites offline with the following message:

“Due to the possibility of an external cyberattack on this website, it is temporarily closed as we investigate the issue.”

Koei Tecmo America's website was taken offline
Koei Tecmo America’s website was taken offline

Since learning of the attack, Koei Tecmo released a data breach advisory stating that a forum on a UK subsidiary’s website was compromised and the stolen data was leaked online.

“Within the website operated by KTE, the “Forum” page and the registered user information (approximately 65,000 entries) has been determined to the data that may have been breached. The user data that may have been leaked through hacking is perceived…

Source…