Security Update FAQQ: What has happened? A: On Tuesday, 27 December, 2016 we were made aware of a security breach of an ESEA website database and the theft of certain user account information appears to have taken place.
Q:When did the actual breach take place? A: We were informed about the breach on December 27th. (As part of our investigation we are looking into exact timing for the breach.)
Q: When and how were you made aware of it? A: An unknown individual reached out to ESEA with information about the breach and we confirmed that secure data has been breached.
Q: What does it mean that the passwords and secret question answers are hashed? A: All ESEA user account passwords are hashed using bcrypt, an industry best practice for securing passwords, and cannot be used together with the username as long as hashed.
Q: How many customers are affected and in what way? A: We are still investigating but believe that a large portion of the ESEA community members’ information including usernames, emails, private messages, IPs, mobile phone numbers (for SMS messages), forum posts, hashed passwords, and hashed secret question answers could all have been exposed.
Q: What are customers required to do to avoid their stolen data being used? A: Change your passwords and security questions/answers for any other accounts on which you used the same or similar information used for your ESEA account, and review any such accounts for any suspicious activity. Additionally, be cautious of any unsolicited communications that ask you for personal information or refer you to a website asking for personal information
Q: When and how did you inform your customers/instruct them what to do to assure their user data is not used, and why was there a delay in doing so? A: We have notified our customers as soon as possible, given the time required to investigate the event and assure system security. Since learning about the intrusion, we have identified and secured the cause of the breach in ESEA’s website and have been working closely with legal and security experts to ensure ongoing security and privacy best practices.
Q: How could the data be stolen and what measures have you taken since the data was stolen to assume better system security? A: To be clear, we have worked to identify the source of the vulnerability and have taken the appropriate measures to patch it. Once users have completed the password and information change procedures outlined above, users should feel confident in the ongoing security of their data on ESEA’s systems. We apologize for the incident that has taken place, as it is our responsibility to do everything possible to secure the data of our users. We will continue to work with both our developers and independent security experts to improve our security and invest in strengthening ESEA’s infrastructure going forward.
Q: Are you cooperating with any external authorities to assure your systems are secure? A: Yes, we have already engaged with both technical and legal experts, and are utilizing the full resources of our parent entities to strengthen our systems going forward.
Q: Is there any risk this can happen again? A: No one can ever offer guarantees, but we continue to work with privacy and security experts to secure and protect data. We continue to improve our systems and incidents like this only reaffirm our commitment to further refining our security procedures.
Q: What measures have you taken towards the individual(s) that stole the data – is this a police matter? A: We have reached out to the FBI and will support in their investigation any way we can.
Q: How can your customers trust that the data they store with you is safe going forward? A: As with any tech-based company, we will always strive to be as secure as possible when it comes to user data. Following this event we will be moving forward with an even more enhanced and robust security system. Although no system may ever be 100% secure, we hope our community will trust us that we are taking all the appropriate measures to ensure their data is as safe as possible.