CEO suggests that salt was not applied to passwords

Feb 2, 2015 09:10 GMT

The gaming-oriented services of messaging platform Raptr have been accessed without authorization by an unknown entity and information belonging to users may have been exposed.

Raptr is designed to help gamers communicate with each other, record their sessions and share them online, as well as broadcast a live stream of the gameplay.

Accounts with weak passwords are vulnerable

It is unclear when the intruders managed to gain access to the network, but according to founder and CEO Dennis Fong, the attack may have resulted in exposing information that could allow unauthorized log-in to the accounts. This consists of usernames, email addresses and password hashes.

In an official announcement, Fong says that “although the passwords are hashed, users with weak passwords are vulnerable to unauthorized access,” suggesting that salt was not applied to protect the information.

For security reasons, services do not store passwords in plain text, but only their hash values, which are produced by a one-way function. In theory, this means that the hash output cannot be converted back to the original input.

However, if the hash algorithm is known, it is possible to run a dictionary attack: calculate the hashes of a list of candidate strings and match them against the stolen data, thus revealing the password.

A “salt” is random data that is added to the password before it is hashed in order to thwart dictionary attacks. Also, if two individuals have the same password, the resulting hashes will differ because each one has its own salt.
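The following is an added illustration of the point above, not code from the article or from Raptr: it contrasts an unsalted hash, which a table of precomputed hashes can match directly, with a per-user salted, iterated hash (PBKDF2 via Python's standard `hashlib`) under which two users with the same password get different stored values. The word list and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample word list for the demonstration (not real data).
COMMON_WORDS: List[str] = ["password", "123456", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the weak scheme the article implies was used."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(words: List[str]) -> Dict[str, str]:
    """Hash -> word table. Built once, it can be compared against any unsalted dump,
    which is why unsalted storage leaves weak passwords exposed."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Return the word whose unsalted hash equals stored_hash, or None."""
    return table.get(stored_hash)


def make_salted_record(password: str, iterations: int = 100_000,
                       salt: Optional[bytes] = None) -> Dict[str, object]:
    """Store a per-user random salt alongside an iterated PBKDF2-HMAC-SHA256 digest.
    The salt parameter exists only so a test can make the result deterministic."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: Dict[str, object]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),  # type: ignore[arg-type]
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def same_password_distinct_hashes(password: str) -> bool:
    """Two users choosing the same password get different stored hashes when salted."""
    a = make_salted_record(password)
    b = make_salted_record(password)
    return a["hash"] != b["hash"] and verify_salted(password, a) and verify_salted(password, b)


if __name__ == "__main__":
    table = precomputed_table(COMMON_WORDS)
    leaked_unsalted = unsalted_hash("qwerty")
    print("unsalted match:", lookup_unsalted(leaked_unsalted, table))
    salted = make_salted_record("qwerty")
    print("salted hash in table:", salted["hash"] in table)
    print("same password, distinct salted hashes:", same_password_distinct_hashes("qwerty"))
```

The salted record must store the salt and the iteration count next to the digest, since verification needs both; the salt is not secret, its job is only to make every stored hash unique so that no precomputed table applies.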

Reward points are not at risk

Through the Raptr service, users also receive some reward points, earned for contributing to the Raptr community (playing games with the app running, streaming videos), which can be used to enter different sweepstakes.

Fong says that the hack did not affect this component because the service relies on a two-factor authentication (2FA) step to redeem the Raptr Reward Points associated with an account.

“Although the potential risk to Raptr users is pretty minimal, we urge you to access any accounts on other sites and services in which you use the same login and password associated with your Raptr account and change the related password(s) immediately,” the CEO advises.

Raptr has started to inform its users of the incident, recommending that they choose a strong password that would stand up to a brute-force attack. Security experts suggest using a sentence as a passphrase, which provides sufficient security and is also easier to remember.