Popular free-to-play shooter Warframe has millions of players across multiple platforms. In 2014, several hundred thousand of them were targeted in a large-scale security breach.
An exploit in web hosting service Drupal was found in November, almost two years ago. While this exploit was patched out two weeks after the breach occurred, the damage had already been done. Through a phishing scam, 775,749 email addresses affiliated with Warframe accounts were retrieved by the scammers.
A Digital Extremes employee tried to assure users, however, that there wasn't much cause for alarm.
"The stolen data DID NOT include any account passwords, variations of passwords, hashed passwords, game account data or personal player information such as full names, addresses or other billing and payment information," said the employee in a forum post. "Note that while there were hashes in the stolen data these were meaningless hashes of Alias names."
Also worth noting is that emails of Xbox One and PlayStation 4 Warframe players were not stored on these servers. Because of this, those emails were apparently not compromised.
In the wake of the scam, Digital Extremes has laid out suggestions for further Warframe account security. This includes activating Two-Factor Authentication for PC users; the feature is unavailable for console players.
This news has a lot to unpack. On the one hand, it is commendable for Digital Extremes to be open about this sort of thing. Many users in the forums expressed thanks for the transparency. It is also reassuring that they're laying out steps to improve account security.
On the other hand, the wait to deliver this news leaves me ambivalent. This was a data-collecting scam that happened almost two years ago. Why is the Warframe community only hearing about it now? Customers deserve to know about any potential data breach as soon as it happens. Waiting this long is a questionable decision.
Even though the accounts can be secured, that still leaves thousands of people on the mailing lists of phishing scams. It's unfortunate that Digital Extremes waited this long to acknowledge the breach. That said, at least Warframe players are now in the know and can take extra precautions.