South Korean authorities are investigating a massive and widespread breach of personal information on some 27 million online gamers in that nation in what a report there says makes up more than 70% of South Korea's population of people between the ages of 15 and 65.
According to a report by Korea's JoongAng Daily, the South Jeolla Provincial Police Agency has arrested a 24-year-old man with the last name of Kim, who acquired names, registration numbers, account names, and passwords on the 27 million victims, from a Chinese hacker he met in 2011 in an online game. They have arrested 15 other suspects as well, and are pursuing more.
Kim allegedly used the stolen credentials and information to pilfer hundreds of millions of won, equivalent to around US $400,000, in online gaming currency from six online games in Korea. He gave a cut to the Chinese hacker, according to the report, and sold some of the stolen information to others in the black market.
Online gaming is wildly popular in South Korea, so it's no surprise cyber criminals would target that community, says Adam Kujawa, head of malware intelligence at Malwarebytes.
It's unclear whether the gamers' credentials originally were stolen via a drive by attack on the gaming websites, or if the hacker who grabbed them used a password-cracking tool, he says. "They could have been testing known passwords and usernames, and had a tool that automatically tries to log in using these credentials. Once they worked, they were able to steal money."
Or the attackers used a key logger to sniff the credentials when the victims logged in, says Kujawa.
Regardless, two-factor authentication would have kept the accounts safe from this scam, with a temporary one-time password, for example, he says. "I think two-factor authentication should be required" for gaming. The online gaming community sometimes offers incentives to get users to configure their accounts for two-factor, such as free in-game special items for users who register for two-factor authentication.
"This shows how easy it was for these attackers to exploit" gamers, Kujawa says. "I think it was fairly significant and an eye-opener... The population of people playing [online gaming] is growing, therefore so is the population for potential victims."
Kim reportedly sold some of the stolen information to mortgage fraudsters and phony gambling advertisers as well, and made billions of wons worth of fraudulent transactions.
South Korea has had its share of data breaches: Earlier this year, an employee of the Korea Credit Bureau allegedly stole personal information on some 20 million citizens, and in 2011, personal information of some 35 million users of a social network and search engine was exposed.