VPNOverview’s security team earlier this month discovered the personally identifiable information (PII) of thousands of Survival Servers users in a database backup stored improperly in a public bucket. We notified Survival Servers about the leak on June 7.
Survival Servers has confirmed that the breach affects all customers who signed up prior to February 1, 2022. The California-based company hosts and rents private gaming servers.
User Data Exposed in Database Breach
The leaked data includes the full names, email addresses, and IP addresses of 129,087 individuals. It also includes the phone numbers of some customers. The PII was stored alongside receipts of financial transactions.
“I was surprised to find several pieces of easily accessible PII information within the bucket that could be pieced together and misused by ill-intentioned individuals,” cybersecurity expert Mirza Silajdzic, who discovered the exposed data, said.
According to Survival Servers, the leak was caused by a “public policy rule for Amazon web services (where our off-site backups are stored) that was incorrectly set.”
The company said it took immediate steps to remove the database backup and secure its S3 bucket. To prevent hackers from taking advantage of the leaked data to hack its users, Survival Servers has introduced additional steps to validate users’ logins.
Steam RCON and Server Passwords Leaked
In addition to the leaked PII, our team also discovered unencrypted passwords for Steam’s remote console (RCON) service.
RCON is a protocol created by Valve for third parties to communicate with Steam’s game servers. It allows customers to control a server remotely using a web interface.
We found administrative passwords and other credentials to unlock each servers.
According to Survival Servers, the passwords can be used to join game sessions and manage servers. Survival Servers user account passwords were also exposed, but were hashed securely.
Timeline
This is a timeline of the Survival Servers breach:
| Event | Date |
|---|---|
| Discovered the database backup in an insecure bucket. | June 4th, 2022 |
| Discovered PII and details of financial transactions in the database. | June 6th, 2022 |
| Reported the breach to Survival Servers. | June 7th, 2022 |
| Breach was closed. | June 4th, 2022 |
While we were investigating the breach, we found that haveibeenpwned.com was also conducting its own investigation. As a result, we both reported the leak. According to Survival Servers, the breach was fixed before we contacted them.
Gamers’ PII Exposed
Gamers and gaming companies are frequently targeted by cybercriminals. We have reported on phishing, malware, and DDoS attacks targeting gaming platforms like Discord where millions of gamers congregate. The personal data we found was easily accessible and could be pieced together by malicious individuals to launch attacks and scam users.
“So far, we have no indication that any PII we found has been exploited to target or take advantage of Survival Servers’ users. However, finding things like admin unlocks and passwords for several game servers is risky. Worse yet, personal data about users should not be floating around on an exposed database backup,” Silajdzic noted.
