An online fashion game and social network provider has been accused of apathy – or ignorance – after it was recently revealed that the details of millions of user accounts were leaked through a data breach that quietly occurred back in 2016. As reported by ZDNet, Fashion Fantasy Game has yet to comment on the purported attack, which left numerous details of 2.4 million of its members exposed. According to a number of data security commentators on Twitter, including Have I Been Pwned’s Troy Hunt, not only has CEO and founder Nancy Ganz failed to acknowledge the attack at all, but the vulnerability that allowed the breach to take place still exists within the live site.
The game in question, Fashion Fantasy Game, was launched in January 2000 and provides players with a virtual world in which they design, create and “sell” their own garments to other players. While the title is free-to-play, it does offer paid VIP memberships. There is no suggestion any payment information was exposed as a result of the data breach, however.
ZDNet’s report stated that an SQL injection vulnerability – a flaw that has frequently topped the Open Web Application Security Project’s list of the ten most prevalent website security holes – opened the way for the data breach, apparently because the site failed to properly validate (or “escape”) user input before building database query strings from it. The email addresses and passwords of the affected users were also stored as unsalted MD5 hashes – a hashing algorithm that has been declared “cryptographically broken and unsuitable for further use” since December 2008 – although, as noted in the Vulnerability Notes Database, weaknesses in the hash function had been reported as far back as 1996.
In addition to minimizing the risk of SQL injection through practical programmatic steps, such as adequately hashing stored passwords – using a salted, stronger algorithm than MD5 – and escaping user data and input, a number of applications and tools exist to help website administrators implement these procedures and prevent such attacks. Imperva’s Scuba, for example, is a free data protection tool that provides more than 2,300 assessment tests for detecting a range of security vulnerabilities in database systems including SQL, Oracle and SAP Sybase.
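As an added illustration (not code from the article or from Fashion Fantasy Game), the two defects the report describes shown beside their fixes: a query that pastes user input into the SQL string against one that binds it as a parameter, and unsalted MD5 against a salted, iterated password hash. It uses only Python's standard library with a constructed in-memory SQLite users table; PBKDF2-HMAC-SHA256 stands in for the "stronger algorithm than MD5" the article recommends, and parameter binding is used because it removes the need to escape input at all.

```python
import hashlib
import hmac
import os
import sqlite3

def make_users_db():
    # Constructed sample data: an in-memory SQLite table standing in for a site's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice@example.com", "h1"), ("bob@example.com", "h2")])
    return db

def lookup_vulnerable(db, email):
    # The defect the report describes: user input pasted straight into the query string,
    # so input containing quotes is interpreted as SQL rather than as a value.
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in db.execute(sql)]

def lookup_parameterized(db, email):
    # The fix: bind the value to a placeholder; the driver never treats it as SQL.
    rows = db.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]

def md5_unsalted(password):
    # What the leaked data used: identical passwords give identical, precomputable hashes.
    return hashlib.md5(password.encode()).hexdigest()

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for the deployment's hardware

def hash_password(password, salt=None):
    # Salted, iterated hash (PBKDF2-HMAC-SHA256) stored as a self-describing string.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    # Recompute with the stored salt and rounds; constant-time compare avoids timing leaks.
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    db = make_users_db()
    probe = "' OR '1'='1"  # constructed test string, not a registered address
    print("concatenated:", lookup_vulnerable(db, probe))      # both rows returned
    print("parameterized:", lookup_parameterized(db, probe))  # []
    print(verify_password("password", hash_password("password")))  # True
```

Two users with the same password get different `hash_password` outputs because each call draws a fresh salt, which is exactly what an unsalted MD5 table lacks.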
Research suggests that Fashion Fantasy Game has a history of inadequately protecting its users’ data, however. Back in 2013, attackers leaked a full dump of the site’s users table, purportedly containing over 200,000 account details including unsalted MD5-hashed names, usernames, email addresses and passwords. In that particular case, it was suggested that the data breach occurred because the site’s backup procedure was publicly accessible via a third-party domain. The game administrators’ apparent unwillingness to comment on the latest data breach has been criticized on ZDNet and elsewhere as showing either apathy or ignorance of the important issue of data protection – and goes to show that users are still at the mercy of site owners’ competence with regard to their personal details.