The affected site was shut down last year

Apr 3, 2017 20:45 GMT

A hacker claims to have managed to get his hands on 6.5 million email addresses and poorly hashed passwords belonging to users of Dueling Network, a now-dead Flash game based on the Yu-Gi-Oh trading card game.

Dueling Network shut down in 2016, but its site's forum carried on until recently. "Only our forum site was still up as a way for our users to communicate with each other (login used Dueling Network credentials). Now that is down and warns users to change passwords on any other sites they may have used the same password on," a site admin told Motherboard.

The hacker made off with at least 6.5 million accounts, although the site admin claims that not all of those necessarily correspond to individual players, as many of the accounts may have been duplicates owned by the same user, or were never actually logged into. "This number is inflated," the site admin claims.

Weak password hashing makes them readable in plaintext

The data trove the hacker got his hands on includes email addresses and passwords hashed with MD5, which offers practically no protection for stored passwords at this point: the hash is fast to compute and, in this case, unsalted, so a precomputed list of common passwords can be matched directly against the stolen hashes. This means that hackers are quite likely able to see all the passwords in plaintext, which is bad news for anyone who reuses those passwords for any accounts linked to the same email addresses.
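To make the point concrete, here is an added example (not code from the article or from Dueling Network) contrasting unsalted MD5 storage with a salted, slow password hash. The candidate password list and the stored digest are constructed for the example; the PBKDF2 iteration count is an assumed value chosen to match current guidance, not anything the site used.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample: a short candidate list of the kind a cracking tool
# would try first. Real wordlists are far larger; the mechanism is the same.
COMMON_PASSWORDS = ["password", "123456", "yugioh", "letmein"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak scheme the breached site is reported to have used."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def recover_from_unsalted_md5(stored_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Why unsalted MD5 is effectively plaintext: every user who picked the same
    password has the same digest, so one hashed candidate list (or a lookup
    table built once) matches every stored hash at negligible cost."""
    table = {md5_hex(p): p for p in candidates}
    return table.get(stored_hex.lower())


# Hardened storage: a random per-user salt plus a deliberately slow KDF.
# 600_000 iterations is an assumed figure (OWASP's 2023 guidance for
# PBKDF2-HMAC-SHA256); tune it to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per user defeats shared lookup tables
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed "leaked" record: MD5 of a common password, no salt.
    leaked = md5_hex("password")
    print("unsalted MD5 recovered as:", recover_from_unsalted_md5(leaked, COMMON_PASSWORDS))

    # Two users choosing the same password get different records, and a
    # candidate list cannot be hashed once and reused across users.
    a, b = hash_password("password"), hash_password("password")
    print("records differ:", a != b, "| both verify:", verify_password("password", a)
          and verify_password("password", b))
```

The stored record carries its own salt and iteration count, so the cost can be raised later without breaking existing logins; the same layout is what a migration away from MD5 would write on each user's next successful login.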

Black Luster Soldier, the admin of Dueling Network, believes the hacker used a vulnerability in MySQL to obtain the data, although nothing is confirmed at this point.

Regardless of how the hack happened, users are advised to change their passwords on any other services where they use the same credentials as on Dueling Network. By securing all other accounts, the data from the breach becomes useless to anyone trying to hack you. Of course, even so, people should keep an eye out for phishing schemes landing in their inboxes.