"We would like to inform you of a recent incident affecting the security of certain data hosted by one of our service providers.

What happened?

At the end of September, we were the victim of a social engineering attack targeting one of our employees. This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack.

Our security team took immediate action. Despite our actions, the attacker was able to exploit one of the stolen cookies to connect to the management interface of one of our SaaS providers. Thanks to this cookie, now deactivated, the attacker was able to extract, via our SaaS provider’s API, certain private information about you.

The information concerned is your first and last name, e-mail address, date of birth, billing address and credit card expiry date. It is important to note that no passwords or sensitive banking data have been compromised.

What actions have we taken?

As soon as this incident was discovered, we took immediate steps to secure our systems and took all necessary precautions to avoid future incidents. We have also reinforced the security protocols we apply with all our SaaS providers. Finally, we will be upgrading our internal systems to render compromised workstations harmless.

What can you do?

In the wake of this incident, please be very vigilant about the emails you receive, as they could be phishing attempts. In general, for all your accounts, we advise you to protect yourself by setting up multi- factor authentication (“MFA”).

To set up MFA on your Shadow account, please refer to the following

guide: https://shdw.me/HC-B2C-2FA

We are here for you

We sincerely apologize for the inconvenience and assure you that we are doing everything possible to ensure the security of your data.

If you have any questions or concerns, please do not hesitate to contact our customer service department at https://shdw.me/HC- B2C-Support Form

Thank you for your understanding and trust.

Best regards,

Eric Sèle, CEO, Shadow"

    • @Solarius@lemmy.sdf.org
      link
      fedilink
      English
      206 months ago

      I’ve literally had these “hacks” before. They get into one of your friend’s accounts and message you asking to alpha test a game they made. It’s so blatantly fake though it’s embarrassing anyone can get caught by it.

      • @cybersandwich@lemmy.world
        link
        fedilink
        English
        126 months ago

        Sometimes it’s super obviously fake, but if you actually sent alpha test games to your friends semi regularly or it was something not unusual like Gary from accounting “can you sign off on this invoice?” It’s a lot more understandable.

        All it takes is a day when Gary hasn’t had a great night of sleep, had an argument with his wife that morning, and he’s stressed trying to get an annual report to his boss by COB, and BOOM, Gary clicks the ‘obvious’ link trying to know out some low hanging fruit and it’s game over.

      • Chaotic Entropy
        link
        fedilink
        English
        56 months ago

        Naturally, you then download it on to your work PC where you hold/have access to all of your company’s most critical information. :)

    • @skozzii@lemmy.ca
      link
      fedilink
      English
      14
      edit-2
      6 months ago

      Literally the least sophisticated attack.

      Human error, let’s call it what it is.

      It’s like calling these "phishing scammers’ hackers.

      They are not hackers, they are just liars and conmen who got your info.

  • @jmd_akbar@aussie.zone
    link
    fedilink
    English
    266 months ago

    first and last name, e-mail address, date of birth, billing address and credit card expiry date…

    Sure… Totally things that someone can change on the fly…

    • @kn33@lemmy.world
      link
      fedilink
      English
      226 months ago

      Yeah, but also things that were probably out there anyway. They essentially got a customer list.

    • @bitsplease@lemmy.ml
      link
      fedilink
      English
      146 months ago

      Kind of like Nvidia GeForce Now - except that you get a full windows PC environment to play in, so theoretically you can play any game that runs on Windows.

      I used it for a while, it’s pretty good, but the cost has risen a lot faster than the Hardware quality lately and now in order to have a “top spec” gaming pc it’s like $50/month.

      Not a bad deal if you don’t game much, but want to check out a specific game for a month or two - or if you travel a lot but want the power of a full desktop. But if you just want a gaming PC, you’re probably better off building your own

      • Bleeping Lobster
        link
        fedilink
        English
        26 months ago

        Considering how much a ‘top spec’ PC costs (even to build DIY), let’s take a lowball figure of $2000. 2000 / 50 = 40. So 40 months, or 3.3 year of $50 a month is the equivalent of a gaming PC.

        I tend to upgrade every 3-4 years. Even at $50 a month this isn’t necessarily bad value for money (imo). And especially for people who can’t DIY faced with the cost of a custom-build machine.

        • @bitsplease@lemmy.ml
          link
          fedilink
          English
          26 months ago

          Yeah, I don’t disagree - though with a 3070, I wouldn’t quite say their top spec is really top spec, but all in all its really not a bad deal at all.

          And I have to say, being able to game from a super thin laptop with full graphics settings, and low power usage is awesome.

          It’s also really excellent if you’re not sure you’ll actually use a gaming pc much - better to sub for 3 months of shadow then cancel than buy a $2k gaming PC then have it sit idle after a few months

          • Bleeping Lobster
            link
            fedilink
            English
            16 months ago

            The way you describe it, it’s genuinely tempting to me. Mainly I use my PC for making music, and a little animating / graphic design. I tried to avoid installing any games because they just all cumulatively seem to slow down the system with all the little installers / c++ redistributables they seems to need… but of course, not being made of stone I’ve installed many!

            For my next machine… maybe I’ll keep it pristine and use cloud for gaming.

            • @bitsplease@lemmy.ml
              link
              fedilink
              English
              16 months ago

              Pretty sure it’s no commitment, so go try it for a month, you do need a solid internet connection, but nothing insane

    • @ByGourou@sh.itjust.works
      link
      fedilink
      English
      86 months ago

      A cool french company that sell you access to a full pc in the cloud. It was bought by the same guy who own ovh last year.
      Sad to see this leak, I have a few friends that use it, it’s probably the best cloud gaming plateform.

    • @willya@lemmyf.uk
      link
      fedilink
      English
      66 months ago

      I had it when they first came around and it’s a really good cloud pc. Zero lag gaming. Was even able to do PC VR with my Quest 2.

    • @Neon@lemmy.world
      link
      fedilink
      English
      36 months ago

      i mean, you could just google, but here’s what i remember:

      your own gaming PC in the Cloud, long before cloud streaming was cool and Mainstream

      it’s also much better since it’s a whole PC (more like what Microsoft is Planning for the Future) and you can do whatever you like with it. As long as it’s legal, of course.

    • @0xD@infosec.pub
      link
      fedilink
      English
      256 months ago

      These things are often saved in entirely different places, so no, that is not a stretch.

    • TimeSquirrel
      link
      fedilink
      86 months ago

      Even if they got a password, you’d have to be incredibly stupid to store it in clear text on your database in 2023.

      • @TORFdot0@lemmy.world
        link
        fedilink
        English
        -76 months ago

        It’s not exactly that hard to crack passwords from a hash anymore. I don’t know if shadow has MFA but you should assume that if all you have is a password that your account is already compromised.

        • @httpjames@sh.itjust.works
          link
          fedilink
          English
          96 months ago

          It’s actually pretty difficult still if you’re using secure hashing functions like Argon2 and bcrypt because they’re hard on memory and computational power, meaning brute force attacks are pretty much infeasible, both due to hardware requirements and long hashing times.

  • Programmer Belch
    link
    fedilink
    English
    156 months ago

    Waiting for the next hacker film where they get Gary from accounting to give them their password by sending them to a porn website login page

  • @themakara@lemmy.world
    link
    fedilink
    English
    136 months ago

    Honestly, props to them for disclosing this so early. Other companies have waited months to tell their customers about these things, sometimes only because it leaked.

  • @kn33@lemmy.world
    link
    fedilink
    English
    126 months ago

    What I want to know is how malware got on Steam. If it really played out like they say, some of the blame should be on Valve.

    • Chozo
      link
      fedilink
      216 months ago

      It sounds like it was a fake Steam link. At least, that’s what I assume is meant by “under cover of a game on the Steam platform”.

      • @JohnDClay@sh.itjust.works
        link
        fedilink
        English
        16 months ago

        Valve adds new security check after attackers compromise Steam accounts of multiple game devs and update their games with malware

        If anyone is having trouble opening the link

    • @lwe@feddit.de
      link
      fedilink
      English
      12
      edit-2
      6 months ago

      Their VMs are often used for cloud gaming. Your own version of GeForce now essentially. The attacker might have told the employee to check if it works or something of the sort.

      So it’s not to far fetched.