Game streaming giant Shadow confirms data breach, users personal info stolen

News
By
published

Employee played a compromised game on a computer with access to sensitive information

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

Shadow PC, which allows users to run demanding PC games on a lower-end device, has confirmed it suffered a security breach that saw unnamed attackers steal enough user data to run phishing attacks, identity theft, and more. 

The stolen data includes full customer names, email addresses, dates of birth, billing addresses, and credit card expiration dates. More than 500,000 customers were affected by this incident. 

Account passwords and payment data were not accessed, the company confirmed.

Highly sophisticated attack

The company reached out to affected customers to explain what had happened, describing the attack as “sophisticated”. In the breach notification letter, Shadow PC said one of its employees was a “victim of a social engineering attack” at the end of September.

"This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack." When this employee infected their computer with malware, it stole (among other things, presumably) an authentication cookie that allowed the attackers to log into a software-as-a-service (SaaS) tool the company used.

Since then, Shadow revoked the authentication cookie, effectively locking the threat actors out of its systems. Shadow also said it introduced “additional measures” to make sure incidents like these don’t happen again.

While Shadow was busy dealing with the aftermath of the breach, a hacker took to a popular dark web forum to claim responsibility for the attack. They said that a total of 533,624 users have had their data stolen, and claimed they tried to come to an agreement with Shadow, which the company “deliberately ignored”. Now, they’re selling the database. The media were not able to independently confirm if the database was legitimate or not.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.