Airsoft Data Breach Exposes Data of 75,000 Players
2024-5-4 07:15:8 Author: securityboulevard.com

Failure to properly configure authentication led to malicious actors exploiting the database backups of Airsoftc3.com, a popular Airsoft enthusiast community site, according to Cybernews researchers, who discovered the breach in December.

The breach exposed sensitive user data, affecting approximately 75,000 individuals within the community involved with Airsoft, a team-based shooting game. The Airsoftc3 site serves as a primary hub for U.S. Airsoft players to connect, organize games, and share information.

The leaked information, totaling 12GB, included personal email IDs, usernames with hashed passwords, email addresses, phone numbers, home addresses, social media links, and even the credentials of site administrators.

The breach poses severe cybersecurity threats, as the leaked database contains critical operational information necessary for the site’s functionality.

Significant Potential for Abuse

Malachi Walker, security advisor at DomainTools, said the kind of data leaked in this attack has “significant potential” for abuse.

“The data in this leak includes personal emails, login credentials, phone numbers, and home addresses which can all be leveraged against those impacted,” Walker said. “Financially motivated cybercriminals will leverage this data to obtain even more information.”

Those in the Airsoft community should be cautious of emails, calls, or texts asking for personal details by leveraging other information obtained in this breach. “Always verify the source before providing any information,” Walker added.

Given the substantial revenue generated by Airsoft C3—noted in the Cybernews report as between $2-5 million annually—it is essential for companies to scale their cybersecurity and data protection actions with their growth. “Increasing revenue makes an organization more appealing as a target to financially motivated threat actors,” Walker said.

There is a notable tie between the Airsoft community and the Federal space, making related organizations more of a target for state-sponsored threats as they grow and gain reputation.

“In both cases, these adversaries will be looking to take advantage of an expanding attack surface, and investing in measures to protect user data in light of this is crucial,” Walker said.

From Walker’s perspective, engaging with counsel specializing in cybersecurity and data protection and completing quarterly cybersecurity audits of one’s organization are crucial measures that can be taken to mitigate these risks and to avoid costly data breaches.

“It’s important not to speculate whether or not personal data was stored correctly until all the evidence has been revealed,” Walker said. “Still, improper storage of personal data is taken extremely seriously.”

Administrative disclosure of leaked credentials is an essential first step in securing these accounts, which allows the users impacted to change passwords. “Finally, the organization should notify and cooperate with law enforcement so that they are aware of the danger and can assist in investigations into suspected adversaries,” Walker said.

Larger organizations have faced fines ranging from $100 million to over $1 billion for such breaches. According to the Fair and Accurate Credit Transactions Act (FACTA) of 2003, the federal government can fine $2,500 for each violation, with the state at liberty to add a $1,000 fine.

Ammunition for Social Engineering

Jason Soroko, senior vice president of product at Sectigo, said an important risk is related to social engineering due to the malicious actors now having additional information on a list of targets.

“Thankfully, the passwords associated with the accounts were hashed, which mitigates password reuse,” Soroko said.

However, if simple passwords were used, there is the potential for passwords to be reversed from the hash to ultimately be used for credential-stuffing attacks on other sites. Proper configuration and auditing of cloud storage, especially storage that contains personally identifiable information (PII), should be a priority for all organizations, Soroko added. “Hashing passwords was good but other companies must understand PII is valuable to attackers.” He advised companies to pay close attention to how they secure PII, noting these kinds of incidents seem to be all too common.

“Tools exist to audit cloud storage configurations. Please use those tools,” Soroko said. “Ensuring that there is a strong form of authentication necessary to gain access to storage files and databases is fundamental.”

Unique Passwords, Multi-Factor Authentication

Proactively engaging in threat hunting and adversary infrastructure analysis can help other companies avoid these threats by identifying relevant adversaries before their campaigns are weaponized and launched.

“Customers are trusting you with their data,” Walker said. “It is imperative to engage in best practices to protect customer information and assets.”

Use strong, unique passwords. Organizations should offer multi-factor authentication (MFA) and encourage their customers to enable it. “Keep a close eye on accounts for any suspicious activity,” Walker said. “If you notice anything unusual, report it to law enforcement.”

Article source: https://securityboulevard.com/2024/05/airsoft-data-breach-exposes-data-of-75000-players/