A data breach at French cloud gaming provider Shadow may be worse than the company initially suggested, according to a sample of the stolen data seen by TechCrunch.
In an email sent to affected customers this week, Paris-based Shadow said that a hacker carried out an “advanced social engineering attack” against one of its employees that allowed access to customers’ private data. In the email, Shadow CEO Eric Sèle said this includes full names, email addresses, dates of birth, billing addresses and credit card expiry dates.
TechCrunch obtained a sample of the stolen data containing 10,000 unique records from the hacker who claimed responsibility for the cyberattack. The hacker, who posted about the breach on a popular hacking forum, claims to have accessed the data of more than 530,000 Shadow customers and is offering the data for sale after they say they were “deliberately ignored” by the company.
TechCrunch verified a portion of the stolen records by matching unique staff-related email addresses found in the dataset using the website’s sign-up form, which returns an error if an email address is already found in the system. Several of these Shadow staff accounts were registered using company email addresses with “plus” wildcards containing long strings of letters and numbers unique to Shadow.
Of the data we’ve seen, many of the customer billing addresses correspond with private home addresses. The dataset we have seen also includes private API keys that correspond with customer accounts, though it’s unclear if these keys are accessible by customers. The dataset also includes non-personal information related to customer accounts, such as subscription status and whether accounts have been “blacklisted.”
The most recent record in the stolen data suggests that Shadow was breached on or shortly after September 28. In an email sent to those affected by the incident, which has not yet been published on Shadow’s website or shared on the company’s social media channels, Shadow said it was hacked “at the end of September” after an employee downloaded a malware-laced Steam game via Discord.
Shadow spokesperson Thomas Beaufils would not comment when emailed Friday, but did not dispute the findings. It’s not known if Shadow informed France’s data protection regulator, CNIL, of the breach as required under European law. A spokesperson for CNIL did not immediately return a request for comment.
Separately, Valve this week mandated two-factor authentication checks for developers after the accounts of multiple game developers were recently compromised and used to update their games with malware. It’s unknown if this is related to the Shadow breach, and Valve has yet to respond to TechCrunch’s questions.
Zack Whittaker contributed reporting.