Earlier this month, over 1.5 million accounts of a CSGO League named the E-Sports Entertainment Association League (ESEA) was breached.
A blog post linked here, released by Craig Levine, co-founder of ESEA explained what happened.
On December 27th, 2016 they were made aware of a breach of the ESEA database, and that account information was potentially exposed. They say that account information such as usernames, emails, private messages along with IPs, and mobile phone numbers were some of the information that was available when they were breached.
The good news is that ESEA does not store any sensitive payment information like credit card numbers and bank accounts, so any payment made in ESEA are completely safe. Because of the breach, ESEA required every user to reset their password, their multi-factor authentication reset, and their security question.
It was later revealed that the breach was part of an extortion. The attacker had contacted the company on December 27th and requested $100,000. If the quota wasn’t paid the attacker promised to sell or release the information that was breached.
The attacker also got access to a game server, and edited the “karma” of some users.
ESEA are still looking into this breach and are updating a blog post that contains a timeline of the events that took place after the initial breach.
They reported that on Janurary 8th, the attacker leaked the data on LeakedSource and that various media outlets reported the theft. On January 9th they updated external authorities, such as the FBI, on the current situation.