Popular makers of custom gaming controllers, Scuf Gaming, were recently notified by many service users that their website had been compromised like so:

It still lives on in Google Cache:

Google Cache of hacked website

Hot on the heels of this, numerous Scuf customers report having been sent an email [1], [2], [3], [4], [5] which reads as follows:

Dear Scuf Gaming Customer,

As a valued customer, we take very seriously our duty to protect your privacy and security at all times. As such, we want to
inform you of a potential data breach in a small number of our customer accounts that could
potentially include some of your information.

On the evening of June 2nd our IT security team discovered and reported that a very small number of our data
records may have been compromised. We caught this immediately and rectified the issue. The only information that may
have been compromised included customer names, addresses, email addresses, phone numbers and
Scufgaming(dot)com passwords.

PLEASE NOTE: We DO NOT store customer credit card or payment information on our servers – we interface to
external payment systems including CyberSource, PayPal and Amazon which are fully protected. In addition, your
scufgaming(dot)com password was stored in an encrypted format for added protection.
HOWEVER, to be completely diligent and as a security precaution, we at Scuf Gaming felt strongly that our
customers should be made aware of this potential information exposure. We recommend that you update your password on scufgaming(dot)com and if applicable, to be extra diligent, other sites that may use the same password.

There’s no word yet on whether they think the website hack and the data swipe are related – they could be entirely separate attacks, with multiple groups / individuals taking advantage of a way in to get up to mischief.

This is a fairly common pattern – a site running outdated software will be hacked, then another group will come along and replace the original defacement with one of their own.

At this point, your only way of knowing something might have happened is by having seen the email – I had a look at their Twitter feed and website, but there doesn’t appear to be any mention of the June 2nd “incident” or the website defacement.

One thing is for certain – if you have a Scuf account, you should definitely follow their advice and change your password, alongside making sure you’re not reusing the same login details elsewhere.

Password reuse is a major problem where keeping accounts safe is concerned, and there are even extensions available to assist in breaking this bad habit.

Many websites and services are compromised behind the scenes all the time, and you can bet that quite a few of them don’t bother sending anything out in terms of notification.

For as long as you don’t know a service has been popped, the people behind said popping have carte blanche to check for password reuse on your other accounts at their leisure. You can kill this threat off at the source by avoiding password reuse and investing in a password management tool such as LastPass.

Go on – give yourself one less thing to worry about…

Christopher Boyd