Humble Bundle, the digital storefront for video games, has been a blessing for indie game developers for at least 8 years now. The company, which has operated as a subsidiary of Ziff Davis since October 2017, has been a strong force in distributing indie game titles that would otherwise not be visible to a typical gamer. Its participation in certain charity activities is also a bonus, as gamers know that a certain percentage of the money they spend on games goes to something beyond pure profit.
However, that does not mean that all is well with Humble Bundle. As its name grows as a digital distributor of video games, the risk of attracting malicious third parties becomes ever more real. That potential has now come to pass: Humble Bundle recently revealed that an unauthorized third party triggered a previously unknown bug in its system, in which referral bonus information was exposed through an email address comparison routine.
“We discovered someone using a bug in our code to access limited non-personal information about Humble Bundle accounts. The bug did not expose email addresses, but the person exploited it by testing a list of email addresses to see if they matched a Humble Bundle account. Sensitive information such as name, billing address, password and payment information was NOT exposed. The only information they could have accessed is your Humble Monthly subscription status. More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires, and if you’ve received any referral bonuses,” explained Jeffrey Rosen, Chief Executive Officer of Humble Bundle.
The digital game supplier has assured its customers that its corporate server and its retail servers used for processing purchases. The real problem, in a nutshell, is that the hacker now knows valid email addresses of Humble Bundle customers, which can be used for phishing. Fake emails carrying social engineering messages can now be sent to unsuspecting users, claiming to originate from Humble Bundle, so those users could become victims of further harm such as identity theft.
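To make the bug concrete, here is an added illustration (not Humble Bundle's code): a subscription lookup keyed on a caller-supplied email that doubles as an account-existence oracle, beside a hardened version that answers only the authenticated owner with a uniform response for everyone else. The accounts, session table and email addresses are constructed sample data.

```python
# Added illustration, not Humble Bundle's code. Accounts, sessions and the
# email addresses below are constructed placeholders, not real customers.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    email: str
    subscription: str      # "active", "inactive" or "paused"
    referral_bonuses: int


# Constructed sample account store keyed on lower-cased email.
ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "active", 2),
    "bob@example.com": Account("bob@example.com", "paused", 0),
}
# Constructed session table: token -> email of the logged-in user.
SESSIONS = {"tok-alice": "alice@example.com"}


def vulnerable_lookup(email: str) -> dict:
    """Unauthenticated lookup keyed on a caller-supplied email.
    The response differs for known and unknown addresses, so anyone
    holding a list of candidate emails learns which ones are customers."""
    acct = ACCOUNTS.get(email.lower())
    if acct is None:
        return {"status": "no_such_account"}
    return {"status": acct.subscription, "referral_bonuses": acct.referral_bonuses}


def hardened_lookup(session_token: str, email: str) -> dict:
    """Subscription details go only to the authenticated owner of the
    account; a missing session, a foreign email and an unknown email all
    produce one identical response, so nothing about existence leaks."""
    owner = SESSIONS.get(session_token)
    if owner is None or owner != email.lower():
        return {"status": "unavailable"}
    acct = ACCOUNTS[owner]
    return {"status": acct.subscription, "referral_bonuses": acct.referral_bonuses}


def leaks_existence(lookup, known: str, unknown: str) -> bool:
    """Regression check for the class of bug described above: an endpoint
    leaks account existence if an unauthenticated caller receives different
    responses for an email that belongs to a customer and one that does not."""
    return lookup(known) != lookup(unknown)
```

The check is the kind of unit test a defender would keep in the suite so that a future change to the lookup cannot quietly reintroduce the oracle.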
“Even though the information revealed is very limited, we take customer trust very seriously and wanted to promptly disclose this to you. We want to make sure you are able to protect yourself should someone use the information gathered to pose as Humble Bundle. Be careful of emails with links to unfamiliar sites. If you receive a suspicious email related to Humble Bundle, please contact us via our support website so that we can investigate further and warn others,” emphasized Rosen.
The company has also urged its customers to enable 2FA (two-factor authentication), which can be done by following the instructions provided on its website. Two-factor authentication strengthens security because the user must submit a second ‘code’, paired with the password, in order to log in.
“We sincerely apologize for this mistake. We will work even harder to ensure your privacy and safety in the future,” concluded Rosen.