Earlier this week, the popular French cloud gaming service Shadow PC disclosed that it had experienced a cybersecurity incident which resulted in some users’ data being compromised. The breach occurred in late September and was the result of a coordinated social engineering attack that targeted Shadow employees.
According to Shadow's statement, the attack began on the instant messaging app Discord where cybercriminals engaged with a Shadow worker. The attackers manipulated the worker into downloading malware on their computer, which enabled them to get access to Shadow’s system.
Here is a break down of what happened.
Hackers Got Access to Shadow’s Management Interface
While Shadow’s cybersecurity team was able to detect the attack quickly, the attackers were able to steal a cookie which gave them access to the company's management interface.
With this elevated control, the hackers were able to get their hands on sensitive information about Shadow’s customers.
The compromised data includes names, email addresses, birthdates, billing addresses and credit card expiration dates for an unspecified number of Shadow users. Luckily, the hackers weren’t able to get any account passwords, financial information, or government ID numbers.
Shadow’s Response to the Data Breach
In the aftermath of the incident, Shadow has implemented several measures to lock down and monitor its systems. The company is also upgrading its internal software to isolate any computers that may have been affected by the attack.
Additionally, Shadow is reinforcing employee cybersecurity training to prevent similar social engineering attacks in the future.
What Should Affected Users Do?
Shadow is advising all of its users to remain vigilant for any suspicious emails, texts or calls purporting to be from the company. These could be phishing attempts designed to get login credentials or further information.
As an added security measure, Shadow highly recommends users enable multi-factor authentication, which adds an extra layer of account protection beyond just a password.
Make sure you change your password and create a more complex one. Installing an antivirus software will also help, as it will keep you safe from phishing attacks and prevent you from opening suspicious links.
Company Reviews Data Retention Policies
The company has been criticized by some for retaining customer birthdates and credit card expiry dates, data that typically does not need to be collected for gaming services.
In response, Shadow has promised to review its data retention policies to ensure it only keeps user information that’s absolutely necessary.