Armor Games (AG) has confirmed that 100 per cent of its users were caught up in February's mega-leak that saw the details of 617 million online accounts hacked from 16 hacked websites being sold on the dark web.
As exclusively revealed by The Register last month, the haul included account databases for Dubsmash (162 million), MyFitnessPal (151 million) and MyHeritage (92 million) among others.
Some 1.8GB worth of Armor Games data was found by us on sale for 0.2749 BTC ($988) via Dream Market, located in the Tor network.
The company, which runs a portal for a bunch of browser-based games, did not speak to El Reg but cited our article in a confessional email to customers to say it was told on 29 January of a breach that occurred "around" the start of the month.
"This appears to be part of a larger breach affecting 16 companies (see this new article for more information). We are one of the smaller companies affected, apparently holding less than 2 per cent of the total accounts affected between the 16 companies," said AG.
Nevertheless, "the database affected primarily stores all our website users' public profiles, login data (usernames, email addresses, IP addresses, and hashed passwords), birthdays of our administrative accounts, and information about our password protection processes at the time (including the password salt)," the email continued.
Thankfully, the data haul did not include first or last names, credit card data, addresses or phone numbers. But only because AG didn't hold that information in the database.
The advice to users was to "update" passwords on all websites they use, as AG makes "changes on our side to harden our security and fixing any weaknesses found by our audit, including updating our password protection and methods".
AG said it had "started" to notify the relevant authorities and would work with the cops and any of the other 15 corporate victims of the breach.
"Armor Games sincerely apologies for the inconvenience and concern this incident may cause, and remains committed to safeguarding the personal information in its care," it said.
The company claimed none of the data, part of the trove put up for sale in the Dream Market cybersouk, had been misused. ®