What Happened
In June 2016, the online multiplayer game Evony suffered a significant data breach exposing approximately 33.4 million user accounts from its main game database, along with an additional 938,000 forum accounts compromised in August. The exposed data included usernames, email addresses, IP addresses, and passwords stored with weak encryption using unsalted MD5 and SHA-1 hashing, making the passwords easily decryptable. The breach was facilitated by Evony’s lack of advanced encryption and users’ weak, repetitive passwords—with “123456” being the most common password used by over 714,000 accounts. The compromised credentials potentially included Facebook login details for users who had connected their accounts via Facebook Connect.
