PC streaming service Shadow has disclosed a security breach that exposed the personal information of over 500,000 customers.

The breach occurred at the end of September when an attacker gained access to Shadow’s management interface by exploiting a stolen cookie.

Shadow says that the attacker was able to access customer names, email addresses, IP addresses, Shadow account IDs, dates of birth, billing addresses, and credit card expiration dates.

Here’s what happened, according to the email sent to customers (which you can see on Reddit):

At the end of September, we were the victim of a social engineering attack targeting one of our employees. This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack.

Our security team took immediate action. Despite our actions, the attacker was able to exploit one of the stolen cookies to connect to the management interface of one of our SaaS providers. Thanks to this cookie, now deactivated, the attacker was able to extract, via our SaaS provider’s API, certain private information about you.

Shadow has taken steps to secure its systems and prevent similar incidents from occurring in the future. The company has also revoked the stolen authentication cookie and blocked the attacker’s access to its systems.
