In December 2018, the popular online game Town of Salem suffered a major data breach affecting 7.6 million players worldwide, including thousands in the UK. If you’ve played this browser-based social deduction game, your personal information may have been exposed. This comprehensive guide explains what happened, which data was compromised, your legal rights under UK GDPR, and the specific steps you must take to protect yourself. We’ve verified all information against official sources and UK regulatory frameworks. This article addresses the breach timeline, compromised data types, UK legal implications, security best practices, and ongoing protection measures for affected players.
What Happened in the Town of Salem Data Breach?
Between December 2018 and January 2019, BlankMediaGames confirmed a significant security breach compromising 7.6 million Town of Salem accounts globally, with substantial numbers of UK-based players affected.
The Actual Breach Timeline
The breach occurred on 13 December 2018, though this wasn’t publicly known until later. Hackers gained unauthorised access to BlankMediaGames’ servers through Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities—security flaws that allow attackers to access files they shouldn’t be able to reach. These entry-level vulnerabilities highlight significant security oversights in the game’s infrastructure.
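To make the LFI flaw mentioned above concrete from a defender's point of view, here is an added example (not code from the page or from BlankMediaGames, whose stack was PHP) in Python. It builds a throwaway web root in a temporary directory, shows the vulnerable pattern where a request parameter is joined onto a file path unchecked, and beside it the hardened form that resolves the final path and refuses anything outside the allowed directory. The directory layout, file names and the `demonstrate()` helper are constructed for the example; the RFI variant (including a remote URL) has no direct Python analogue and is not shown.

```python
import os
import tempfile
from pathlib import Path


def make_sandbox(tmp: Path) -> Path:
    """Constructed layout: a web root with one legitimate page, plus a file
    outside the web root that must never be served (example data, not real)."""
    root = tmp / "webroot"
    (root / "pages").mkdir(parents=True)
    (root / "pages" / "home.html").write_text("<h1>home</h1>")
    (tmp / "secret.txt").write_text("not for the web")
    return root


def include_unsafe(root: Path, page: str) -> str:
    """Vulnerable pattern: the user-controlled 'page' value is joined onto the
    path with no validation, so a traversal value escapes 'pages/' (LFI)."""
    return (root / "pages" / page).read_text()


def include_safe(root: Path, page: str) -> str:
    """Hardened form: resolve the final path (collapsing '..' and symlinks) and
    require it to remain inside the allowed directory; also pin the extension."""
    base = (root / "pages").resolve()
    target = (base / page).resolve()
    if os.path.commonpath([base, target]) != str(base):
        raise PermissionError("path escapes allowed directory")
    if target.suffix != ".html" or not target.is_file():
        raise FileNotFoundError(page)
    return target.read_text()


def demonstrate() -> dict:
    """Run both handlers against a legitimate page and a traversal value and
    report what each one did (hypothetical helper for the example)."""
    with tempfile.TemporaryDirectory() as d:
        root = make_sandbox(Path(d))
        traversal = "../../secret.txt"  # constructed traversal input
        out = {
            "safe_serves_page": include_safe(root, "home.html") == "<h1>home</h1>",
            "unsafe_leaks": include_unsafe(root, traversal) == "not for the web",
        }
        try:
            include_safe(root, traversal)
            out["safe_blocks"] = False
        except PermissionError:
            out["safe_blocks"] = True
        return out


if __name__ == "__main__":
    print(demonstrate())
```

The check compares resolved paths rather than scanning the string for `..`, because encoded or symlinked variants defeat string matching; the extension allow-list is a second, independent limit on what the handler can ever return.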
On 28 December 2018, an anonymous source contacted DeHashed, a security research firm, providing evidence of the server compromise and a complete copy of the player database. The database contained a total of 8,388,894 rows, with 7,633,234 unique email addresses. DeHashed analysed the compromised data and attempted to contact BlankMediaGames multiple times between 28 and 30 December 2018, but received no immediate response.
BlankMediaGames only publicly acknowledged the breach in early January 2019 through a brief forum post. This delayed response violated UK GDPR Article 33, which requires data controllers to notify the relevant supervisory authority within 72 hours of becoming aware of a breach. The company eventually removed three malicious PHP files from their servers that had given attackers backdoor access.
Scale of the Breach
Over 7.6 million user accounts were compromised, representing more than 95% of the game’s registered player base at the time. Email addresses from UK domains (.co.uk) appeared extensively in the breach data. The compromised database included players across all versions of the game, including browser-based, Steam, and mobile platforms.
The attackers maintained presence within the network for an extended period before detection, allowing them to copy the entire player database. According to subsequent investigations, hackers were able to authenticate successfully with compromised credentials even months after the initial breach, indicating that password reset procedures were inadequate.
Attack Vector and Methods
The hackers exploited vulnerabilities in the phpBB forum software used by Town of Salem. phpBB, whilst widely used, requires regular security updates to remain protected. BlankMediaGames’ installation appears to have been outdated, providing an entry point for attackers.
Once inside, the hackers accessed multiple databases using different hashing methods:
- phpBB3 hashing for forum accounts.
- MD5 hashing for WordPress-related data.
- Salted MD5 hashing for the main game database.
All three methods are considered cryptographically weak by modern standards. MD5 has been broken since 2004, and because it is designed to be fast to compute, even salted implementations can be cracked through brute-force attacks with sufficient computing power; a salt stops precomputed tables but does nothing to slow down guessing.
Company Response
BlankMediaGames’ response raised concerns among cybersecurity professionals. The company took several days to acknowledge the breach publicly, failed to reset passwords immediately, and provided limited details about the extent of the compromise. They claimed to have removed backdoors and implemented additional security measures, but specifics remained vague.
Forced password resets weren’t implemented until October 2020—nearly 22 months after the breach. This delay left accounts vulnerable to credential stuffing attacks throughout that period. The company stated that it planned to migrate away from phpBB to more secure forum software and adopt stronger password hashing algorithms, although implementation timelines weren’t specified.
As of August 2024, Digital Bandidos acquired BlankMediaGames and the Town of Salem franchise. The original development company appears to have been dissolved, raising questions about historical accountability for the breach.
What Data Was Compromised in the Town of Salem Breach?
The breach exposed multiple categories of personal information, each carrying specific risks for affected players.
Usernames and Email Addresses
All 7.6 million accounts had their usernames and email addresses exposed. This information allows attackers to identify specific users and launch targeted phishing campaigns. Exposed email addresses can be used for spam, social engineering attacks, or attempts to gain access to other accounts linked to the same email address.
For UK players, email addresses ending in .co.uk domains were particularly vulnerable to localised phishing schemes pretending to be from British institutions, banks, or government agencies.
Passwords and Hashing Methods
Passwords were stored using three different hashing methods, none of which meet modern security standards:
- phpBB3 Hashing: Used for forum accounts, this method is relatively weak and vulnerable to brute-force attacks with modern computing power.
- MD5 Hashing: Used for WordPress-related credentials, MD5 has been considered cryptographically broken for nearly two decades. Security researchers can crack MD5-hashed passwords relatively easily.
- Salted MD5: Used for the main game database, whilst marginally better than plain MD5, salted MD5 remains vulnerable. The “salt” (random data added to passwords before hashing) provides some protection, but modern password-cracking tools can still defeat it.
According to subsequent analysis, hackers successfully cracked 2,418,341 passwords from the database, thereby obtaining plain-text credentials. These cracked passwords were then used in credential stuffing attacks against other platforms.
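The passage above (and the earlier note that salted MD5 is still crackable) turns on one property: a salt stops precomputed tables, but a fast hash still lets an attacker test guesses at enormous speed. The added example below, written for this article rather than taken from BlankMediaGames’ code, shows the defender's side of that: a login routine that verifies a legacy salted-MD5 record and, on success, transparently rehashes the password with a deliberately slow, memory-hard KDF (the standard library's scrypt stands in here for the bcrypt or Argon2 that the company said it would adopt). The `md5$salt$digest` and `scrypt$salt$digest` record formats are assumptions for the example, not the game's real schema, and `hash_rate()` gives a rough guesses-per-second figure so you can see the gap between the two schemes on your own machine.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed record formats (constructed for this example, not the game's schema):
#   "md5$<hex salt>$<hex md5(salt + password)>"      legacy, fast, weak
#   "scrypt$<hex salt>$<hex scrypt(password, salt)>" slow, memory-hard
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def legacy_salted_md5(password: str, salt: bytes) -> str:
    """The weak legacy scheme: one MD5 over salt + password."""
    return "md5$" + salt.hex() + "$" + hashlib.md5(salt + password.encode()).hexdigest()


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Replacement scheme: per-user random salt plus a memory-hard KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify(stored: str, password: str) -> bool:
    """Recompute under whichever scheme the record uses and compare in constant time."""
    scheme, salt_hex, _digest = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "md5":
        candidate = legacy_salted_md5(password, salt)
    elif scheme == "scrypt":
        candidate = scrypt_hash(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Login path: on a correct password against a legacy record, return a new
    scrypt record for the caller to persist, so the MD5 hash is retired on
    first successful use instead of waiting for a mass reset."""
    if not verify(stored, password):
        return False, stored
    if stored.startswith("md5$"):
        return True, scrypt_hash(password)
    return True, stored


def hash_rate(scheme: str, seconds: float = 0.2) -> float:
    """Rough single-threaded hashes per second for one scheme; the ratio is the
    point, not the absolute numbers (they depend on the machine)."""
    salt = b"\x00" * 16
    if scheme == "md5":
        fn = lambda: legacy_salted_md5("x", salt)
    else:
        fn = lambda: scrypt_hash("x", salt)
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn()
        count += 1
    return count / seconds


if __name__ == "__main__":
    record = legacy_salted_md5("correct horse", os.urandom(16))
    ok, new_record = verify_and_upgrade(record, "correct horse")
    print(ok, new_record[:12] + "...")
    print("md5/s:", round(hash_rate("md5")), " scrypt/s:", round(hash_rate("scrypt")))
```

The upgrade-on-login pattern only helps accounts that actually log in; dormant accounts keep their MD5 records, which is why a forced reset of the remainder is still needed and why the 22-month delay described later in this article mattered.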
IP Addresses
The breach exposed IP addresses associated with player accounts. IP addresses can reveal your approximate geographic location, potentially down to the city level. For UK players, this information, combined with usernames and email addresses, creates a detailed profile that could be exploited for targeted attacks.
IP addresses can also be used to launch denial-of-service attacks or track users across different online platforms if they’re not using VPN protection.
Game and Forum Activity
Details about in-game actions, forum posts, private messages, and chat logs were potentially exposed. Whilst not as directly sensitive as financial information, this data could reveal personal communication patterns, gaming habits, and potentially embarrassing forum discussions.
This contextual information about your behaviour constitutes personal data under UK GDPR and deserves robust protection. Attackers could use this information for social engineering schemes or identity impersonation.
Payment Information (Limited)
Players who purchased premium features had partial payment information compromised, including:
- Full names.
- Billing and shipping addresses.
- IP addresses at the time of purchase.
- Payment amounts.
Critically, credit card numbers were NOT exposed. BlankMediaGames used third-party payment processors who handled card details separately. However, the ancillary payment data still violated data minimisation principles under UK GDPR Article 5(1)(c), which requires organisations to collect only data necessary for specific purposes.
Implications for UK Players Specifically
For UK-based players, the compromised data carries specific risks under British law and regulatory frameworks. The exposure of hashed passwords using outdated algorithms presents particular concerns. Under UK GDPR, passwords should be protected using modern hashing algorithms like bcrypt or Argon2. The MD5 hashing used by BlankMediaGames has been considered cryptographically unsuitable since 2004, falling short of the Information Commissioner’s Office (ICO) technical guidance.
IP addresses revealed in the breach can pinpoint your approximate UK location, potentially identifying your city or region. When combined with usernames and email addresses, this creates a detailed profile that violates your reasonable expectation of privacy under Article 8 of the Human Rights Act 1998.
Game and forum activity details could reveal sensitive information about playing habits and communication patterns. Under UK data protection law, this contextual information about your behaviour constitutes personal data deserving robust protection, regardless of whether it seems “less sensitive” than financial details.
UK Players’ Legal Rights Under GDPR

British players affected by the Town of Salem data breach have specific protections under UK GDPR and the Data Protection Act 2018. Understanding these rights empowers you to take action against data breaches and hold companies accountable for inadequate security measures.
Right to Notification
Under UK GDPR Article 33, data controllers must notify the relevant supervisory authority (in the UK, this is the Information Commissioner’s Office) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms.
BlankMediaGames’ delayed response—taking days to acknowledge the breach and failing to notify affected users proactively—potentially violated these notification requirements. The company did not report the breach to the ICO within the required timeframe, and their eventual public acknowledgement came through a brief forum post rather than direct communication to affected individuals.
Right to Be Informed
Article 34 of UK GDPR requires organisations to communicate data breaches directly to affected individuals when the breach is likely to result in a high risk to their rights and freedoms. This notification must be made “without undue delay” and should include:
- The nature of the personal data breach.
- Contact details for obtaining more information.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate harm.
Given the scale of the Town of Salem breach and the types of data exposed, it likely qualified as a high-risk breach requiring direct individual notification. BlankMediaGames’ failure to send personalised breach notifications to all affected users may constitute another GDPR violation.
ICO Enforcement Powers
The Information Commissioner’s Office has significant powers to investigate data breaches and enforce compliance. The ICO can:
- Conduct investigations into data protection violations.
- Issue fines of up to £17.5 million or 4% of the company’s annual global turnover (whichever is higher) for serious breaches.
- Require organisations to take specific remedial actions.
- Publicise enforcement actions to warn other organisations.
UK players concerned about BlankMediaGames’ handling of the breach can file complaints with the ICO, potentially triggering an investigation.
Compensation Claims
Under UK GDPR Article 82 and the Data Protection Act 2018, individuals have the right to receive compensation from data controllers for material or non-material damage resulting from a breach of data protection law.
To pursue compensation, you would need to demonstrate:
- BlankMediaGames violated UK GDPR requirements.
- You suffered damage (financial loss, distress, loss of control over personal data).
- The violation caused your damage.
Several law firms in the UK specialise in data breach compensation claims. Whilst individual compensation amounts vary, group litigation or class action approaches could be viable given the large number of affected UK players.
Time Limits for Legal Action
Under the Limitation Act 1980, you generally have six years from the date you discovered (or should have discovered) the breach to bring a compensation claim. Given that the breach occurred in December 2018, affected UK players have until December 2024 to initiate legal proceedings.
Reporting to UK Authorities: ICO and Action Fraud

UK residents should report concerns about data breaches to the Information Commissioner’s Office (ICO) and, if criminal activity is suspected, also to Action Fraud. Here’s how to navigate the UK reporting process.
Reporting to the Information Commissioner’s Office
The ICO is the UK’s independent authority for data protection and information rights. If you’re concerned about how BlankMediaGames handled your personal data, you can raise concerns with the ICO.
- How to Contact the ICO:
  - Telephone: 0303 123 1113 (local rate).
  - Online: Visit ico.org.uk and use their online reporting form.
  - Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
- What Information to Provide:
  - Your contact details.
  - Details about the organisation (BlankMediaGames).
  - Description of what happened (the December 2018 data breach).
  - What data was compromised.
  - When you became aware of the breach.
  - Any communication you’ve had with BlankMediaGames.
  - How the breach has affected you.
- Expected Response Times: The ICO aims to acknowledge complaints within five working days. Investigation timelines vary depending on complexity, but the ICO will keep you informed of progress. Not all complaints result in formal enforcement action, but your report contributes to the ICO’s understanding of data protection issues affecting UK residents.
Reporting to Action Fraud
Action Fraud is the UK’s national reporting centre for fraud and cybercrime. If you believe the Town of Salem breach resulted in fraudulent activity affecting you personally—such as unauthorised account access, identity theft, or financial fraud—you should report it to Action Fraud.
How to Contact Action Fraud:
- Telephone: 0300 123 2040
- Online: www.actionfraud.police.uk
- Welsh Language Line: 0300 123 2040
Action Fraud operates 24 hours a day, seven days a week. When reporting, provide as much detail as possible about:
- The data breach (Town of Salem, December 2018).
- Any fraudulent activity you’ve experienced.
- Financial losses (if applicable).
- Evidence such as suspicious emails, login attempts, or account activity.
Reports to Action Fraud are passed to the National Fraud Intelligence Bureau, which determines whether crimes should be investigated. You’ll receive a crime reference number for your records and insurance purposes.
National Cyber Security Centre (NCSC) Resources
Whilst the NCSC doesn’t handle individual breach reports, it provides valuable guidance for UK residents affected by cybersecurity incidents. The NCSC offers:
- Cybersecurity advice for individuals and organisations.
- Guidance on password security and account protection.
- Information about current cyber threats affecting UK residents.
- Tools and resources for improving digital security.
Visit www.ncsc.gov.uk for free cybersecurity guidance tailored to UK residents. The NCSC’s advice aligns with best practices for protecting yourself following data breaches.
Reporting to Multiple Authorities
You can report the same incident to multiple authorities—the ICO, Action Fraud, and potentially others, depending on circumstances. Each organisation serves different functions:
- ICO: Addresses data protection compliance and investigates organisations’ handling of personal data.
- Action Fraud: Records cybercrime and fraud, which may lead to criminal investigations.
- NCSC: Provides cybersecurity guidance and tracks national-level cyber threats.
Reporting to all relevant authorities creates a comprehensive record of the incident and its impacts on UK residents.
Protecting Your Accounts: Password Best Practices for UK Users
Following the Town of Salem breach, securing your online accounts becomes critical. UK cybersecurity experts at the National Cyber Security Centre (NCSC) recommend specific strategies to protect yourself from credential stuffing attacks and account takeovers.
The NCSC Three Random Words Strategy
The National Cyber Security Centre recommends creating passwords using three random words strung together. This method creates passwords that are both strong (difficult for computers to crack) and memorable (easy for humans to remember).
Examples:
- CoffeePurpleElephant.
- TrainBiscuitMountain.
- GardenClockOctopus.
This approach creates passwords with sufficient length and randomness to resist brute-force attacks whilst remaining practical for daily use. Avoid using words related to personal information (names, birthdays, addresses) or everyday phrases.
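The three-random-words advice above is easy to get subtly wrong in code: words must come from a cryptographically secure source, not `random.choice`, and the strength depends on how long the word list is. The following added example (written for this article, not NCSC code) generates such passphrases with `secrets`, filters out words that overlap with personal information as the advice recommends, and computes the resulting entropy. The small `WORDS` list is constructed for the example; a real generator would load a list of several thousand words.

```python
import math
import secrets
from typing import Iterable, List

# Constructed word list for the example; a real list would be far longer.
WORDS = [
    "coffee", "purple", "elephant", "train", "biscuit", "mountain",
    "garden", "clock", "octopus", "river", "lantern", "pepper",
    "violin", "harbour", "meadow", "compass",
]


def filter_personal(words: Iterable[str], personal_terms: Iterable[str]) -> List[str]:
    """Drop words that appear inside, or contain, any piece of personal
    information (names, street, pet, birth year) the user supplies."""
    terms = [t.lower() for t in personal_terms]
    return [
        w for w in words
        if not any(t in w.lower() or w.lower() in t for t in terms)
    ]


def three_random_words(words: List[str], k: int = 3) -> str:
    """Pick k words with the OS CSPRNG and join them CapitalisedLikeThis."""
    if len(words) < k:
        raise ValueError("word list too short")
    chosen = [secrets.choice(words) for _ in range(k)]
    return "".join(w.capitalize() for w in chosen)


def entropy_bits(list_size: int, k: int = 3) -> float:
    """Strength against an attacker who knows the list and the scheme:
    k words chosen with replacement give k * log2(list_size) bits."""
    return k * math.log2(list_size)


if __name__ == "__main__":
    usable = filter_personal(WORDS, ["Gardener Street", "Rex"])  # constructed personal details
    print(three_random_words(usable))
    print(round(entropy_bits(len(usable)), 1), "bits from this tiny list;",
          round(entropy_bits(7776), 1), "bits from a 7,776-word list")
```

Capitalising each word is for readability only; an attacker who knows the scheme gains nothing from it, so the entropy figure ignores it.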
Why Password Reuse Makes Breaches Catastrophic
The hackers who breached Town of Salem explicitly stated that they targeted the game due to password reuse patterns. They sold compromised credentials to other attackers who used them in credential stuffing attacks against banking sites, email services, social media platforms, and other online accounts.
Credential stuffing works by attempting to use stolen username/password combinations across multiple websites. If you used the same password for Town of Salem and your bank account, hackers could potentially access your financial information even though your bank wasn’t breached.
How to Avoid Password Reuse:
- Use a unique password for every online account.
- Never reuse passwords across multiple sites.
- Change passwords immediately if you discover you’ve been using the same credentials on various platforms.
- Employ a password manager to generate and store unique passwords.
UK-Focused Password Managers
Password managers generate strong, unique passwords for each account and store them securely. You only need to remember one master password. Several reputable password managers serve UK users:
- Bitwarden: A free tier is available; premium features cost £8.33 per year. Open-source, strong security, syncs across devices. Based in the United States but GDPR-compliant.
- 1Password: £2.99 per month for individuals; £4.99 per month for families. User-friendly interface, excellent security features, and travel mode for crossing borders.
- Dashlane: Free for up to 25 passwords on one device; premium £3.99 per month. VPN included, dark web monitoring, and password health reports.
All three options encrypt your password vault, meaning even the password manager company cannot access your passwords. Choose based on your budget and feature requirements.
Two-Factor Authentication (2FA)
Two-factor authentication adds an extra layer of security beyond passwords. Even if someone obtains your password, they cannot access your account without the second authentication factor—typically a code sent to your mobile phone or generated by an authenticator app.
- Setting Up 2FA:
  - Download an authenticator app (Google Authenticator, Microsoft Authenticator, or Authy).
  - Navigate to security settings in your online accounts.
  - Enable two-factor authentication.
  - Scan the QR code with your authenticator app.
  - Enter the generated code to confirm setup.
- Enable 2FA on all accounts that support it, prioritising:
  - Email accounts (these control password resets for other accounts).
  - Financial accounts (banks, PayPal, cryptocurrency exchanges).
  - Social media accounts.
  - Gaming accounts (Steam, Epic Games, etc.).
Checking for Credential Exposure
Have I Been Pwned (haveibeenpwned.com) is a free service created by security researcher Troy Hunt that allows you to check whether your email address or username appears in known data breaches. The NCSC endorses this service for UK residents.
How to Use Have I Been Pwned:
- Visit haveibeenpwned.com
- Enter your email address.
- Review the results showing which breaches included your email.
- Check the “Passwords” section to see if any of your passwords have been exposed.
If your email address appears in the Town of Salem breach or any other breach, immediately change the passwords on all accounts using those credentials. Enable email notifications to be alerted about future breaches involving your email address.
Platform-Specific Guidance for Town of Salem
- Steam Version:
  - Log into Steam.
  - Navigate to Account Details > Account Security.
  - Change your password to something unique.
  - Enable Steam Guard (Steam’s 2FA system).
- Mobile Version:
  - Open the Town of Salem mobile app.
  - Access Settings > Account.
  - Use “Forgot Password” to reset via email.
  - Create a new, unique password.
- Web Premium Version:
  - Visit townofsalem.io.
  - Log in with existing credentials (if they still work).
  - Navigate to account settings.
  - Change your password immediately.
  - Update your email address if you’ve been receiving spam.
If you cannot access your account due to changed credentials, contact BlankMediaGames support; however, response times may be slow, given the company’s acquisition by Digital Bandidos.
BlankMediaGames’ Breach Response: A Critical Timeline
BlankMediaGames’ handling of the data breach raised significant concerns among cybersecurity professionals and UK data protection advocates. The company’s delayed public disclosure and inadequate initial response highlighted systemic failures in its data protection practices and breach notification procedures.
December 2018: Initial Breach and Discovery
- 13 December 2018: Hackers gained access to BlankMediaGames’ servers through LFI/RFI vulnerabilities. The attackers copied the complete player database, including 7.6 million user accounts. According to a subsequent Reddit post by one of the hackers, the breach was “a lot simpler than everyone thinks.”
- 28 December 2018, 11:33 AM: Security firm DeHashed received an anonymous email containing evidence of the breach and a copy of the compromised database. DeHashed immediately attempted to contact BlankMediaGames via email.
- 28 December 2018, 12:33 PM: DeHashed contacted BlankMediaGames to alert them to the breach. Initial contact was made, but no commitment to public disclosure was secured.
- 29-30 December 2018: DeHashed made multiple additional contact attempts via email and phone. BlankMediaGames acknowledged receiving the communications but didn’t respond substantively or announce the breach publicly.
January 2019: Delayed Public Acknowledgement
Early January 2019: BlankMediaGames finally posted a brief acknowledgement on their game forum. The post confirmed the breach and stated they had removed three malicious PHP files providing backdoor access. The forum post claimed passwords were stored as “salted MD5 hash,” attempting to reassure users that passwords weren’t stored in plain text.
However, the company failed to:
- Notify the ICO within 72 hours as required by UK GDPR.
- Send direct breach notifications to affected individuals.
- Provide detailed information about the scope of compromised data.
- Implement immediate forced password resets.
- Offer clear guidance on protective measures users should take.
Mid-January 2019: BlankMediaGames sent mass emails to some users confirming the breach, but these notifications came weeks after the incident and lacked the detail required under GDPR Article 34.
2019-2020: Inadequate Follow-Through
Throughout 2019, BlankMediaGames failed to implement forced password resets. Subsequent security research by Mo Beigi in December 2019 revealed that out of 2,418,341 cracked passwords, substantial numbers still authenticated successfully against the game servers—nearly a year after the breach.
Beigi reported his findings to BlankMediaGames on 1 January 2020. The company began implementing database patches to address exposed passwords on 3 January 2020 and 10 January 2020, finally forcing password changes for compromised accounts.
October 2020: BlankMediaGames implemented forced password resets for remaining accounts—22 months after the original breach. This delay left accounts vulnerable throughout that period, allowing continued exploitation through credential stuffing attacks.
Security Improvements Claimed
BlankMediaGames stated they would:
- Migrate away from phpBB to more secure forum software (Vanilla Forums mentioned).
- Implement stronger password hashing algorithms (bcrypt or Argon2).
- Add support for forced password resets in their codebase.
- Work with hosting providers to conduct malware scans.
- Implement additional security measures (unspecified).
However, no public timeline was provided for these improvements, and transparency remained minimal.
Comparison to UK GDPR Requirements
UK GDPR mandates specific breach response procedures that BlankMediaGames failed to follow:
- Article 33 Requirements: Notify the supervisory authority within 72 hours. BlankMediaGames took over a week to make even a minimal public acknowledgement and apparently never notified the ICO.
- Article 34 Requirements: Directly notify affected individuals “without undue delay” when breaches pose a high risk. BlankMediaGames relied on forum posts and eventually sent mass emails rather than sending proactive direct notifications.
- Article 5 Accountability: Demonstrate compliance with data protection principles. BlankMediaGames provided minimal documentation of their response measures and failed to demonstrate they had appropriate technical and organisational measures in place before the breach.
These failures potentially expose BlankMediaGames to regulatory enforcement, though no public record exists of ICO action against the company. The 2024 acquisition by Digital Bandidos further complicates accountability questions.
Credential Stuffing Attacks: Why This Breach Extended Beyond Town of Salem
Hackers explicitly stated they targeted Town of Salem for credential reuse patterns. Understanding credential stuffing attacks helps explain why this breach threatened accounts across multiple platforms, not just the game itself.
What Are Credential Stuffing Attacks?
Credential stuffing is a cyberattack method where attackers use stolen username/password combinations from one breach to gain unauthorised access to accounts on completely different platforms. Attackers often exploit the widespread practice of password reuse, as many people use the same credentials across multiple websites.
How Credential Stuffing Works:
- Attackers obtain breached credentials from one source (such as Town of Salem).
- They use automated tools to try these credentials on thousands of other websites.
- When credentials match (because users reused passwords), attackers gain unauthorised access.
- Attackers then exploit these compromised accounts for fraud, identity theft, or resale.
The Town of Salem hackers mentioned explicitly in a Reddit post that compromised credentials “have been excellent for trying against many games, and we’ve made tens of thousands from checking these combos and selling copies of the database.”
Why Town of Salem Was Particularly Valuable
Town of Salem attracted younger players and casual gamers who might have less sophisticated security practices. According to the hackers, many players:
- Reused the same password across gaming platforms (Steam, Epic Games, Origin).
- Used identical credentials for email accounts.
- Employed similar passwords for social media profiles.
- Failed to enable two-factor authentication.
This pattern made Town of Salem credentials particularly valuable for credential stuffing operations targeting other gaming and technology platforms.
Platforms Commonly Targeted
Credential stuffing attackers typically focus on high-value platforms:
- Gaming Services: Steam, Epic Games Store, PlayStation Network, Xbox Live, Origin (EA), Blizzard Battle.net. Compromised gaming accounts can be sold for the value of purchased games and in-game items.
- Streaming Services: Netflix, Amazon Prime, Disney+, Spotify. Stolen streaming accounts are resold on dark web marketplaces.
- Financial Services: Banks, PayPal, cryptocurrency exchanges. These offer the highest value to attackers but are also the best defended, with most implementing fraud detection systems.
- Email Providers: Gmail, Outlook, Yahoo. Email access provides password reset capabilities for other accounts, making email credentials particularly valuable.
- Social Media: Facebook, Instagram, Twitter, TikTok. Compromised social media accounts can be used for spam, scams targeting followers, or sold to marketers.
Detecting Credential Stuffing Attempts
You might be targeted by credential stuffing if you notice:
- Unusual Login Attempts: Notifications of failed login attempts from unfamiliar locations or devices. Many services send security alerts when login attempts occur from new IP addresses.
- Password Reset Notifications: Emails about password reset requests you didn’t initiate, indicating someone attempted to access your account.
- Account Lockouts: Your account becomes locked due to multiple failed login attempts—a sign that automated credential stuffing tools are attempting to test your credentials.
- Suspicious Activity: Unexplained purchases, messages sent from your account, or changes to account settings you didn’t make.
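The warning signs listed above are what a user sees; on the service side, the same attack has a distinctive shape in the authentication log: one source address cycling through many different usernames in a short window, mostly failing, with an occasional success where a reused password matched. The added example below (written for this article, not from any real service) runs that detection over a few constructed log lines. The log format, the usernames and the addresses (drawn from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all made up for the example; the threshold is a tunable assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log in an assumed "ts src= user= result=" format.
# 203.0.113.5 behaves like a credential-stuffing tool; 198.51.100.7 is one
# person mistyping their own password twice.
SAMPLE_LOG = """
2019-01-05T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-01-05T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2019-01-05T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2019-01-05T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2019-01-05T10:00:04Z src=203.0.113.5 user=erin result=OK
2019-01-05T10:00:05Z src=203.0.113.5 user=frank result=FAIL
2019-01-05T10:03:10Z src=198.51.100.7 user=alice result=FAIL
2019-01-05T10:03:25Z src=198.51.100.7 user=alice result=FAIL
2019-01-05T10:03:40Z src=198.51.100.7 user=alice result=OK
""".strip().splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a parsed timestamp; raise on junk."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_stuffing(lines: List[str],
                    window: timedelta = timedelta(minutes=5),
                    min_users: int = 5) -> Dict[str, dict]:
    """Flag any source that tries at least `min_users` distinct usernames
    within `window`. For each flagged source, also list the accounts where a
    login succeeded: those are the reused credentials that need a forced
    reset, not just the source that needs blocking."""
    by_src = defaultdict(list)
    for ev in map(parse_line, lines):
        by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for i, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:  # slide the window
                start += 1
            peak = max(peak, len({e["user"] for e in events[start:i + 1]}))
        if peak >= min_users:
            flagged[src] = {
                "distinct_users": peak,
                "failures": sum(e["result"] == "FAIL" for e in events),
                "matched_accounts": sorted({e["user"] for e in events if e["result"] == "OK"}),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

The distinct-username count is the discriminating feature: a legitimate user who forgets their password produces many failures for one account, while a stuffing tool produces a few attempts each for many accounts. Counting only failures would mis-flag the former and, worse, miss the successes that identify which accounts were actually taken over.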
UK Banks’ Fraud Detection Systems
UK financial institutions employ sophisticated fraud detection systems that identify unusual patterns of account activity. If credential stuffing leads to unauthorised banking access, these systems typically:
- Block suspicious transactions automatically.
- Send SMS or app notifications about unusual activity.
- Require additional authentication for high-risk actions.
- Contact customers directly to verify legitimate transactions.
If You Suspect Banking Fraud:
- Contact your bank immediately using the number on your bank card (not numbers from suspicious emails).
- Report the incident to Action Fraud (0300 123 2040).
- Check your credit report for unauthorised accounts or applications.
- Consider placing a fraud alert with credit reference agencies (Experian, Equifax, TransUnion).
Protecting Against Credential Stuffing
- Primary Defence: Use unique passwords for every account. Password managers make this practical by generating and storing complex, unique credentials.
- Secondary Defence: Enable two-factor authentication wherever available. Even if attackers obtain your password through credential stuffing, they cannot access accounts protected by two-factor authentication (2FA) without your mobile device.
- Monitoring: Regularly review account activity across all platforms. Set up security alerts to receive immediate notifications of login attempts, password changes, or unusual activity.
- Response: If you discover you’ve been reusing passwords, change them immediately across all affected accounts, prioritising financial and email accounts first.
Long-Term Security Measures for UK Gamers
The Town of Salem breach provides lessons applicable to all UK residents who participate in online gaming and digital communities.
Regular Security Audits
Conduct personal security audits every six months:
- Password Review: Check for reused passwords across accounts. Update any that don’t meet current security standards (minimum 12 characters, including a mix of uppercase, lowercase, numbers, and symbols).
- 2FA Status: Verify two-factor authentication remains enabled on critical accounts. Some services disable 2FA after a password change or device upgrade.
- Connected Apps: Review third-party applications with access to your accounts. Remove permissions for services you no longer use.
- Email Security: Check forwarding rules in email accounts—attackers sometimes add rules to forward copies of emails to themselves. Review recovery email addresses and phone numbers to ensure they’re current.
Privacy Settings for Gaming Platforms
- Steam Privacy Settings:
  - Set profile to “Friends Only” or “Private”.
  - Limit who can see your game details and inventory.
  - Disable public comment posting on your profile.
  - Review and remove suspicious friends or followers.
- Console Privacy Settings (PlayStation/Xbox):
  - Restrict who can contact you to friends only.
  - Disable activity feed sharing.
  - Review app permissions regularly.
  - Enable privacy settings for voice chat and messages.
- Mobile Gaming:
  - Disable location services for games that don’t require them.
  - Review in-app permission settings.
  - Avoid linking social media accounts unnecessarily.
  - Use separate email addresses for gaming accounts.
Data Minimisation Practices
Provide only the information absolutely necessary when creating gaming accounts:
- Required Information: Email address, username, password.
- Often Unnecessary: Date of birth, phone number, physical address (unless purchasing physical goods).
- Never Provide: National Insurance number, or card details typed directly into a game’s own form rather than a recognised payment processor (Steam, the app stores, PayPal), so the game operator never holds your card number.
Many services request more information than is legally required. Under UK GDPR principles, organisations should collect only data necessary for specific, legitimate purposes. You’re entitled to question why particular information is needed.
Staying Informed About Breaches
- Have I Been Pwned Notifications: Enable email alerts at haveibeenpwned.com to receive immediate notifications when your email address appears in new data breaches.
- Security News Sources: Follow reputable UK cybersecurity sources such as NCSC alerts, ICO news updates, and technology security sections of major news outlets.
- Company Communications: Read security announcements from gaming platforms and services you use. Enable security notifications in account settings to receive breach alerts directly.
- Community Forums: Gaming community forums and subreddits often discuss security issues before they’re widely publicised. Participate in security-conscious gaming communities.
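The password-reuse advice above and the Have I Been Pwned notifications both come down to one question: is this password already in a breach corpus? HIBP’s Pwned Passwords service answers it without ever seeing the password, using a k-anonymity range query: the client hashes the password with SHA-1 locally, sends only the first five hex characters, receives every stored suffix sharing that prefix, and matches on its own machine. The script below is an added example written for this article, not code from BlankMediaGames, HIBP or the original page. The `api.pwnedpasswords.com/range/` endpoint and the `Add-Padding` header are real; the count and the extra suffixes in the constructed response are made up so that the example runs offline.

```python
"""k-anonymity breach check for a password, as used by Have I Been Pwned's
Pwned Passwords service.

Added example; not code from the article, from BlankMediaGames or from HIBP.
The password is hashed locally with SHA-1 and only the first five hex
characters of that hash are sent; the service answers with every stored
suffix sharing that prefix, and the match is made on this machine, so the
service never learns which password was checked.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint of the range API. The offline demo below never contacts it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char
    prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates CRLF line endings, blank lines and the zero-count padding
    rows the service adds when the Add-Padding header is sent.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue  # skip malformed rows rather than crash on them
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch(prefix: str) -> str:
    """Fetch a range from the real service (network access required)."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "tos-breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service so the example runs offline.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6. The count and the other two suffixes are invented for illustration.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",   # suffix of "password"
        "0" * 34 + "1:0",                                 # zero-count padding row
        "2D6A1F7B3C9E8D0A5B4C3D2E1F0A9B8C7D6:12",        # some other password
    ]) + "\r\n",
}


def constructed_fetch(prefix: str) -> str:
    """Offline fetcher returning the constructed ranges above."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "corr3ct-h0rse-battery-staple-1729"):
        n = breach_count(pw, constructed_fetch)
        verdict = f"seen {n} times, do not use" if n else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

To check against the real corpus, pass `live_fetch` instead of `constructed_fetch`; the password itself still never leaves the machine. A non-zero count means the password is in attackers’ credential-stuffing lists and should be retired everywhere it was used.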
Current Status and Ongoing Concerns
Understanding the current state of Town of Salem and BlankMediaGames helps contextualise ongoing risks and responsibilities.
Company Ownership Changes
In August 2024, Digital Bandidos acquired BlankMediaGames and the entire Town of Salem franchise. The original development company appears to have been dissolved, with Digital Bandidos assuming control of game development and player data management.
This ownership change raises questions about historical accountability for the 2018 breach. Digital Bandidos inherited the player database but wasn’t responsible for the original security failures. Whether they’ve addressed the technical vulnerabilities that enabled the breach remains unclear, as no public security audit has been released.
Town of Salem 2 Launch
Town of Salem 2 launched in July 2023 through Steam Early Access, with full release following shortly after. Mobile versions for iOS and Android were released in March 2024. The sequel represents a fresh start from a technical standpoint, built on updated infrastructure.
However, players should approach Town of Salem 2 with awareness of the original game’s security history. Digital Bandidos hasn’t publicly detailed security improvements or conducted independent security audits to demonstrate enhanced data protection.
Original Game Status
The original Town of Salem transitioned to a paid model in November 2018—just weeks before the breach became public. This change was implemented to combat botting issues plaguing the free-to-play version. The game remains available through Steam (£4.99), mobile platforms, and web browsers.
Players who created accounts before the November 2018 paid transition were grandfathered in with free access. This means many affected by the breach still have active accounts, though ideally with changed passwords.
Lessons for the UK Gaming Industry
The Town of Salem breach highlighted vulnerabilities common across the gaming industry:
- Outdated Security Practices: Using weak hashing algorithms (MD5) despite decades of security research demonstrating their inadequacy.
- Delayed Breach Response: Failing to notify users promptly, violating GDPR requirements and leaving accounts vulnerable for extended periods.
- Minimal Transparency: Providing limited information about breach scope, attack vectors, and remediation efforts.
- Inadequate User Protection: Not implementing forced password resets immediately after discovering compromised credentials.
UK gaming companies should learn from these failures by storing passwords with a salted, deliberately slow hash (bcrypt, scrypt or Argon2 rather than MD5), establishing prompt breach-disclosure procedures, commissioning regular independent security testing, and protecting users proactively, for example by forcing password resets as soon as a compromise is confirmed.
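The difference between the weak hashing the article attributes to the breached database and the modern alternative is easiest to see side by side. The script below is an added example written for this article, not BlankMediaGames’ or phpBB’s code: the five-user dump and the wordlist are constructed, and the scrypt parameters are illustrative, not a claim about any product. With unsalted MD5 every user who chose the same password gets the same stored value, and one lookup table built from a wordlist cracks all of them at once; with a per-user random salt and a memory-hard KDF, identical passwords produce different records and each guess must be recomputed per user. `hashlib.scrypt` is in the Python standard library on OpenSSL-backed builds.

```python
"""Unsalted MD5 (what the breached database used, according to the
article) beside salted, slow password hashing (what the lesson calls for).

Added example; not BlankMediaGames' code or phpBB's. The user list and
wordlist are constructed, and the scrypt parameters are illustrative.
"""
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional


# --- Weak scheme: fast, unsalted digest. Identical passwords give identical
#     hashes, and one precomputed table cracks every user at once. ----------
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5_dump(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Recover passwords from an unsalted MD5 dump with a lookup table built
    once for the whole wordlist (hash work is independent of user count)."""
    table = {md5_store(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


# --- Modern scheme: per-user random salt and a memory-hard KDF. ------------
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt_hex$key_hex'; the salt is random per user."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        alg, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if alg != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key.hex(), key_hex)


def largest_shared_group(dump: Dict[str, str]) -> int:
    """How many users share the most common stored value. Anything above 1
    means the store itself reveals which users chose the same password."""
    return max(Counter(dump.values()).values()) if dump else 0


# Constructed sample: five accounts, three of which chose the same password.
USERS = {
    "alice": "password123", "bob": "Salem!2018", "carol": "password123",
    "dave": "password123", "erin": "vX9#k2m!Qr7z",
}
WORDLIST = ["123456", "password", "password123", "qwerty", "salem"]


def build_md5_dump() -> Dict[str, str]:
    return {u: md5_store(p) for u, p in USERS.items()}


def build_scrypt_dump() -> Dict[str, str]:
    return {u: scrypt_store(p) for u, p in USERS.items()}


if __name__ == "__main__":
    md5_dump = build_md5_dump()
    print("MD5: largest group sharing a hash =", largest_shared_group(md5_dump))
    print("MD5: cracked with a 5-word list  =", crack_md5_dump(md5_dump, WORDLIST))
    s_dump = build_scrypt_dump()
    print("scrypt: largest group sharing a hash =", largest_shared_group(s_dump))
    print("scrypt: alice verifies =", scrypt_verify("password123", s_dump["alice"]))
```

The MD5 run cracks alice, carol and dave with five hashes of work in total; against the scrypt records the same wordlist would cost five scrypt evaluations per user, and nothing in the dump shows that those three accounts share a password.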
Your Continuing Responsibilities
Even years after the breach, affected players should maintain vigilance:
- Monitor Accounts: Continue watching for suspicious activity across all accounts where you may have reused Town of Salem credentials.
- Change Passwords When There Is Reason To: NCSC advises against routine password expiry, which pushes people toward weaker, predictable passwords. Change a password promptly when a service reports a breach, when Have I Been Pwned flags it, when you see unfamiliar account activity, or when you discover you reused it elsewhere.
- Stay Informed: Keep aware of security developments affecting gaming platforms and adjust your security practices accordingly.
- Verify Communications: Be suspicious of emails claiming to be from BlankMediaGames, Digital Bandidos, or Town of Salem. Verify legitimacy before clicking links or providing information.
The Town of Salem data breach serves as a stark reminder that online security requires ongoing attention. By implementing the protective measures outlined in this guide, UK players can significantly reduce their risk of future compromise whilst enjoying online gaming safely.
The Town of Salem data breach affected 7.6 million players worldwide, exposing usernames, email addresses, weakly-hashed passwords, IP addresses, game activity, and limited payment information. The breach occurred on 13 December 2018 through exploitable vulnerabilities in the phpBB forum software, but wasn’t publicly acknowledged until January 2019.
UK players have specific rights under GDPR, including the right to be told of a breach without undue delay where it is likely to put them at high risk (Article 34), the right to compensation for damages, and the ability to file complaints with the ICO; the 72-hour deadline applies to the controller’s report to the ICO (Article 33). BlankMediaGames’ delayed response and inadequate security measures potentially violated multiple GDPR requirements.
Protecting yourself requires using unique passwords for every account, enabling two-factor authentication, employing password managers, and regularly monitoring accounts for suspicious activity. The breach’s impact extended beyond the Town of Salem through credential stuffing attacks, emphasising why password reuse creates cascading security risks.
Report concerns to the ICO (0303 123 1113), Action Fraud (0300 123 2040), and utilise NCSC resources for cybersecurity guidance. Check whether your email appears in known breaches at Have I Been Pwned, and take immediate action if you discover credential exposure.
Years after the breach, affected players should maintain heightened security vigilance, as compromised credentials remain valuable to attackers. Prompt password changes after any breach notification, periodic security audits, and awareness of evolving cyber threats remain essential for protecting your digital identity in an increasingly connected world.