Included are email addresses, IP addresses, usernames and passwords. All passwords were protected using MD5 hashing which is easy to break. The existence of the details came to light on the weekend.
The two sites were used to share pirated copies of games for Microsoft and Sony gaming platforms.
Australian Web security expert, ethical hacker and Microsoft Regional Director Troy Hunt maintains a website of the known breaches. Gamers using Xbox, PlayStation, Pokemon, Minecraft and more will need to change passwords.
The Xbox hacks happened in September 2015 involving Xbox 360 ISO accounts and Xbox scene accounts. The Sony PlayStation hacks happened in July 2015 and involved its PS3Hax, PSX-Scene, PSP ISO databases.
The Pokemon hacks happened in August 2014 and October 2016, exposing email addresses, genders, IP addresses, passwords, usernames, and website activity.
Mark James, security specialist at ESET, said: “Often people using seemingly low-security websites don’t enforce good password security because it’s not a financial target. But all data has a value and will be re-used for other purposes. Every website should be treated as unique and require different passwords with a mix of usernames if possible.”
Hunt said, “Data breaches are often sold via dark websites or within closed trading circles. The prevalence of password re-use means that a relatively benign site can hold credentials that unlock far more valuable resources, for example, email or social media accounts.”