Before you carry on reading this blog post, if you have an account with GAME.co.uk go there NOW and change your password and/or username.
Have you done it?
Good, then read on...
Back in January 2012, GAME denied reports of being hacked, as 200 usernames and passwords were posted online by hackers. GAME denied this and said that they were not authentic. This may be the case or not, but what I can tell you is the following...
On Wednesday the 20th March 2013 at 18:10. My wife received an email from GAME stating that her GAME.co.uk account username has been updated to a different email address. My wife doesn't own the new email address nor did she sign into GAME to change it.
The first thing we did before clicking on any links was to ensure the email looked genuine, it could after all be a phishing attempt. I looked at the message headers and the source of the HTML email. It looks authentic. However the in their source the link to their "Online Contact Form" is a link to {contactUsURL} a templated value that has not been filled in. Very helpful guys, well done.
I have received emails in the past from different companies when I myself have changed my own details. They usually contain a link for you to click on just in case it wasn't you that made the change. GAME however do not have this feature. Again, very helpful guys, well done.
So next, we go to the website and find the Online Contact Form which was missing from the email. There's an address to write to, an email contact us form, some phone numbers for store and product information, and a live web chat, which closes at 5pm. Remember we received this email after 6pm.
So my wife fills in the email contact us form, explaining what has happened, we get an automated response back saying someone will be contacting us within the next 7 working days. What about the mean time while somebody else now has access to our home address, and the card details that were stored there?
We decide we should really speak to somebody in person about this, so we look at these phone numbers, there are two of them on the contact us page and one on the email we received. The numbers cost 10p a minute to ring, and do not give the option to be able to speak to a human being. They just tell you to visit the website as they have now moved to an email and web chat service. We had no choice but to wait until the next morning to see if we can web chat with somebody, I've used these services before for other companies and they usually work quite well.
In the mean time, we look through the emails we have previously received from GAME. The last order we made was in November and part of the card number used to buy the goods was in the email, this was actually quite helpful, we got onto the bank straight away and cancelled that particular card.
The next day we discover that the web chat facility simply does not work. My wife spent most of Thursday 21st March connected to their web chat service waiting for someone answer, however each attempt would last for an hour where a message about the service being in high demand would be given and then eventually time out. We have tried it again today without success.
Inbetween waiting for the web chat she then proceeded to try and contact them through Facebook and Twitter. No response from there either initially. They did reply on twitter asking us to send an email to their specific twitter email account. Which we did, only to receive back.... nothing (yet). Later when we looked back through the GAME Facebook and Twitter pages we discovered the messages we had sent had mysteriously disappeared. Something to hide GAME?
Now there doesn't appear to be a cry of people that this has happend to when you do a search on the web, but we have been contacted on twitter by someone else who is going through the same thing, and there is a thread on moneysaving expert about it which my wife has also commented on.
Having recently started work for a software company that specialises in security software this kind of thing is all too familiar with what I have been reading for my work. I would advise everybody to use a password manager like LastPass or 1password or even a the handy little password composer greasemonkey script in order to create and easily use a unique password on each website you use.
The most frustrating thing about this, and the ultimate reason why I wrote this blogpost, is that we are helpless, there's nobody to physically talk to about how to regain access to our account (which will be promptly closed when we do), and we are forced to play a waiting game. Whoever is hacking into these accounts knows this and is taking full advantage of that fact that there is no help for people who have their account stolen.
At the time of writing two days have past since we first reported this, and now it's the weekend. I think we may even pay a visit to an actual GAME store this weekend to see if the staff there can be anymore helpful, or at least be able to contact the right people within their website department.
Labels: GAME UK Hacked, GAME.co.uk Hacked, Stolen GAME Account
