Skip links

530K people’s info feared stolen from cloud PC gaming biz Shadow

Shadow, which hosts Windows PC gaming in the cloud among other services, has confirmed criminals stole a database containing customer data following a social-engineering attack against one of its employees.

CEO Eric Sele declined to say how many people’s personal information was accessed in the leak even as someone who claimed to have stolen those details on 533,624 customers put the database up for sale on a cybercrime forum.

The French cloud service lets users remotely access their own virtual PCs and stream games to their local devices. Customers can also access remote PC instances for development work and other tasks as well as cloud storage. A company spokesperson declined to answer specific questions about the security breach, including if customers’ remote Windows instances and storage were compromised. 

The Shadow rep did confirm that an email to customers alerting them to the information theft, shared with The Register by readers and posted on Reddit, is legitimate, and gave us a statement from Sele, noting “we will not comment further.”

According to Sele’s missive, Shadow was the “victim of a social engineering attack which led to the exfiltration of the database of one of our service providers, resulting in the unauthorized exposure of certain customer data.”

The stolen data includes full names, email addresses, dates of birth, billing addresses and credit card expiration dates. “Most importantly, no passwords or sensitive banking data have been compromised,” Sele said.

Upon discovering the theft, Shadow took “immediate steps” to lock down its systems and reinforce security protocols it applies with third-party providers.

“Transparency with our community is a key principle at Shadow, and we sincerely apologize to our customers for the inconvenience this incident has caused,” the chief exec said.

In the alert emailed to Shadow customers, Sele provided more details about what happened in the social engineering attack, and said it took place in late September. 

“This highly sophisticated attack began on the Discord platform with the downloading of malware under cover of a game on the Steam platform, proposed by an acquaintance of our employee, himself a victim of the same attack,” according to the notice.

“Despite our actions, the attacker was able to exploit one of the stolen cookies to connect to the management interface of one of our SaaS providers,” it continued. “Thanks to this cookie, now deactivated, the attacker was able to extract, via our SaaS provider’s API, certain private information about you.”

On Monday, a crook listed for sale what they claimed to be an 879 MB Shadow database with details on 533,624 customers. The miscreant said they attempted an “amicable settlement” with Shadow, which the gaming firm “deliberately ignored.”

While The Register has not verified the data, it allegedly includes customers’ date of birth, physical address, full name, last four digits of credit card and expiration date, IP connection log, email address “and more,” according to the miscreant. ®