Last night, while investigating lag occurring across all IRE games, we discovered an unmitigated SQL injection vulnerability in the gamefeed processing on the games' websites, which was being actively used by an attacker. In an abundance of caution, we disabled the gamefeed functionality across all games and sinkholed the vulnerable API endpoint. We have now fixed the faulting code and reenabled the gamefeed.
We are still investigating the full impact of the vulnerability, but at this time it does not appear any customer data was accessed. It appears to have been a blind attack that didn't get beyond an attempt to identify access limitations, so no critical information was accessed whatsoever.
Special thanks to Razmael of Aetolia for identifying the initial impact, and Phaestus of Achaea and Eoghan of Imperian for identifying the SQLi and creating a mitigation.
4