White Wolf Publishing Inc., a company responsible for some of the most popular role-playing game brands, has reset all users' passwords after international hackers exploited a software flaw and stole user data that included user names, e-mail addresses and encrypted passwords.

Following the breach, the company, based in Stone Mountain, Ga., said the hackers attempted to extort money by threatening to post the potentially sensitive user data on the Internet.

"We have no intention of paying this money, and are in contact with the FBI in an attempt to bring these criminals to justice," White Wolf said in a notice posted online.

"As far as we can ascertain, they were unable to access any credit card data (nor have they claimed they did). However, it is possible for the encrypted passwords they accessed to be decrypted given enough time," the company said.

White Wolf recommended that users and fans who may have used the same user name and password for other Internet services change those passwords immediately.

Although Web site breaches and data theft are commonplace, security researchers say the brazen extortion attempt against White Wolf confirms earlier fears that attacks against small-business sites are being carried out by well-organized international crime groups.

"This started early in 2004 when the botnet owners used mostly denial-of-service attacks to extort money from banks and ISPs. We used to think of those as experimental attacks, but it's become much more brazen and organized today," said John Pescatore, research director for Internet Security at Gartner Inc.

"From the experimenting stage, it moved to vandalism, and we had all these defacement attacks. After that, it became politically motivated and we kind of expected the next phase to be cyber-crime. That's the stage we're in today with these kinds of extortion attacks," Pescatore said in an interview.

He said the White Wolf breach was a classic example of hackers targeting small businesses in extortion schemes.

"They are picking on the smaller businesses that are less likely to defend themselves. Once the banks started paying for distributed denial-of-service protection, the small businesses became a prime target," he said.

Pescatore said pornography and online gambling sites are perennial targets for denial-of-service extortion schemes and pointed out that companies like Prolexic Technologies Inc. have found a lucrative niche in providing DDoS mitigation services.

Andrew Jaquith, senior analyst with Yankee Group Research Inc., said the White Wolf situation is "the equivalent of guys with ski masks running around breaking knees."

"We haven't seen evidence that this is a widespread phenomenon, but there's enough chatter in the security underground that the risk of this happening to any small business is very real," Jaquith said.

He said smaller companies that cannot afford to budget for DDoS mitigation technology should consider perimeter defense from a managed services provider.

"It's hard to defend against something that's already stolen. Once the data is gone, like in White Wolf's case, you're basically at the mercy of the attacker."

"If there's one thing the last 18 months have shown us with botnets and pervasive malware, it's that hackers will take advantage of whatever angle they think they'll get. If this is what works, we'll see more of it," Jaquith added.

Gartner's Pescatore said companies that collect sensitive data from customers have a responsibility to find and patch software flaws that are exploited by hackers.

Officials from White Wolf did not respond to requests for comment.

On message boards dedicated to role-playing games, fans of the site said the breach likely occurred via flaws in the phpBB software used by White Wolf.

The phpBB Web forum software has been the target of attacks by an Internet worm known as Net-Worm.Perl.Santy.A or Santy. The worm uses Google search to randomly find sites running phpBB and overwrites several different files to deface the forums.

"Most of these data breaches occur because companies leave gaping holes unpatched," Pescatore said. "These businesses need to start using vulnerability management and intrusion-detection software, preferably from a managed services provider. They should also be encrypting stored data to provide added protection [for users]."

Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.