Scuf Gaming Data Breach Exposes 128,683 Accounts, Including Emails, Usernames, and Password Hashes
What Happened – In June 2015, Scuf Gaming, a maker of custom gaming controllers, suffered a data breach that leaked 128,683 unique email addresses together with usernames, display names, IP addresses and password hashes. The breach was added to Have I Been Pwned on 26 Mar 2026.
Why It Matters for TPRM –
- Legacy breaches can surface in credential‑stuffing attacks against partner services.
- Exposed credentials may be reused on other vendor platforms, expanding the attack surface.
- Demonstrates the need for continuous monitoring of third‑party breach feeds, even for older incidents.
Who Is Affected – Gaming hardware manufacturers, online retailers of gaming accessories, and any downstream services that accepted Scuf Gaming credentials for authentication.
Recommended Actions –
- Verify that any internal applications that allowed Scuf Gaming credentials have been de‑provisioned.
- Encourage affected users to rotate passwords and enable MFA on all linked accounts.
- Update third‑party risk registers to reflect the breach and reassess Scuf Gaming’s security posture.
Technical Notes – The breach appears to have resulted from unauthorized access to a customer database; no specific CVE or exploit was disclosed. Compromised data includes email addresses, usernames, display names, IP addresses and salted password hashes. Source: Have I Been Pwned – Scuf Gaming Breach