Ubisoft users’ screen names and passwords exposed in hack
A database containing email addresses and passwords belonging to users of the website for Ubisoft, the video game developer behind the hit “Assassin’s Creed,” was accessed illegally in a hack.
The French company said someone used “stolen credentials” to access its “online network.” The company didn’t disclose how many of its users were hit, but it has sold more than 55 million of its top game. Ubisoft said on its website Tuesday that no credit card information is stored with the company and thus users’ financial information was not at risk. Ubisoft website users can buy games and post on its forum.
Many websites automatically reset user passwords after a data breach. But Ubisoft took a different approach, recommending via email that users manually update their passwords on its website and any other websites where users might use a similar password.
One poster on a Ubisoft forum said, “Congrats UBISOFT for making me change all my passwords for everything I use. Bank, Credit Cards, Email, Utilities, Cell Phone, College. How about some compensation! Your ignorance leads to unnecessary burdens on your users. This bit of having accounts compromised has grown old...Played hawx back in 2006 forget I even had a UBISOFT account.”
Ubisoft said it notified “authorities” and is consulting with “internal and external security experts” to shore up security measures.
Computer hacking plays a prominent role in the company’s new game “Watch Dogs,” which will come out in November. In May, Gamespot reported that Ubisoft has worked with the security firm Kaspersky Labs to provide a realistic portrayal of how hacking works.
In a report earlier this year, Kaspersky Labs said that Chinese hackers had attacked at least 35 game developers across the world during the last four years. The hackers, likely looking to make pirated copies of games, were after game code, authentication certificates and in-game currency.
Ubisoft said its breach was unrelated. Kaspersky Labs said it did not immediately have any information on the latest incident at Ubisoft.
Richard Henderson, a security researcher for the cybersecurity firm Fortinet, said some gaming companies are also “under constant assault” from hackers looking to snatch user account databases.
“All of this info is quite valuable in the ‘virtual gold’ and account markets,” Henderson said in an email.
He credited the game developer Blizzard for getting a large percentage of its users to use two-factor authentication, a technology that requires a second code in addition to the password to log into an account.
In Ubisoft’s case, Henderson noted that the company didn’t detail how it stored and encrypted passwords.
This “either means they’re concerned that they are using an encryption method that isn’t particularly strong, or they’re being deliberately quiet to prevent the attacker from determining a best course of action to attack the encrypted files,” Henderson said.
A Twitter post by a self-described “security researcher” in March said that Ubisoft’s website could be compromised through a MySQL injection, an attack in which unvalidated input lets an attacker send commands directly to the database. Based on the wording in Ubisoft’s statement, it seems unlikely that this was the method through which the website was hacked. But the possibility of SQL exploits remains problematic for many websites.
“Companies still fall prey to it, no matter how many times we preach for them to ‘validate their inputs,’” Henderson said.
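The weak password storage Henderson alludes to and the SQL injection the last two paragraphs describe, each beside its fix, as an added example that is not Ubisoft's code or anything from the article: a login check that splices user input into a MySQL-style query over plaintext passwords, next to one that binds parameters and verifies a salted PBKDF2 hash. The table names, the user “alice” and the password are constructed, and SQLite stands in for MySQL.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for a site's account tables (hypothetical schema, not
# Ubisoft's). weak_users keeps plaintext passwords and is queried by string
# concatenation; users keeps salted PBKDF2 hashes and is queried with
# bound parameters.
def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE weak_users (name TEXT, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    db.execute("INSERT INTO weak_users VALUES ('alice', 'hunter2')")
    register(db, "alice", "hunter2")
    return db

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a stolen table cannot be reversed with a lookup table.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(db: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (name, salt, hash_password(password, salt)))

def login_weak(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Vulnerable: the submitted strings become part of the SQL text, so a quote
    # in the input rewrites the query's logic instead of being compared as data.
    sql = (f"SELECT COUNT(*) FROM weak_users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return db.execute(sql).fetchone()[0] > 0

def login_safe(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Hardened: '?' placeholders pass the input as bound values, never as SQL,
    # and the password is checked against its salted hash in constant time.
    row = db.execute("SELECT salt, hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

if __name__ == "__main__":
    db = build_db()
    injected = "' OR '1'='1"  # quote-breaking text typed into the password field
    print("weak, injected input:", login_weak(db, "alice", injected))   # True: query rewritten
    print("safe, injected input:", login_safe(db, "alice", injected))   # False: treated as data
    print("safe, real password: ", login_safe(db, "alice", "hunter2"))  # True
```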