bit-gamer.net

Ubisoft coughs to major data breach

Ubisoft has admitted that an attacker has made off with a database containing usernames, email addresses and encrypted passwords of its entire user base.

Ubisoft has admitted that an attack on its network has resulted in the personal details of all its customers being accessed by a third party, in what has become a string of security problems for the company.

The game publishing giant has emailed its customers to warn that an attack, the details of which it is refusing to divulge beyond claims that 'credentials were stolen and used to illegally access our online network,' has given unknown third parties full access to its user account database. While the database does not contain financial information - credit card details are held on the network of a third-party payment processing company, not by Ubisoft itself - the breach has resulted in user names, email addresses and encrypted passwords being stolen.

To Ubisoft's credit, the passwords were not being stored as plain-text values but as hashes - hashing being a process often incorrectly termed 'encrypting.' A hash value is a gibberish string which is near-impossible to turn back into its original human-readable plain-text equivalent. When a user enters his or her password to log in, the system creates a new hash and compares it to the stored hash; if the values match, the user is allowed access.

While a one-way hash function is secure from computational reversal, it's not a complete protection: tools exist to run brute-force or dictionary attacks against password hashes, where candidate strings are rapidly hashed and compared to the stolen database in order to find matches. If your password is "password," in other words, the hashing function will barely slow the attacker down. For shorter passwords, typically below eight alphanumeric characters, there are also 'rainbow tables' which store pre-computed hash values and their plain-text equivalents - allowing an attacker to find the plain-text password associated with an account instantly.

The security of hashes can be improved by using a 'salt' value, which differs from user to user and which alters the final hash considerably. Using salted hashes greatly increases the computational effort needed to crack the passwords, and ensures that users who have chosen the same password do not receive the same hash. Ubisoft has not, sadly, confirmed whether or not its password database was salted.
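The login check and the effect of a per-user salt described above, as an added example; this is not Ubisoft's code, and nothing here reflects how its database was actually built. The choice of PBKDF2-HMAC-SHA256, the iteration count and the three sample accounts are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Plain one-way hash: identical passwords always give identical output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Create a stored credential: a random per-user salt plus the derived hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_hash_groups(stored: dict) -> list:
    """Return groups of users whose stored hash values are identical."""
    by_hash = {}
    for user, value in stored.items():
        by_hash.setdefault(value, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


# Constructed sample accounts: two users happen to pick the same password.
ACCOUNTS = {"alice": "password", "bob": "password", "carol": "T4ble-lamp-river"}

if __name__ == "__main__":
    unsalted = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    salted = {u: make_record(p) for u, p in ACCOUNTS.items()}
    print("unsalted, shared hashes:", shared_hash_groups(unsalted))
    print("salted, shared hashes:  ",
          shared_hash_groups({u: r["hash"] for u, r in salted.items()}))
    print("alice logs in:", verify("password", salted["alice"]))
    print("wrong password:", verify("passw0rd", salted["alice"]))
```

In the unsalted store the two accounts with the same password share one hash value, so a single pre-computed entry covers both; in the salted store every record is distinct and has to be tested separately.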

'We sincerely apologise to all of you for the inconvenience,' Ubisoft told its users of the breach. 'Please rest assured that your security remains our priority. Ubisoft’s security teams are exploring all available means to expand and strengthen our security measures in order to better protect our customers. Unfortunately, no company or organisation is completely immune to these kinds of criminal attacks.'

This attack represents the third major security breach suffered by the company in the last year, following a bug in the Uplay browser plug-in which one security researcher compared to a 'rootkit' and a hole in the Uplay digital rights management (DRM) implementation which allowed attackers to download the unreleased Far Cry 3: Blood Dragon conversion.

Ubisoft is recommending that all its users change their passwords immediately, and further warns those silly enough to re-use the same or similar password on multiple sites to do the same anywhere else the password has been used.

19 Comments

mi1ez 3rd July 2013, 09:47 Quote
At least passwords were hashed. Would rather all details were, and (as stated) salted too, but we've seen worse!
Gareth Halfacree 3rd July 2013, 09:55 Quote
Quote:
Originally Posted by mi1ez
At least passwords were hashed. Would rather all details were, and (as stated) salted too, but we've seen worse!
You can't really hash all details: what use would a hashed email address be to Ubisoft? It can't send adverts to 677b5891ea278a439b8539b438d82a08...
Andy Mc 3rd July 2013, 10:01 Quote
Yeah got an email yesterday evening telling me to change my password, which I did.

Pro tip: if you use the same password for the email account as your Ubisoft account, then you may want to change your email password too.
mi1ez 3rd July 2013, 10:06 Quote
Quote:
Originally Posted by Gareth Halfacree
You can't really hash all details: what use would a hashed email address be to Ubisoft? It can't send adverts to 677b5891ea278a439b8539b438d82a08...

We'll just call that a cheeky bonus!
CrazyJoe 3rd July 2013, 10:29 Quote
It's all just a stunt to advertise Watch Dogs.
rpsgc 3rd July 2013, 11:27 Quote
I think enforcing the death penalty for these kinds of actions would be a good dissuader.


No, I'm serious. These hackers are scum and deserve whatever they get.
miller 3rd July 2013, 11:46 Quote
I wonder if companies like Ubisoft, Sony, MS, etc, that store this info were to use similar security measures that online banking uses if people would actually pay for that level of security to keep their data secure, agreed some companies like Sony who were hacked made little attempt at security but if we want serious data security maybe we should expect to pay a little for it?

INCOMING
forum_user 3rd July 2013, 14:21 Quote
It'll be the NS* collecting more data on us.
Fingers66 3rd July 2013, 14:24 Quote
Quote:
Originally Posted by miller
I wonder if companies like Ubisoft, Sony, MS, etc, that store this info were to use similar security measures that online banking uses if people would actually pay for that level of security to keep their data secure, agreed some companies like Sony who were hacked made little attempt at security but if we want serious data security maybe we should expect to pay a little for it?

INCOMING

Surely the money we are paying them for the games and DLC, which is a lot more than the annual fees we pay our banks, is enough to expect them to keep our details secure?
jimmyjj 3rd July 2013, 14:51 Quote
Those wank*rs (ubisoft)

I only have an Ubisoft account because of their shitty DRM and now they go and lose my data.
liratheal 3rd July 2013, 15:06 Quote
It's been so long since I used my ubisoft account I can't remember what my password was before today anyway..
Artanix 3rd July 2013, 16:03 Quote
Quote:
Originally Posted by rpsgc
I think enforcing the death penalty for these kinds of actions would be a good dissuader.
No, I'm serious. These hackers are scum and deserve whatever they get.

I know of at least a few places where people will hack something, and then notify the company of the vulnerability in their network. Just because something has been "accessed" doesn't always mean a bad thing.

If I told you I could break into your car in 5 seconds, you wouldn't believe me until I showed you.

Just for the record, I'm not saying this is happening in this instance, and I'm not supporting "hacking", but seriously, people need to stop being so naive.
Gareth Halfacree 3rd July 2013, 16:15 Quote
Quote:
Originally Posted by Artanix
If I told you I could break into your car in 5 seconds, you wouldn't believe me until I showed you.
Brick. Window. Job's a good 'un.
Dave Lister 3rd July 2013, 16:24 Quote
I had an email about this - this morning, encouraging me to change my password. The problem is when I try, it asks me to enable cookies (Chrome with adblock & donottrackme) is that itself not a security risk?
miller 3rd July 2013, 16:40 Quote
Quote:
Originally Posted by Fingers66
Surely the money we are paying them for the games and DLC, which is a lot more than the annual fees we pay our banks, is enough to expect them to keep our details secure?

That would be the argument that many people, myself included would say but clearly these companies are not prepared to spend the time, money and resources on data security, I wonder just how much money these companies make from online gaming as it can't be cheap to buy and maintain all the infrastructure.

I'd pay an extra say £5 a year for decent security and if the company still got hacked then they should have to give their customers some free gaming time, obviously it would not be popular but it was just a thought
PabloFunky 3rd July 2013, 17:50 Quote
Created reset password.

Now when I try to log in, it says my email or password is incorrect.

What now?
coyote 3rd July 2013, 18:38 Quote
I get the same when I try to cancel my? account. What's really worrying is that I have never played a Ubisoft game online or otherwise. I have also never opened a Ubisoft account. I don't play games, never have really bothered with them. How the hell did Ubisoft get my e-mail address? Very worrying and they are not being helpful at all.

My now departed (died a few years ago) brother hated games, his illness made him very bad tempered and his version of hell was playing an online game, so I'm sure it's nothing to do with him.
Eiffie 3rd July 2013, 18:41 Quote
Got the e-mail about this as well early in the day as others have said. I don't really use UPlay anymore, not since Might & Magic Heroes 6 which I wish I could have fonder memories of. Changed my password anyway in case I need to use that service again. At least UPlay was pretty minimal and just did its job when running along with Steam. Maybe it's time to jump into Far Cry 3 later this year when the price drops.
bawjaws 3rd July 2013, 20:08 Quote
As an aside, I really don't like the way you guys now constantly use "coughs to" instead of "admits to" or "teases" instead of "previews". Is it because you're trying to fit in with the cool crowd? :D