Slashdot Mirror


Codemasters' Website Hacked

skybon writes "After similar attacks on Sony and Square Enix, Codemasters' website has now been hacked as well. The intrusion took place on 3 June, and is believed to have compromised members' names, usernames, screen names, email addresses, date of birth, encrypted passwords, newsletter preferences, any biographies entered by users, details of last site activity, IP addresses and Xbox Live Gamertags. In a letter sent out to CodeM subscribers, the company recommended changing passwords as soon as possible."

76 comments

  1. Epic Forums by Cidolfas · · Score: 1

    The Epic forums got hit too, with usernames and encrypted passwords. At least, the UDK forums did, and I assume the Gears and other game-specific ones did too. Got the email about that today. At least they encrypted passwords, hopefully with a good salt.

    --
    I am become /dev/null, destroyer of data.
    1. Re:Epic Forums by Anonymous Coward · · Score: 0

      *hashed* passwords

    2. Re:Epic Forums by Anonymous Coward · · Score: 0

      I came here to say that too. I got a password reset e-mail from them.

      I first had to check that the mail itself wasn't a phishing attempt. Somebody could have a great deal of fun, sending out such phishing e-mails at the right moment.

    3. Re:Epic Forums by Konsalik · · Score: 1

      Yes, please note the difference between *hashed* and *encrypted*, as passwords are usually hashed to obfuscate them.

    4. Re:Epic Forums by DrXym · · Score: 2
      Hashing is not obfuscation. It produces a one way digest of your password, which if properly salted and hashed is very difficult to recover. So a site which uses hashes can't send you a password reminder since it doesn't know what your password is. The danger is if the site doesn't salt properly an attacker can use a reverse hash lookup to figure out what the password is. In addition without salting if 2 or more users use the same password you can tell it instantly by looking for duplicate hashes.

      Sites that encrypt passwords can recover them and can send you reminders. The danger with sites that use encryption is the key has to be sitting around somewhere on the login server and / or the database in order to make comparisons. If an attacker can hack the site they can probably recover the key. With the key they have plaintext passwords for everyone, even those who bothered to choose a strong password.

      The strongest sites are probably those which hash AND encrypt and take care to put the service that does this on another locked down machine.

    5. Re:Epic Forums by Seumas · · Score: 1

      This is yet another reason that the whole idea of forcing users to use their real names on Battle.net and Blizzard/Activision forums was a fucking awful one. And yeah, the problem with the passwords is that they point out that the passwords were hashed, but they don't mention whether they were salted. It seems obvious, but many people who bother to hash their password database don't bother to salt that hash.

    6. Re:Epic Forums by Anonymous Coward · · Score: 0

      MD* and the SHA* family of hash functions are designed to run as quickly as possible. This is bad. Salting is now mostly irrelevant because the latest consumer ATI card can calculate 5.5 BILLION MD*/SHA* hashes per second.

      Just use bcrypt and stop trying to be clever. You're not as smart as you think. In the future, crank up the work factor to keep up with advances in number crunching technology.

      http://codahale.com/how-to-safely-store-a-password/

    7. Re:Epic Forums by DrXym · · Score: 1

      I said nothing of the hash algorithm so your point is moot. And bcrypt uses salts too so nothing I said suddenly becomes invalid.

    8. Re:Epic Forums by blueg3 · · Score: 1

      Even at that rate, a random 10-character password is essentially uncrackable.

      The standard way of artificially strengthening the hash is to N-round HMAC-SHA1 (or HMAC-MD5, I suppose), where N is chosen so that the computation takes a fair amount of time. This is better for client-side encryption, where you have time to waste per request, and less popular for server-side encryption, where you don't want to consume that much processing power. Still usable server-side, though.
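Added example, not code from the thread or from any of the companies it mentions: the points DrXym, the bcrypt poster and blueg3 are arguing about, run on a constructed user table. Stdlib only, so PBKDF2-HMAC-SHA256 stands in for bcrypt; it is the "N-round HMAC" construction blueg3 describes, and `iterations` is the work factor the bcrypt poster says to crank up over time. The user table and wordlist are made up.

```python
"""Unsalted fast hashes leak shared passwords and fall to a lookup table;
a per-user salt plus a slow, tunable KDF fixes both. Added example, not
from the original thread."""
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: three accounts, two of which share a weak password.
USERS = {"alice": "hunter2", "bob": "correct horse battery staple", "carol": "hunter2"}
WORDLIST = ["password", "123456", "hunter2", "letmein"]   # toy cracking dictionary


def unsalted_md5(password: str) -> str:
    """What a leaked "hashed" column looks like when no salt is used."""
    return hashlib.md5(password.encode()).hexdigest()


def duplicate_users(records: dict[str, str]) -> list[str]:
    """Users whose stored value appears more than once. With unsalted hashes
    this reveals shared passwords without cracking anything."""
    counts = Counter(records.values())
    return sorted(u for u, h in records.items() if counts[h] > 1)


def lookup_table_attack(records: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Reverse-hash lookup: hash the wordlist once, then match every user
    against the table. The cost does not grow with the number of users."""
    table = {unsalted_md5(w): w for w in wordlist}
    return {u: table[h] for u, h in records.items() if h in table}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Random per-user salt plus a slow KDF. The stored string carries
    everything needed to verify later, including the work factor used."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare


def needs_rehash(stored: str, target_iterations: int) -> bool:
    """True if the record was made with a lower work factor than we now want.
    Rehash at the next successful login, the only time the plaintext is available."""
    return int(stored.split("$")[1]) < target_iterations


if __name__ == "__main__":
    leaked = {u: unsalted_md5(p) for u, p in USERS.items()}
    print("shared passwords visible from duplicates:", duplicate_users(leaked))
    print("recovered by lookup table:", lookup_table_attack(leaked, WORDLIST))
    stored = {u: hash_password(p, iterations=1_000) for u, p in USERS.items()}
    print("duplicates after salting:", duplicate_users(stored))
    print("alice logs in:", verify_password(stored["alice"], "hunter2"))
    print("needs rehash at 600k?", needs_rehash(stored["alice"], 600_000))
```

The salt defeats the precomputed table and the duplicate check, but it does nothing against a per-user brute force at GPU speed; that is what the iteration count is for, and, as tepples notes further down, the same cost lands on the legitimate server for every login, so the work factor is tuned to the hardware and the login endpoint is rate-limited rather than left open.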

    9. Re:Epic Forums by Khyber · · Score: 1

      "Salting is now mostly irrelevant because the latest consumer ATI card can calculate 5.5 BILLION MD*/SHA* hashes per second."

      And that's why you write your own non-standard algorithm that makes GPU busting almost impossible due to modern GPU architecture.

      Notice how ATi cards are beating nVidia cards in bitcoin generation. It's almost purely an architectural issue.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    10. Re:Epic Forums by Cidolfas · · Score: 1

      I wish. They said encrypted, and warned that they could be cracked. Not that there could be a collision, but outright cracked. I have no idea why it's not standard policy EVERYWHERE just to use hashes. I'm just glad they didn't store in plaintext.

      --
      I am become /dev/null, destroyer of data.
  2. Re:YOU MEAN CRACKED !! by stonedcat · · Score: 2

    But what if I crack your hack when I hack your crack?

    --Jack

    --
    You can't take the sky from me.
  3. Codemasters' Rootkit? by TheVelvetFlamebait · · Score: 5, Insightful

    Hey, you're not allowed to hack companies who aren't flagrantly, explicitly evil! It's almost like you're hacking companies whose security is weak, rather than acting as moral crusaders. How could that be?

    --
    You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    1. Re:Codemasters' Rootkit? by Anonymous Coward · · Score: 0

      Must be for the "lulz".

      *rolls eyes*

    2. Re:Codemasters' Rootkit? by Kwpolska · · Score: 0

      LulzSec is allowed to hack everyone.

    3. Re:Codemasters' Rootkit? by Anonymous Coward · · Score: 0

      Two words: VIP Pass.

    4. Re:Codemasters' Rootkit? by RichardJenkins · · Score: 1

      Storing personal data without appropriate security controls in place is 'evil'. If companies develop an expectation that they *will* be hacked without good security measures then that is a good thing.

    5. Re:Codemasters' Rootkit? by syousef · · Score: 1

      Hey, you're not allowed to hack companies who aren't flagrantly, explicitly evil! It's almost like you're hacking companies whose security is weak, rather than acting as moral crusaders. How could that be?

      No sympathy. Their copy protection bullshit has on more than one occasion caused me more grief than most other company's crap (and I am not a pirate by the way). Hate that my account may have been compromised, especially since I haven't used it in years (quite literally).

      --
      These posts express my own personal views, not those of my employer
    6. Re:Codemasters' Rootkit? by webmistressrachel · · Score: 1

      "LulzSec"

      Are they like C-Sec, but just for the "Lulz"?

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
    7. Re:Codemasters' Rootkit? by index0 · · Score: 0

      This hack on Codemasters was days before their new big game came out, Dirt 3. What you may not know about Dirt 3 is the new "online pass" feature used to prevent second hand sales and piracy. What this online pass feature really did was prevent legit purchasers of Dirt 3 from playing online (because PSN was down) and from getting all the single player content (because of the online pass and PSN being down).

      This just looks like the world balancing itself out. You know, Karma.

    8. Re:Codemasters' Rootkit? by Anonymous Coward · · Score: 0

      There are two victimized sets in a hack like this. The 'evil' company, and every poor bastard that ever used the site.

      I don't care how evil the company is... I feel bad for the users.

    9. Re:Codemasters' Rootkit? by Anonymous Coward · · Score: 0

      responsible for maintaining law and order on lulzidel station?

    10. Re:Codemasters' Rootkit? by webmistressrachel · · Score: 1

      Yay! Someone got my geeky reference!

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
    11. Re:Codemasters' Rootkit? by Anonymous Coward · · Score: 0

      LulzSec is allowed to hack everyone.

      Who allowed that?

  4. #ifndef MASTERS by waddgodd · · Score: 2, Funny

    I'm going to go right ahead and say they ain't codeMASTERS if they got hacked....

    --
    Just because you're paranoid doesn't mean they aren't out to get you
    1. Re:#ifndef MASTERS by rust627 · · Score: 1

      so, let me see
      some one has mastered the masters ....................

      --
      da da da dum indeed.
    2. Re:#ifndef MASTERS by davidbrit2 · · Score: 1

      In fairness, they never claimed to be php/SQL masters. They're probably referring to being masters at trying to sell you cheat codes to games they make.

    3. Re:#ifndef MASTERS by gl4ss · · Score: 1

      The website was probably run by some dweebs they found on the street. But the real lesson they should take here is that they should not even ask for things like date of birth - they could just ask for the year, for example, and even then store it ONLY if the user wants it to be shown on the forums. It makes it much easier for someone to do something with the hacked data - and they have about zero guarantee about the data being right, so it's not much use for Codemasters itself...

      --
      world was created 5 seconds before this post as it is.
    4. Re:#ifndef MASTERS by Anonymous Coward · · Score: 0

      Absolutely brilliant!

    5. Re:#ifndef MASTERS by Lilith's+Heart-shape · · Score: 1

      I wish they had a cheat code that would make Clive Barker's Jericho not suck Pinhead's balls.

  5. 3rd of June? by Psychotria · · Score: 0

    That was 8 days ago! I am so glad they reported this so promptly.

    1. Re:3rd of June? by Anonymous Coward · · Score: 0

      That was 8 days ago! I am so glad they reported this so promptly.

      I got my notice on June 6th. Pretty quick, I would say. Not that it makes me happy they have lackluster security, but at least (so far) they haven't been trying to hide the hack and the customers were notified in relatively immediate fashion. 3 days is to me a decent amount of time. Enough to figure out what happened, what was lost and who was affected, and notify them.

      Now the epic games email was a bit more disheartening because it said something like - "Hey we too have been hacked and the site was down but now it's back and you may have had some personal info stolen" No real insight into how long ago this occurred and how long my info may have been floating around in the wild so I'd like more from them as to timing of the hack and notification.

  6. Re:Too Much Information by Anonymous Coward · · Score: 3, Insightful

    Interesting thought, but this is the same public that now accepts getting groped at TSA checkpoints by 300lb, $14/hr rentacops because somebody could be a terrorist. If Anonymous or somebody else were to break into the credit bureaus or some other high-value target - I fully expect there may be a couple of nominal changes, but the anger will be focused squarely on the "terrorists" who are trying to undermine our country's economy.

  7. Epic Games too by grim-one · · Score: 1
    Got a couple of emails from them:

    Our Epic Games web sites and forums were recently hacked. After some downtime, they're back up and running now.

    The hackers may have obtained the email addresses and encrypted passwords of forum users. Plaintext passwords weren't revealed, but it's possible that those passwords could be obtained by a brute-force attack on the encrypted passwords. Therefore, we have reset all passwords. Your new password at the bottom of this message.

    The Unreal Developer Network (UDN) hasn't been compromised. Thankfully, none of our web sites ask for, or store, credit card information or other financial data.

    We're sorry for the inconvenience, and appreciate everyone's patience as we wrestle our servers back under control.

    Tim Sweeney
    Founder, Epic Games Inc

    1. Re:Epic Games too by maxwell+demon · · Score: 1

      The mail omitted a crucial piece of advice:
      "Please log in and change your password to a new value as soon as possible."
      Since the reset password was transmitted unencrypted over email, it should not be treated as secure.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  8. Not encrypted anymore. by Anonymous Coward · · Score: 0

    Seeing as a single ATI 6990 can crack a salt of length 30 at 3.8 billion tries per second.

    1. Re:Not encrypted anymore. by _Shad0w_ · · Score: 1

      Encrypted, not hashed. Assuming they actually do mean encrypted. You'd still have to worry about whether they compromised the key as well, unless they're using something like a PrivateServer HSM - although I suspect that might be considered overkill for a games website.

      --

      Yeah, I had a sig once; I got bored of it.

  9. Re:YOU MEAN CRACKED !! by Anonymous Coward · · Score: 0

    It's just as common to call "tricked" as "hacked," whenever people have obvious passwords or blatantly give them out, the most common thing they say afterwards is "I was hacked!!!"

  10. Valve/Steam by atomicbutterfly · · Score: 3, Informative

    If Valve's servers get hacked with disastrous consequences (Steam accounts get deleted/hacked/etc, credit card details, other personal info), all hell will break loose. There will also be much smugness from those who don't use Steam for this very reason.

    1. Re:Valve/Steam by Richard_at_work · · Score: 2

      The fact that they haven't, while smaller targets have fallen already, might be telling...

    2. Re:Valve/Steam by Anonymous Coward · · Score: 0

      And when your house burns down and you lose all your stuff I'll be there being pretty smug knowing my gaming collection is safe from such a fate... wait, no, I'd probably ask if you needed some help, because that's what decent people do.

      Then I'd go home and play GTA.

      You can have your system that you're comfortable with, Grandpa, sir. I'll go with the shiny new world and ride through the hiccups along the way, should they actually occur (note: I'm not saying I'm bleeding edge, but Steam is hardly unproven/new technology).

    3. Re:Valve/Steam by wo1verin3 · · Score: 1

      Of course they haven't.

    4. Re:Valve/Steam by gl4ss · · Score: 1

      Steam accounts get hacked all the time, but usually through the users' computers. Also, CS key codes were rampantly generated, hacked and traded, but the success of Counter-Strike really made Steam a target as soon as it started.

      --
      world was created 5 seconds before this post as it is.
    5. Re:Valve/Steam by Richard_at_work · · Score: 1

      That's hardly Steam, is it?

    6. Re:Valve/Steam by twocows · · Score: 1

      If Valve hasn't been hacked since 2004, I'm perfectly content with their ability to protect my data.

    7. Re:Valve/Steam by Nemyst · · Score: 1

      Steam and Google are the two sole online businesses that I know of (bar, say, banks) that have more than a simple username/password identification. The former forces you to authenticate every PC you use it on, which can only be done through your email. The latter uses 2-factor authentication through smartphones.

      I think Steam is fairly safe. You'd have to be able to get the passwords (which are very likely salted and hashed) and could only attack those people who reuse the same password for both their Steam account and their email.

    8. Re:Valve/Steam by Beelzebud · · Score: 1

      Valve's server DID get hacked back before the release of Half Life 2, which resulted in the source code for their Source engine, and an unfinished build of Half Life 2 getting leaked. I have a feeling they learned their lesson after that. They definitely have the money to do security correctly, if they wish.

    9. Re:Valve/Steam by FutureDomain · · Score: 1

      Steam accounts get hacked all the time, but usually through the users' computers.

      Valve has actually been pretty proactive on this front. They recently released their SteamGuard system which authenticates logins from new computers via email. It doesn't help if the user uses one password for both his email and Steam, but it's pretty good against most password thefts.

      --
      Hydraulic pizza oven!! Guided missile! Herring sandwich! Styrofoam! Jayne Mansfield! Aluminum siding! Borax!
    10. Re:Valve/Steam by Anonymous Coward · · Score: 0

      World of Warcraft and Rift both support authenticators as well. I think this will become much more common as time passes.

    11. Re:Valve/Steam by Anonymous Coward · · Score: 0

      So does Square Enix. Which is why they haven't been hacked.

      After similar attacks on Sony and Square Enix...

      Oh. Oops. Never mind, then. I guess Square Enix must have gotten theirs from RSA...

    12. Re:Valve/Steam by Anonymous Coward · · Score: 0

      That is a colorful, but inaccurate, description of the HL2 code leak. The way I heard it, the source code was leaked by an internal staff member, and no personal or other user data was ever compromised whatsoever. Nor was Valve's system ever compromised beyond their internal pool of employees. That's a far cry from their "server" being hacked.

      As an aside, what the fuck do you think "server" means? Can you define your usage of that word in a way that makes sense given the subject matter? Because Valve has a lot of servers. Like, several thousand square feet worth, in several major cities, in several major countries. One imagines there is a rather large gulf between the ones used to support STEAM and the ones used for in house development of new products. The former being where any useful personal information is, the latter being where new games exist.

  11. Re:Codemasters had it coming! by XionOfChaos · · Score: 1

    This is one of the reasons why I will not get a credit card!

  12. Eheh, Lotro Online Europe by SmallFurryCreature · · Score: 1

    Evil enough for anyone. You don't get two products taken away from you if you don't suck to high heaven (Turbine took both DDO and Lotro back from Codemasters' inept handling).

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  13. Re:Too Much Information by Anonymous Coward · · Score: 0

    The "Big 3" have enough connections not to have to worry. Even if they get hacked, they'll just instruct everybody to direct blame to Anonymous or some other scapegoat. Then they'll have 3-letter agencies publish press releases for them and politicians will pass a few new laws to increase penalties.

    Nothing else would change, neither security, amount of data collected or the mindset of consumers.

  14. Re:Codemasters had it coming! by Ihmhi · · Score: 1

    Actually, compared to a debit card a credit card is pretty safe. Debit cards are easier to get but you lack many of the protections (like chargeback) that credit cards offer.

    Be careful all in all - not having a credit card might actually bite you in the ass if you ever decide to buy a home or get some type of loan. No credit is practically worse than bad credit.

  15. Re:Codemasters had it coming! by XionOfChaos · · Score: 1

    Have had no problems getting loans without a credit card. Of course you can't buy anything online without one.

  16. Re:Codemasters had it coming! by _Shad0w_ · · Score: 1

    It's the reason I use a virtual credit card with one-time numbers online. I only use my real credit card at a limited number of places.

    --

    Yeah, I had a sig once; I got bored of it.

  17. DDOS by tepples · · Score: 1

    If it takes a cracker 0.3 seconds, as described in the article you cited, then it also takes the legit server 0.3 seconds to authenticate the user. If a lot of people submit the login form at once, this becomes a denial-of-service attack against the server.

  18. When eligibility depends on the birthday by tepples · · Score: 1

    the real lessons they should take here are that they should not even ask for things like date of birth - they could just ask for the year for example

    Some web sites have legal reasons to require all users to be at least 13, 18, or 21 years old (to use examples of thresholds from U.S. federal law). Say your web site requires all users to be at least 18 years old. If the sign-up form asks for just the Gregorian year, how would the site distinguish an 18-year-old, whose birthday is before today, from a 17-year-old, whose birthday is after today?
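Added example, not from the thread: an age-threshold check on a full date of birth, showing the 17-vs-18 case tepples describes, which a year alone cannot settle, alongside a way to keep gl4ss's data-minimisation point by storing only the verdict. The dates are made up; the leap-day rule is an assumption (a Feb 29 birthday is taken to fall on Mar 1 in non-leap years, the conservative choice for a legal gate, though some jurisdictions use Feb 28).

```python
"""Age gate on a full date of birth vs. a year-only guess. Added example,
not code from the thread."""
from datetime import date


def birthday_in_year(dob: date, year: int) -> date:
    """The anniversary of `dob` in `year`. Assumption: a Feb 29 birthday
    rolls to Mar 1 in non-leap years (conservative for a legal threshold)."""
    try:
        return dob.replace(year=year)
    except ValueError:            # Feb 29 in a non-leap year
        return date(year, 3, 1)


def age_on(dob: date, today: date) -> int:
    """Completed years of age on `today`, month and day taken into account."""
    age = today.year - dob.year
    if today < birthday_in_year(dob, today.year):
        age -= 1                  # birthday still ahead this year
    return age


def meets_age_threshold(dob: date, years: int, today: date) -> bool:
    return age_on(dob, today) >= years


def year_only_threshold(birth_year: int, years: int, today: date) -> bool:
    """The year-only check: it passes everyone born in the threshold year,
    including those whose birthday has not come yet."""
    return today.year - birth_year >= years


def minimal_record(dob: date, years: int, today: date) -> dict:
    """Check at sign-up, then keep only the verdict and the check date,
    not the date of birth itself."""
    return {
        "age_verified": meets_age_threshold(dob, years, today),
        "checked_on": today.isoformat(),
    }


if __name__ == "__main__":
    today = date(2011, 6, 11)                 # constructed "today"
    for dob in (date(1993, 1, 15), date(1993, 9, 1)):
        print(dob, "full-date check:", meets_age_threshold(dob, 18, today),
              "year-only check:", year_only_threshold(dob.year, 18, today))
```

Both constructed users were born in 1993, so the year-only check lets both through; only the full date separates the one who turned 18 in January from the one who turns 18 in September.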

  19. Re:Codemasters had it coming! by sourcerror · · Score: 1

    I had no problems buying stuff online with debit card. (from Amazon; for noname shops there's Paypal; I wouldn't trust them with my CVV)

  20. What's the point in hacking? by Scissorsman · · Score: 1

    Why is there so much hacking lately? I really don't understand people's motive to hack servers and websites. OK, one could be money (credit card info, mail databases to sell, etc.) and maybe the other is the challenge for someone. But hacking is never harmless.

    --
    Awlol
    1. Re:What's the point in hacking? by Anonymous Coward · · Score: 1

      The answer is surprisingly simple.

      Hackers have very tiny penises.

    2. Re:What's the point in hacking? by Anonymous Coward · · Score: 0

      Recognition, attention seeking, boredom.

    3. Re:What's the point in hacking? by Osgeld · · Score: 1

      whats the point of going to slashdot and making a comment? same reason

  21. Re:Too Much Information by hairyfeet · · Score: 1

    I don't know about that, can you imagine if they went in and reset everyone's credit score to be "over 9000!" LOL? Even if they managed to set it back the next day just the sheer amount of chaos they could cause, especially if the group broadcast it all over the net right after (Hey got bad credit? Have fun LOL!) the amount of total pandemonium caused by everyone having wonderful credit might actually make those in power question letting everything be tied into an imaginary number held by three self appointed companies.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  22. There's blood in the water. by Anonymous Coward · · Score: 0

    Game companies are clueless about security, and the feeding frenzy is just starting.

  23. This should get all of us very worried... by mihamicka · · Score: 1

    At least news like this gets me very worried... why? Because all these announcements were not made by the companies who got their servers hacked... but were made by the hackers who did that... I wonder how many hackings are done without anyone knowing... without anyone making those attacks public... and in theory security engineers learn from things like that.... it's called Forensics, right? Hmmm, and some people say "There is no such thing as ethical hacking"... why not? I know from experience that you need a thief to catch a thief.... and another thing that gets me worried is the fact that many security engineers say "hackers have small penises" and things like that... but they should see them as enemies and not underestimate them... some of them are kids who do this to have fun... some of them do hacking shit because they are paid to do so... and all these attacks that took place lately... all this has one purpose: to take somebody else's identity.... why? That is the big answer...

  24. I have the best security by NSN+A392-99-964-5927 · · Score: 1

    I hack my own servers daily. My security is 31337 (Pull the Plug)

    --
    All cows eat grass!
  25. Re:YOU MEAN CRACKED !! by Anonymous Coward · · Score: 0

    The meaning of words can change over time. Words can have multiple definitions too. One can discern the meaning from the context. Get over it you illiterate fuck.