Slashdot Mirror


Ubisoft Hacked, Account Data Compromised

Freshly Exhumed writes "There's a new security breach announcement over at the website of game publisher and developer Ubisoft today. Quoting: 'We recently found that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems. During this process, we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion. As a result, we are recommending you to change your password by clicking this link.'"

138 comments

  1. should of killed the DRM system by Joe_Dragon · · Score: 4, Funny

    at the same time they got in

    1. Re:should of killed the DRM system by Anonymous Coward · · Score: 5, Funny

      Right, because that's how hacking works. After the bright red meter labeled "Accessing Secret Files From Gibson" filled up, they could have just pressed the glowing green button that said "Kill The DRM System". How silly of them to have missed that.

    2. Re:should of killed the DRM system by Anonymous Coward · · Score: 5, Insightful

      We never had this problem when I was playing Road Rash and Screamer and Doom and Quake and Duke Nukem, because the game publishers never had any personal info of ours to lose in a security breach. You paid your cash for the game, put the CD in, installed, and played.

      In the late eighties we got rid of DRM by refusing to buy software with it. Lots of companies went out of business because of DRM. All they had to do was wait for a more gullible and docile generation to come along and bring it back.

      DRM is the biggest reason I stopped gaming (that, and none of the new games were as good as the old ones, even if the artwork was better). I wonder how many other customers DRM has cost these morons? Keep shooting, ubisoft, you have more feet and bullets left.

    3. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      Should have killed the DRM system.

    4. Re:should of killed the DRM system by ArcadeMan · · Score: 5, Funny

      To see my reply, please enter the 3rd word of the 7th paragraph on page 12 of your game book.

    5. Re:should of killed the DRM system by g0bshiTe · · Score: 4, Insightful

      I for one enjoy my non-purchased DRM bypassed games!

      --
      I am Bennett Haselton! I am Bennett Haselton!
    6. Re:should of killed the DRM system by gl4ss · · Score: 0

      To see my reply, please enter the 3rd word of the 7th paragraph on page 12 of your game book.

      well.. you just had to have the manual in your hands once or be able to call someone with the manual once. unless you upgraded the cpu/mobo.
      why? who the fuck gave a shit about if the date was correct on the machine(so the game always asked the same question..).

      nowadays though, a read the manual copyprotection would be a refreshing change - or even a silly usb dongle. at least you could sell it.

      --
      world was created 5 seconds before this post as it is.
    7. Re:should of killed the DRM system by nigelo · · Score: 2

      He only said it on accident.

      --
      *Still* negative function...
    8. Re:should of killed the DRM system by Crudely_Indecent · · Score: 1

      Maybe they "should've" or "should have", but they never "should of"

      --


      "Lame" - Galaxar
    9. Re:should of killed the DRM system by jones_supa · · Score: 1

      Actually, "should of" has been clearly gaining popularity lately for some reason.

    10. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      You mean "by" accident, rite?

    11. Re:should of killed the DRM system by TheCycoONE · · Score: 2, Insightful

      I guess we lived in different 80s. The way I remember it there was a random list of things to look up and they had to be entered every game. I also remember on my Commodore 64 that most commercial game disks wouldn't copy (without hacking tools to copy bad sectors etc.), and wouldn't work on drives other than the 1541 because they relied on particular idiosyncrasies in that drive to enforce their protection.

      The only reason they didn't make you connect to their servers is that modems weren't common.

    12. Re:should of killed the DRM system by steelfood · · Score: 1

      Book? You're so 1980's.

      It's now a PDF.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    13. Re:should of killed the DRM system by ArcadeMan · · Score: 1

      You had to do that every time you started the game.

      note to Slashdot: why is the <strong> tag filtered out but <b> is recognized? We're in 2013, not 2003.

    14. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      I hope you mean that as in "steal everyone's data and rendering the DRM system inoperable" so that all the idiots who by their purchases supported this shameless scam finally wake up and realize what they did. I've been praying since forever that this would happen to uplay, steam and ea in the same day.

    15. Re:should of killed the DRM system by AK+Marc · · Score: 1

      Yes, I scanned mine to PDF, but had to do so at a cost, as the black ink on red would only show if you scanned it on a color scanner, and even then inconsistently. I couldn't even read the book as a human in low-light gaming conditions.

    16. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      I heard that... mid 2000's FPS are the best anyway

    17. Re:should of killed the DRM system by AK+Marc · · Score: 2

      Prison guards at Auschwitz don't deserve to be employed. Yes, when people do evil, even on someone else's orders, they are worse for it. And why does a programmer "deserve" a job? There are plenty of unemployed people who would love to have one of those "deserved" jobs.

    18. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      For all intensive porpoises.

    19. Re: should of killed the DRM system by jd2112 · · Score: 1

      ...and have your original game CD mounted in drive D:, (your CD drive isn't mapped to D:? tough s#$@.) and verify you have a working Internet connection to our authentication servers. And make sure the key dongle is plugged into a USB port. And bend over and be scanned by our full penetration rectal biometric scanner. ..

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    20. Re:should of killed the DRM system by Pi+Is+A+Rational · · Score: 1

      The worst was the AD&D games that required that goofy wheel.

    21. Re:should of killed the DRM system by Khyber · · Score: 1

      "note to Slashdot: why is the <strong> tag filtered out but <b> is recognized? We're in 2013, not 2003."

      It's called code optimization. Why use so many symbols and characters for a command when you can use fewer?
      This is 2013, code optimization and reduction is ESSENTIAL and EFFICIENT.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    22. Re:should of killed the DRM system by Khyber · · Score: 1

      "well.. you just had to have the manual in your hands once or be able to call someone with the manual once."

      Wrong, The Colonel's Bequest required you to identify a fingerprint every time you loaded a game. Wolfenstein3D would ask you about things like the number of eyelets on Blazkowicz's boots. Leisure Suit Larry had a type of DRM to prove you were an adult and not a teenager playing the game - by asking questions only adults of that time would know (and kids wouldn't have likely learned in history books, yet.) Where in Time is Carmen San Diego came with a specific encyclopedia reference book you absolutely needed to play the game. Ultima V had the language for the game contained within its game manual, and you weren't going anywhere fast without that.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    23. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      A Xerox and some prints on Ektachrome-EIR processed using C-41-yellow was the easy solution to that red and black problem. Maybe not easy, but hey! It was a few bucks cheaper than buying 2 copies !!

    24. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      Should've sounds a lot like should of.

    25. Re: should of killed the DRM system by Anonymous Coward · · Score: 0

      That ruth hertz, dozen tit?

    26. Re:should of killed the DRM system by ArcadeMan · · Score: 1

      The "b" tag has been deprecated in favour of "strong". It's about putting structure and meaning on your content, not making text "bold".

    27. Re:should of killed the DRM system by dwye · · Score: 1

      Leisure Suit Larry had a type of DRM to prove you were an adult and not a teenager playing the game - by asking questions only adults of that time would know (and kids wouldn't have likely learned in history books, yet.)

      And no one ever talked to their parents or grandparents? Or older siblings, for that matter? What were these questions, anyway?

    28. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      That's fine as long as they include a comprehensive selection of meaning. I want to see options like: "angry", "sycophantic", "condescending", "mincing", and "nasal".

    29. Re:should of killed the DRM system by styrotech · · Score: 1

      The "b" tag has been deprecated in favour of "strong". It's about putting structure and meaning on your content, not making text "bold".

      Not so fast... HTML5 has brought back <b> and it has a new semantic purpose.

      For the first time Slashdot is now at the cutting edge! Without having to do anything either (ok ok they did change the doctype).

    30. Re:should of killed the DRM system by Khyber · · Score: 1

      http://www.allowe.com/games/larry/tips-manuals/lsl1-age-quiz.html

      There's your questions for at least the first one. The VGA reboot and LSL3 questions are also listed on the right side.

      Prime Examples:

      O. J. Simpson is
      a. an R & B singer.
      b. under indictment.
      c. embarrassed by his first name (Olivia).
      d. no one to fool with.

      (At the time, answer was D. Rather prophetic question and answer choice, though!)

      The germ that transmits syphilis is
      a. Spiro Agnew.
      b. Spirochete.
      c. Spirograph.
      d. Barbarella.

      (Answer C)

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    31. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      The best example would be Champions of Krynn. It did ask you for a word from the manual at startup but they could just have skipped it, the crack that disabled it was pretty much pointless.
      The manual contained a lot of the dialogues and maps that were needed to get quests, find secrets or understand the story. Often when talking to NPC's or when something happened the game would briefly describe the situation and then state that "You record the rest as journal entry #54" or something similar.
      Not only was it extremely effective as DRM but it also made sure that you had the important hints you got in the game printed out so that you could re-read them to see if you missed anything.
      That is the only time I have seen any kind of DRM that actually added to the game rather than take away from it.

    32. Re:should of killed the DRM system by Pi+Is+A+Rational · · Score: 1

      It's quite possible they did this to save space on those 360KB 5.25s as well.

    33. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      Zooming... Zooming.. Enhancing.. There it is!

    34. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      "Diablo III set a new record for fastest-selling PC game by selling over 3.5 million copies in the first 24 hours of its release,[5] and was the highest selling PC game of 2012, selling more than 12 million copies during the year.

      You and I have different definitions of "flopped"

    35. Re:should of killed the DRM system by Anonymous Coward · · Score: 0

      Ultima V had the language for the game contained within its game manual, and you weren't going anywhere fast without that

      Explains a lot - didn't get very far at all and have hated the series since then.
      Also in railroad tycoon you had to identify a train, eventually built up a collection of train drawings and hit and miss attempts which got me into the game after a couple hours, never switched the PC off because of it, drove my parents nuts.

    36. Re:should of killed the DRM system by Yer+Mom · · Score: 1

      nowadays though, a read the manual copyprotection would be a refreshing change

      Nowadays, getting a printed manual would be a refreshing change.

      Even with console games, you're lucky to get a list of controls, with the rest of the docs appearing as in-game tutorials. Most of the booklet is dire warnings about copyright infringement, health warnings and other legal CYA.

      --
      Never mind Spamassassin. When's Spammerassassin coming out?
    37. Re:should of killed the DRM system by webmistressrachel · · Score: 1

      Do you pray that one day, just one day, your program will compile and it will happen on the same day, or are you praying for someone else to do it?

      You do realise that praying won't help you one bit, right?

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
    38. Re:should of killed the DRM system by Medievalist · · Score: 1

      Hmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.

    39. Re:should of killed the DRM system by SuiteSisterMary · · Score: 1

      Lux, sestnik, samosud.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  2. The point? by Anonymous Coward · · Score: 0

    What's the point of encrypting the passwords if the data (names and emails) was in plain text?

    1. Re:The point? by Chas · · Score: 1

      So they have a name and an e-mail.

      If they don't have the password, they have to spend a lot of time trying to crack the encrypted password. Giving the legitimate user plenty of time to change said password.

      --


      Chas - The one, the only.
      THANK GOD!!!
    2. Re:The point? by flonker · · Score: 2

      The point is to minimize the amount of information you actually have. You don't need to know the password itself, you only need to know that they know the password. So, you store just enough information to be able to check that the person attempting to log in knows the password.

    3. Re:The point? by dos1 · · Score: 2

      Hashing is not an encryption. I think that's what that comment was about, just in ambiguously sarcastic way.

    4. Re:The point? by Anonymous Coward · · Score: 0

      A lot of time reads as "in the worst case, 2 minutes with GPGPU offload and 4TB HDD with rainbow tables"

    5. Re:The point? by uberbrainchild · · Score: 2

      I wish they told us how they were hashed and if they used a salt so that we might get an idea of how many minutes we have to change the password on any accounts with the same password. Luckily for me though I have different pws for almost everything. Maybe this will prompt them to make uplay better... I remember when I tried the Heroes game and got tired of playing once the multiplayer games stopped syncing and it became unplayable. Eh, I was just as disappointed with Sim City 5... board games tend to work most of the time though

      --
      Anveto
    6. Re:The point? by Sir_Sri · · Score: 1

      That would be a hash of the password rather than the encrypted password, although that may be what they mean and they're using sloppy language. (Encrypting it could work the same way, but then you still just have the password in another form).

      I think the question was more 'why weren't usernames and e-mails encrypted' and the answer is probably that they're part of a searchable 'find friends' type database.

    7. Re:The point? by Sir_Sri · · Score: 3, Interesting

      Plenty of time, as less than an hour after the hack occurred, for ~60% of users.

      http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

    8. Re:The point? by afidel · · Score: 2

      Only if they aren't salted.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    9. Re:The point? by BlueMonk · · Score: 2

      I think there's a little bit of disconnect between the people asking this question and the people answering this question. I think the people asking the question are wondering "Why encrypt the piece of information that lets you get at the rest of the information if the rest of the information is right there plain as day?" and the people answering the question are explaining, "passwords use one way encryption so they can't easily be hacked." Yes, one important reason for encrypting the password is to allow some time for users to change their passwords before the passwords are cracked. But I think to answer the question more directly, passwords often give access to a lot more information than just what might have been compromised. Yes the cracker got a hold of a lot of un-encrypted information in this case, but if the passwords were also in plain text, they might have been able to get more information than they did. Some people use the same password for multiple sites, and some sites may store information in multiple locations so that the password could have provided access to more information than what was lost. If passwords were stored in plain text, someone would need only to be able to see the password in order to access all of a user's information, and sometimes that's easier than getting all the information that the password protects.

    10. Re:The point? by TheCycoONE · · Score: 2

      Weak case: MD5 is known to be insecure (very vulnerable to collision attacks), and presuming it was secure, this unsalted list of passwords was vulnerable to a rainbow attack. Similarly a short salt is still vulnerable to a rainbow attack. I understand that bcrypt and sha512 are popular these days. I personally like my salt to be the same length as the resulting hash and of course different for each password - I think this makes a rainbow list attack as complex as the birthday attack on average.

    11. Re:The point? by Kongming · · Score: 2

      While we should be able to assume that the hashes were salted, there have been other breaches in the past year in which the exposed password hashes were not salted. A quick web search turned up drupal.org and LinkedIn. Also, many other companies, like Sony, specified when they disclosed their breach that the password hashes were salted. As Ubisoft did not opt to specify and have not responded to the question anywhere as of yet, I am operating under the assumption that they did not, in fact, salt their password hashes. In 2013, any DBA should understand the importance of salting password hashes and insist on always doing so. In my opinion, any company over a certain size that not only fails to secure the contents of their account table against an attack and weren't even bothering to salt their passwords should be subject to fines and/or civil liabilities.

      --
      (no sig)
    12. Re:The point? by Anonymous Coward · · Score: 0

      Also anywhere you use that password, you should change that password - not just at the Ubisoft website.

    13. Re:The point? by gaspyy · · Score: 1

      According to an article on Ars Technica, salted hashes are no longer relevant - they are cracking the hashes anyway without using rainbow tables. Using SHA256 instead of MD5 has more benefits in this regard than salted vs. unsalted.

    14. Re:The point? by Wootery · · Score: 1

      The ever-unpopular Steve Gibson covered this, saying the solution is memory-hard hashing.

      (Ctrl+f for "simplified".)

    15. Re:The point? by WuphonsReach · · Score: 1

      That article is not an argument for not using salted hashes. Just because salt doesn't help prevent brute-force attacks, doesn't mean that salting is worthless. If nobody bothered to salt hashes, rainbow tables would become common again. (The reason nobody uses rainbow tables these days is because most lists are salted, rendering the rainbow table ineffective.)

      Unfortunately, using hashes that take longer to calculate just moves the problem forward a few years.

      --
      Wolde you bothe eate your cake, and have your cake?
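The salted-versus-unsalted argument running through the replies above (one lookup resolves an unsalted hash, a per-password salt defeats precomputation, a slow hash buys time) as an added example; this is not code from the thread or from Ubisoft, and the tiny precomputed table, the user names and the passwords are constructed stand-ins. PBKDF2-HMAC-SHA256 is used here as the slow hash; a memory-hard function such as scrypt or bcrypt would be the stronger choice mentioned later in the thread.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed lookup table (which is all a rainbow
# table amounts to): unsalted MD5 of a few common passwords. Any unsalted hash
# in a leaked account table resolves with one dictionary lookup.
COMMON_PASSWORDS = ["123456", "password", "hunter2", "letmein"]
PRECOMPUTED_MD5 = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password):
    """The weak scheme the thread worries about: one deterministic hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_precomputed(digest):
    """Resolve an unsalted digest through the precomputed table, or None if absent."""
    return PRECOMPUTED_MD5.get(digest)


def hash_password(password, iterations=200_000, salt=None):
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 with a 32-byte random salt.

    Returns a self-describing record so the iteration count can be raised later
    without invalidating existing records. The salt is as long as the digest,
    as one reply above recommends, and different for every password.
    """
    if salt is None:
        salt = os.urandom(32)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_groups(records):
    """Count groups of identical stored values.

    With unsalted hashes, users who chose the same password are visible at a
    glance and one lookup cracks all of them; with per-user salts every record
    differs even when the passwords are the same.
    """
    seen = {}
    for rec in records:
        seen[rec] = seen.get(rec, 0) + 1
    return sum(1 for n in seen.values() if n > 1)


if __name__ == "__main__":
    # Constructed sample accounts; two users share a password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}
    weak = {u: unsalted_md5(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    print("unsalted duplicate groups:", duplicate_groups(weak.values()))
    print("salted duplicate groups:  ", duplicate_groups(strong.values()))
    for u, d in weak.items():
        print(u, "unsalted ->", lookup_precomputed(d))
    print("verify alice:", verify_password("hunter2", strong["alice"]))
```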
  3. The point? by Anonymous Coward · · Score: 0

    What's the point in having encrypted passwords if the information (email addresses and names) was in plain text?

  4. "This isn't phishing, really!" by Anonymous Coward · · Score: 0

    I'd probably delete the email on sight without knowing about it ahead of time. But should they catch those responsible,

    "No, I wasn't trying to see the new games... I was really trying to connect to the WOPR!"

    1. Re:"This isn't phishing, really!" by Anonymous Coward · · Score: 0

      Is there any way to send a letter warning of a compromise without it sounding like phishing? Maybe leave out the link?

    2. Re:"This isn't phishing, really!" by Anonymous Coward · · Score: 2, Interesting

      Of course leave out the link. Email is plain text, not HTML.
      If I get an email from somewhere I have an account, I know how to get to the site.

    3. Re:"This isn't phishing, really!" by Sir_Sri · · Score: 2

      That's nearly what I did (delete it on sight). Their main page at ubisoft.com needs to have a message about this rather than just a 'under maintenance' type message.

  5. Assume Everything is Compromised by Kagato · · Score: 1

    These days computers and crypto techniques are powerful enough that they will likely have an 85% success rate at resolving the hashes. Even if salted.

    1. Re:Assume Everything is Compromised by Ectospheno · · Score: 2

      Which is why unique is the most important quality of a password. People that did that are yawning while they change this one password and go about their day.

    2. Re:Assume Everything is Compromised by Kagato · · Score: 1

      Too bad you can't get 1Pass for a game console.

    3. Re:Assume Everything is Compromised by Anonymous Coward · · Score: 0

      You don't need to find the password, just something with a hash collision.

    4. Re:Assume Everything is Compromised by Anonymous Coward · · Score: 0

      Woosh! I think you missed his point.

    5. Re:Assume Everything is Compromised by Anonymous Coward · · Score: 0

      Yeah I got LastPass over a month ago and this is the second email I've received (first was some place called Moniker) that was a password for an account I don't even remember creating. Problem is, there was this one password that I'm positive I used on those sites, and quite a few others (like slashdot). Fortunately, I've changed all my passwords for logins I even remotely remember using to gobbledygook (the meaning, not the word itself) and have it stored in the vault.

      *Yawn*.

  6. Wish their net security was as good as their DRM.. by Anonymous Coward · · Score: 1

    Ironic that their DRM seems to be more secure than their servers...

  7. Great job there, UbiSoft by Anonymous Coward · · Score: 4, Insightful

    I never wanted to sign up for your crappy service in the first place, but was forced to just so I could play a game I already legally purchased.

    Fuck you, UbiSoft!

    1. Re:Great job there, UbiSoft by Anonymous Coward · · Score: 0

      Same here, except it was for a free game that came with my GPU (which was a gift). I had to give 2 companies my email and address, and make a UbiSoft account just to play my free console port with a crappy UI. Good thing all sane account names were in use so I couldn't use anything that might match any account I have ever used. I would not make that 0$ purchase again if given the option. It was a bad deal.

    2. Re:Great job there, UbiSoft by Elijha · · Score: 1

      I had an alert from itunes that my account had downloaded a free game from an international IP on the weekend, and to reset the password if it wasn't me... I had used the same old password on both I'm pretty sure (though I set up a Ubi Soft account only as I needed to play a game years ago).

    3. Re:Great job there, UbiSoft by Anonymous Coward · · Score: 0

      UbiSoft says...
      No. Fuck you. You're our bitch. You know it. You didn't like our drm. but still paid us money and installed it.

      how stupid are you anyway?

    4. Re:Great job there, UbiSoft by Anonymous Coward · · Score: 0

      Ok ... so ... where you went wrong was ... buying the bloody game at all in the first place.

      STOP buying games that force this crap on you, it is the only way that they will learn.

      I don't care how good you think the game will be, or whether it is a sequel and so you just have to play it ... bullshit. Don't buy it, go without.

  8. Tango by Anonymous Coward · · Score: 0

    Down

  9. Seems legit. by ernest.cunningham · · Score: 5, Funny

    You account details have been hacked.....click this link to reset your password.
    Seems legit!

    1. Re:Seems legit. by Anonymous Coward · · Score: 0

      that's exactly what I thought, so I went to ubisoft directly and found the shitty looking splash page they have up that doesn't have their usual design. It seems like their whole site was wiped out or something.

    2. Re:Seems legit. by Anonymous Coward · · Score: 0

      well i see an un-encoded @ symbol, which is enough to make me think twice before clicking on it

    3. Re:Seems legit. by Inda · · Score: 1

      I thought the same.

      The blurb is missing one part of the email. The email started "Dear member". What? You don't even know my username?

      So I clicked the link, changed my password to a keyboard mash of 16 characters, which wasn't secure enough according to the security experts known as Ubisoft. So I changed it again to include two numbers and now it's forgotten forever.

      Fuck you Ubisoft.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    4. Re:Seems legit. by Anonymous Coward · · Score: 0

      If ONLY we didn't have to guess. Someone should invent some way of verifying the identity of the sender of an e-mail. Maybe some sort of certificate or... signing. Maybe it could even use encryption to keep the contents of communication secret. It would offer pretty good privacy!

      Man, what I would give for something like that. Too bad it is obviously impossible. Why else wouldn't e-mail providers provide it? Why else wouldn't every legit e-mail sender use it?

    5. Re:Seems legit. by Anonymous Coward · · Score: 0

      Plus bad spelling and grammar in the German version. I immediately deleted my ubisoft account, of course (only two really bad games: splinter cell conviction and assassins creed 2).

  10. U play by Anonymous Coward · · Score: 0

    ... and we play U... bisoft.

  11. Holy Admiral Ackbar... by ProfessorKaos64 · · Score: 0

    "As a result, we are recommending you to change your password by clicking this link.'" It's a trap!!!!!

  12. Amusing.. by GrBear · · Score: 1

    gMail flagged Ubisoft's email as spam and potentially bogus. I wonder how many people will think it's just another phishing attempt and ignore it now.

    1. Re:Amusing.. by HTMLSpinnr · · Score: 2

      gMail flagged Ubisoft's email as spam and potentially bogus. I wonder how many people will think it's just another phishing attempt and ignore it now.

      I actually read the source of the email to confirm the embedded links were legitimate before marking it as "Not Phishing".

      Really sucks for Ubisoft that their notification system will go unheard by many GMail users!

      --
      $ man woman *
      -bash: /usr/bin/man: Argument list too long
  13. Don't Care by CanHasDIY · · Score: 1

    Only signed up with Ubi so I could play a new game I had purchased.

    No important info (CC number, real name, real email) associated with the account.

    Don't care.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  14. Seriously? by Anonymous Coward · · Score: 0

    "You're account's compromised! Click on this totally legit link provided to you by someone you don't know to give us your login info to fix it!"

    Shame on anyone who clicked the link, let alone gave the linked page your info.

    1. Re:Seriously? by bonehead · · Score: 1

      Why?

      It's not that hard to check where the link actually points to and determine whether it's legit or not.

    2. Re:Seriously? by Anonymous Coward · · Score: 0

      The e-mails sent out were legit. Professionally presented, no stupid ass misspellings (like in your example), and the links went to ubi.com which is owned by Ubisoft.
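The check bonehead describes above (look where a link actually points before trusting a breach notification) as an added example; it is not code from the thread or from Ubisoft. The message, the publisher domain on the allow-list and the link targets are all constructed: in practice the allow-list would hold the sender's known domains (the reply above notes ubi.com for Ubisoft). The third constructed link also shows the un-encoded @ trick another commenter mentions, where everything before the @ is user info and the real host comes after it.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample notification (not a real Ubisoft e-mail). Link 1 goes to the
# publisher's own domain, link 2 displays the publisher's URL but points elsewhere,
# link 3 hides the real host behind "publisher-domain@" user info.
RAW_EMAIL = """\
From: Account Security <security@example-publisher.com>
To: member@example.net
Subject: Please reset your password
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear member, please <a href="https://account.example-publisher.com/reset">reset your password</a>.</p>
<p>Or visit <a href="http://example-publisher.com.evil-host.test/reset">https://example-publisher.com/reset</a></p>
<p>Help: <a href="https://example-publisher.com@evil-host.test/help">support portal</a></p>
</body></html>
"""

ALLOWED_DOMAINS = {"example-publisher.com"}  # constructed: the sender's known domains


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def check_link(href, text, allowed=ALLOWED_DOMAINS):
    """Return the reasons this link is suspicious (empty list means it passed)."""
    reasons = []
    parts = urlsplit(href)
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:  # "https://good.example@evil.test/": host is after the @
        reasons.append("userinfo (@) in URL hides the real host")
    if not host_allowed(parts.hostname, allowed):
        reasons.append("host %r not in sender's domains" % parts.hostname)
    # Displayed text that itself looks like a URL must agree with the real target.
    if text.lower().startswith(("http://", "https://")):
        shown = urlsplit(text).hostname
        if shown != parts.hostname:
            reasons.append("displayed %r but points to %r" % (shown, parts.hostname))
    return reasons


def audit_links(raw_message, allowed=ALLOWED_DOMAINS):
    """Parse a raw message and return {href: [reasons]} for every anchor in its HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    return {href: check_link(href, text, allowed) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in audit_links(RAW_EMAIL).items():
        print(("OK   " if not reasons else "WARN ") + href, "; ".join(reasons))
```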

    3. Re:Seriously? by neminem · · Score: 2

      That last one is the most important.

      Unlike an email sent to me a few months ago by a major credit card provider I had a card with, telling me I may have had a card theft, and asking me to click a link to confirm whether or not I had made a particular purchase. The link went to a completely gibberish link that had no obvious connection to the bank in question. It was very obviously a phish.

      Turns out, nope, it was totally legitimate, that card *had* been used to make an unauthorized transaction, and that bank completely failed to understand that emails which aren't phishes, shouldn't look like phishes. Even when I submitted a complaint to them. (Their response: this is a legitimate email. My response, which they completely ignored: "I know it is. I'm telling you it doesn't *look* like one, at all, and perhaps you should fix that." Grah.)

    4. Re:Seriously? by AK+Marc · · Score: 2

      You didn't properly treat it like Schrodinger's email. Trust the info, without trusting the email. It's both legitimate and a pfish at the same time. Your credit card company sends you a "click here" email with a funny address? Call the number on the back of your card, and hit the number for "fraud" (the quickest way to get to a human). If the email is real, then you'll get it taken care of. If it's not legit, they'll listen to your recount of the phish. There's never a reason to click a link in a email. At best, it's a shortcut to info you'd get if you typed it in yourself, so always type it in.

    5. Re:Seriously? by neminem · · Score: 2

      Right. I agree with everything said completely. My complaint, and it bothered me quite a lot, is that I explained all of that to the bank in question, and they completely didn't even understand at all why I was complaining. *I* know to check whether it was a phishing scam or not by calling the number listed on my card (which, oh by the way, the email also had a number listed that you could call if you had questions... which was not the number on my card, and in fact, wasn't mentioned, as far as I could tell, anywhere on the bank's web site). But, if it had been a phish instead of a really terribly crafted legitimate helpful email, would my computer-illiterate mom have known?
      We spend so much effort trying to educate people less knowledgeable about computery things in important matters like "how do you recognize a phish", that it completely blew my mind that they would ruin that with an email that *did* look like a phish, and expect us to click on the link and be happy.

    6. Re:Seriously? by Anonymous Coward · · Score: 0

      I'm not gonna name names, but there is a gaming company that hosts a redirect script at their domain. BAD FUCKIN MOVE. Everyone on the forums gets private messages trying to get people to click the link; it's got the domain name of the game company on it, but it redirects to a phishing site clone of the login page... maybe. I didn't click on it; it might just steal your cookie right on the spot since you are already logged in to see your private messages.

    7. Re:Seriously? by AK+Marc · · Score: 2

      Well, *they* sent it so it couldn't have been a phish.

      Their logic is impeccable, even if wrong. I've received similar from my bank, and it was well worded to encourage people to type in the site, and not to rely on links in emails, even the one sent by them.

  15. UBI? by Arkh89 · · Score: 0

    If your database has just been cracked... then come take a trip to Lambé...
    Matmatah - Lambé An Dro

    1. Re:UBI? by ArcadeMan · · Score: 0

      What's that, Lambé?

    2. Re:UBI? by Arkh89 · · Score: 1

      It's the name of a district of Brest (Lambézelec)...

  16. that guy.. from Watch_Dogs by Destoo · · Score: 1

    I'm pretty sure some guy walking around with a cell phone did it. Aiden Pearce?

    --
    Games and technology news in French. TC
    1. Re:that guy.. from Watch_Dogs by Briareos · · Score: 1

      Nope, John Reese. Or Harold Finch.

      --

      "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

    2. Re:that guy.. from Watch_Dogs by dwye · · Score: 1

      Or The Machine, itself.

  17. Make a different email alias for each company by ArcadeMan · · Score: 1

    I would use ubisoft@arcademan.com for this particular example.

    If the company is hacked or sells your email address to spammers, just delete the alias.

    1. Re:Make a different email alias for each company by Anonymous Coward · · Score: 0

      very clever, thanks for pointing that out

    2. Re:Make a different email alias for each company by Vreejack · · Score: 1

      You need to establish a valid email address to set up an account.

      --
      "Will future ages believe that such stupid bigotry ever existed!" -- Ivanhoe
    3. Re:Make a different email alias for each company by Vreejack · · Score: 1

      I see, you meant to use an example of a personal mail server. I was confused by the fact that your example is an unused domain.

      How can I get the use of a personal mail server that will actually fool anyone? ubisoft@vreejack.mooo.com is not going to fool anyone who thinks to guess blizzard@vreejack.mooo.com, so while it will help you dodge spam, you will still have to use unique passwords, which is much of the problem.

      --
      "Will future ages believe that such stupid bigotry ever existed!" -- Ivanhoe
    4. Re:Make a different email alias for each company by Anonymous Coward · · Score: 0

      This neckbeard virgin likely uses a catchall at his own domain, something that isn't appropriate for 95% of internet users.

    5. Re:Make a different email alias for each company by jones_supa · · Score: 1

      If the company is hacked or sells your email address to spammers, just delete the alias.

      Additionally, shame the company in public...

      Another classic trick you can use is to include a plus sign and some text after your username, e.g. john.doe+ubisoft@example.com. The '+ubisoft' part is ignored when the mail is delivered, but you can still see it in the "To" field.
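The two alias schemes discussed in this thread, the '+tag' subaddress (RFC 5233 style, honoured by mail servers that implement subaddressing) and a catch-all domain where the whole local part is the tag, both leave the tag visible in the To/Cc header after delivery. The following is an added example, not code from the thread or from any mail provider, showing how to turn that into a leak report: which tagged alias received mail from a domain it was never given to. The domain list, the expected-sender map and the sample headers are constructed for the demo.

```python
"""Attribute incoming mail to the service an alias was handed to, and flag the
aliases that are now receiving mail from anyone else (leaked, sold or breached)."""
from email.utils import getaddresses, parseaddr

# Assumed: the mailboxes you control and which alias scheme each domain uses.
MY_DOMAINS = {"example.com": "subaddress", "arcademan.com": "catchall"}

# Assumed: the sender domains each alias was given to when the account was made.
EXPECTED_SENDERS = {
    "ubisoft": {"ubi.com", "ubisoft.com"},
    "blizzard": {"blizzard.com", "battle.net"},
}


def alias_tag(address: str):
    """Return the service tag an address encodes, or None if it is not a tagged alias."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        return None
    scheme = MY_DOMAINS.get(domain.lower())
    if scheme == "subaddress":
        _base, plus, tag = local.partition("+")
        if not plus or not tag:
            return None  # plain mailbox, no '+tag' suffix
        return tag.lower()
    if scheme == "catchall":
        return local.lower() or None  # the local part itself is the tag
    return None  # not one of our domains


def recipient_tags(headers: dict) -> set:
    """Tags found in To/Cc; the '+tag' survives delivery, so it is still here."""
    fields = [h for h in (headers.get("To"), headers.get("Cc")) if h]
    tags = set()
    for _name, addr in getaddresses(fields):
        tag = alias_tag(addr)
        if tag:
            tags.add(tag)
    return tags


def sender_domain(headers: dict) -> str:
    _name, addr = parseaddr(headers.get("From", ""))
    return addr.rpartition("@")[2].lower()


def find_leaks(messages) -> dict:
    """Map tag -> sorted list of sender domains that used an alias not given to them."""
    leaks = {}
    for headers in messages:
        sender = sender_domain(headers)
        for tag in recipient_tags(headers):
            if sender not in EXPECTED_SENDERS.get(tag, set()):
                leaks.setdefault(tag, set()).add(sender)
    return {tag: sorted(domains) for tag, domains in leaks.items()}


# Constructed sample headers: a legitimate notice, a spam run hitting the ubisoft
# alias from an unrelated domain, a legitimate catch-all message, an untagged one.
SAMPLE_MESSAGES = [
    {"From": "Ubisoft <noreply@ubi.com>", "To": "john.doe+ubisoft@example.com"},
    {"From": "promo@cheap-pills.example", "To": "John <john.doe+ubisoft@example.com>"},
    {"From": "Battle.net <news@battle.net>", "To": "blizzard@arcademan.com"},
    {"From": "friend@gmail.com", "To": "john.doe@example.com"},
]

if __name__ == "__main__":
    print(find_leaks(SAMPLE_MESSAGES))  # {'ubisoft': ['cheap-pills.example']}
```

Two caveats a practitioner should keep in mind: a spammer who understands subaddressing can strip the '+tag' and still reach the base mailbox (a catch-all domain does not have that weakness), and many signup forms reject '+' in an email address outright. Neither scheme does anything about password reuse, which is the point lgw makes further down.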

    6. Re:Make a different email alias for each company by lgw · · Score: 1

      Someone might "think to guess blizzard@vreejack.mooo.com" if they have stolen 1 password and are trying to find a use for it. If they have stolen 1 million, they're not even going to try to be clever, since most of them will work without such changes, so they already have more valid email/password pairs than they'll ever be able to use for anything.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    7. Re:Make a different email alias for each company by theskipper · · Score: 1

      He was talking about creating that account on your mailserver. Sneakemail or Spamgourmet serves the same purpose. As long as you don't mind your email going through a third party server, it works for most purposes. Just be sensible and don't use it for banking-type accounts.

    8. Re:Make a different email alias for each company by AK+Marc · · Score: 1

      It's appropriate for all, but understandable by only 5%. I have that set up, and it costs all of $5 a year, and took less than 30 minutes to set up.

  18. Customer & payment data is stored with... by Anonymous Coward · · Score: 0

    b2boost

    They take security a lot more seriously than most of these companies who store all the data unencrypted!

    Disclaimer: I used to manage those systems.

  19. steam seems to be the best no Always on by Joe_Dragon · · Score: 1

    Always on seems like overkill when X-time checks can work just as well.

  20. Why does Ubisoft need to store a password? by brunes69 · · Score: 1

    Why do they not use a federated identity system?

    Why does ANYONE aside from some key core ID providers (Google, Microsoft, Yahoo, Facebook, OpenID, etc) need to store a password?

    When are companies going to stop this madness.... no Ubisoft, I will not be giving you another password to lose thanks.

    1. Re:Why does Ubisoft need to store a password? by Imagix · · Score: 2

      Because when the federated identity system gets broken in the same manner, the attacker doesn't have access to everything you use.

    2. Re:Why does Ubisoft need to store a password? by megalomaniacs4u · · Score: 1

      Because I trust those companies less than idiots like ubisoft?

    3. Re:Why does Ubisoft need to store a password? by Shados · · Score: 1

      Conversion rate on services that force you to create a separate account is impossibly low, unless it's Facebook, and that has its own set of problems.

    4. Re:Why does Ubisoft need to store a password? by Anonymous Coward · · Score: 0

      I already have a federated identity system. It's federated through 1Password, which I keep a backup of on the cloud. The Cloud is a flash stick in the shape of a cumulonimbus head.

  21. Password reset link for someone else's account by BerkeleyDude · · Score: 1

    I received the email - but I've never had a Ubisoft account. They sent me a password reset link for some other user's account. No wonder they got hacked...

  22. What Ubisoft Does Best by Somebody+Is+Using+My · · Score: 4, Interesting

    Attempting to log-onto their website, I get the following warning:

    For security reasons we recommend that you change your password

    and a link to change the password.

    Interestingly, there is no option to log-on /without/ changing the password. "Recommend" apparently means "you have no choice" in UbiSpeak.

    Unfortunately, since the email address I used to register the account is no longer active, and there is no option to update the email address (since I can't log-on at all) I guess I'm screwed (silly me for not keeping my info up to date on a service I had little interest in joining except that it was forced on me to play a game I had legally purchased).

    So, I guess it's par for the course for you guys at Ubisoft; you've screwed me over again. Great job, guys; first you force me to sign up to UPlay in the first place, then you screw up by leaking the log-in info all over the net and now you prevent me from changing my password. Maybe you can block access to the games I paid for as well just to round out the whole experience.

    1. Re:What Ubisoft Does Best by FlynnMP3 · · Score: 1

      Maybe you can block access to the games I paid for as well just to round out the whole experience.

      For a complete and positive gaming experience, your wish has been granted.

      Joking aside, look closer at the account maintenance terms. There may be an option to completely reset or get rid of the account. Then you can at your option start with new login details. This time make a unique email alias just for UPlay and bogus, but plausible, user details that for all you care can be leaked or broken into. I've also gone as far as having a unique credit card just for online gaming service accounts that insist on credit card payments and storage. A different one for each service - limit of $100. True it's a pain in the ass to set up, but if it gets hacked I don't have enough in it to even care what happens.

    2. Re:What Ubisoft Does Best by RollingThunder · · Score: 1

      Their site is pretty clearly in "oh SHIT" mode right now, stripped down to barest minimums. I would hope that once things settle down and the more feature-rich site returns, you'll be able to do a recovery along the lines of what you could previously. However, if you didn't set up any other alternative methods of recovery (I can't remember if they had secret questions, etc), then you may be out of luck. Perhaps the returned site will let you log in with the old password and then force the change.

    3. Re:What Ubisoft Does Best by sabt-pestnu · · Score: 1

      Not to be a dick about it, but...

      > Great job, guys; first you force me to sign up to UPlay in order to play your game in the first place, then ...

      There was always option E: abstain from giving them money in that first place.

      Or better yet, option F: send a politely worded letter describing your decision not to purchase their product, after having purchased previous products from them, because you disagreed with their DRM scheme, and suggesting other ways they might regain your custom while preserving the income they require to balance the development costs of the game.

      And best, option G: getting said letter openly published on a well-trafficked and apropos web site.

    4. Re:What Ubisoft Does Best by project-nova · · Score: 1

      There is no option to log-on because the current site is a low-traffic fallback site to accommodate the number of users trying to change their password. The whole ubi.com consists of "Change your password" and three YouTube links right now.

      The usual site will be up again in a few days, if you want to change your e-mail address, try again then.

      This is how it should be done by the way: at least allowing 99% of users to change their password even when the site is getting hammered.

  23. The actual e-mail for reference by jones_supa · · Score: 3, Insightful

    Security update regarding your Ubisoft account
    - please create a new password

    Dear Member,

    We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

    During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

    As a result, we are recommending that you change the password for your account: <account name>

    To enter your new password, click the link below: https://secure.ubi.com/register/ResetPassword.aspx?...

    Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.

    You can find more information here https://support.ubi.com/en-GB/FAQ.aspx?platformid=60&brandid=2030&productid=3888&faqid=kA030000000eYYxCAM.

    For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com/

    We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.

    The Ubisoft team

  24. Cookie requirement? C'mon guys. by Xzzy · · Score: 4, Interesting

    I like how their website tosses up an error saying I "need to enable cookies" even though I do in fact have cookies turned on. Only thing I am blocking is their attempts to track me by including google analytics.. I can use their password change just fine if I use an incognito window (which temporarily disables my plugins).

    I suppose the original fault lies with me for creating an account with these goofballs.

    1. Re:Cookie requirement? C'mon guys. by theskipper · · Score: 1

      Was wondering about that the other day. I get that message on a lot of sites when I have third-party cookies turned off (usually always), your mention of GA seems related. Guess it's simply a misnomer.

    2. Re:Cookie requirement? C'mon guys. by Anonymous Coward · · Score: 0

      You can activate plugins in incognito(although usually not recommended), like Ghostery if you want to.

    3. Re:Cookie requirement? C'mon guys. by Spansh · · Score: 1

      Actually this is due to a UK/EU law/requirement that all sites must explicitly notify users of (and get their agreement to) any cookies which are not explicitly required for usage of the site (sites which require logins, shopping carts etc. are therefore exempt). The site will just work as normal if you don't click on the "I agree" button (which ironically will set another cookie saying you have agreed).

      I guess some sites just enabled it for world users rather than dealing with different countries separately.

      ICO link below for those who want to read up on it.

      http://www.ico.org.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies

  25. Once Again... by Stormy+Dragon · · Score: 1

    Secure Remote Password protocol is more than a decade old:

    http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

    Why aren't more companies using it?

    Hackers can't steal passwords if your server doesn't have the passwords to begin with.
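The protocol Stormy Dragon points to, as an added worked example (mine, not the thread's and not any library's reference code): an SRP-6a round trip in pure Python over the 1024-bit group from RFC 5054 Appendix A, transcribed into the block and re-checked for safe-primality before it is trusted. The server enrolls only a salt and a verifier v = g^x mod N, so a dump of its table contains no password. The proof messages M1 and M2 use the simplified H(A | B | K) and H(A | M1 | K) forms rather than the full RFC 2945 construction, and the 16-byte salt, SHA-256 and the username:password hashing are my choices for the demo.

```python
"""SRP-6a round trip: the server enrolls a (salt, verifier) pair and never sees
the password; a copy of that table does not let anyone log in as the user."""
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054 Appendix A (transcribed here; is_safe_prime_group()
# re-checks it, which is worth doing for any constant you paste into code).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def _pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


def _hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K_MULT = _hash_int(_pad(N), _pad(g))  # k = H(N | PAD(g)), the SRP-6a multiplier


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        y = pow(secrets.randbelow(n - 3) + 2, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime_group() -> bool:
    return is_probable_prime(N) and is_probable_prime((N - 1) // 2)


def _x(username: str, password: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return _hash_int(salt, inner)  # x = H(s | H(I ":" P)), client side only


def enroll(username: str, password: str):
    """Registration on the client; the server stores exactly what this returns."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, _x(username, password, salt), N)  # (s, v = g^x mod N)


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)  # (a, A = g^a)


def server_start(v: int):
    b = secrets.randbelow(N - 2) + 1
    return b, (K_MULT * v + pow(g, b, N)) % N  # (b, B = k*v + g^b)


def client_finish(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("server sent B == 0 mod N")
    u = _hash_int(_pad(A), _pad(B))
    x = _x(username, password, salt)
    S = pow((B - K_MULT * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(_pad(S)).digest()
    M1 = hashlib.sha256(_pad(A) + _pad(B) + K).digest()  # client's proof of K
    return K, M1


def server_finish(v, b, A, B, M1):
    if A % N == 0:
        raise ValueError("client sent A == 0 mod N")
    u = _hash_int(_pad(A), _pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)  # equals the client's S iff x matched v
    K = hashlib.sha256(_pad(S)).digest()
    if not hmac.compare_digest(M1, hashlib.sha256(_pad(A) + _pad(B) + K).digest()):
        return None  # wrong password or tampered exchange: no key, no session
    return K, hashlib.sha256(_pad(A) + M1 + K).digest()  # (K, M2 server's proof)


def login(username, password, salt, v):
    """Drive both sides; returns the shared key, or None if either proof fails."""
    a, A = client_start()
    b, B = server_start(v)
    client_key, M1 = client_finish(username, password, salt, a, A, B)
    result = server_finish(v, b, A, B, M1)
    if result is None:
        return None
    server_key, M2 = result
    if not hmac.compare_digest(M2, hashlib.sha256(_pad(A) + M1 + client_key).digest()):
        return None  # server could not prove it holds v: abort
    return client_key
```

What the verifier does and does not buy you: a stolen (salt, v) row cannot be replayed as a client because client_finish needs x, and nothing derived from the password ever crosses the wire. It does not stop offline guessing, since anyone holding the salt and v can test candidate passwords with one exponentiation each, and it does let the holder impersonate the server to that one user. So v still needs the same protection as a password hash; the gain is that a breach like this one no longer hands out reusable credentials.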

  26. UbiSoft Hacked by Anonymous Coward · · Score: 0

    FREE GAMES!!!!!!!!!

  27. Core ID providers by Anonymous Coward · · Score: 0

    Who decides who is a "core ID provider"?

    You mentioned Microsoft and Facebook but I can't imagine why either of them would be core id providers. Except for the fact that they decided to store usernames and passwords, and then lots of people ended up happening to use their system, which they leveraged into being able to say they're popular enough to be a core id provider.

    Seriously, if Facebook is allowed to do it, then you have zero cause to say Ubisoft couldn't do it.

  28. Cookies? by ubrgeek · · Score: 1

    You have to accept their site cookies when trying to change your password. Cookies from a site belonging to a compromised system rubs me the wrong way for some reason.

    --
    Bark less. Wag more.
  29. Ubisoft sucks by Anonymous Coward · · Score: 0

    Ubisoft thinks you are a slave. Ubisoft thinks you work for them.

  30. More security issues by postglock · · Score: 1

    What's even worse is that Ubisoft sent a plain-text email to everyone that incorporates a link to reset your password. Click on the link, and you are taken to a form where you can reset your password. The thing is, this form doesn't even require you to enter your old password. So, if anyone got their hands on this email, they have immediate access to you account anyway! Ubisoft started with a bad situation and made it a lot worse!
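A mailed reset link can only ever be as safe as the token inside it, so the defence for the failure postglock describes is in how that token is issued and stored. Added example, not Ubisoft's code: tokens are unguessable, stored only as a SHA-256 digest, expire after a short window and are consumed on first use, so neither a forwarded copy of the email after the window nor a dump of the pending-resets table yields a working link. The injectable clock and the 15-minute lifetime are assumptions for the demo.

```python
"""Password-reset tokens that survive a leaked e-mail or a dumped table."""
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60  # seconds a mailed link stays valid (assumed for the demo)


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


class ResetTokenStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # user -> (token digest, expires_at)

    def issue(self, user: str) -> str:
        """Create a fresh token; only the returned plaintext goes into the e-mail.
        Issuing again replaces any earlier token for the same user."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[user] = (_digest(token), self._clock() + RESET_TTL)
        return token

    def redeem(self, user: str, token: str) -> bool:
        """True exactly once per issued token, and only before it expires."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return False
        if not hmac.compare_digest(digest, _digest(token)):
            return False  # keep the entry: a guess must not burn the real link
        del self._pending[user]  # single use: a replayed link is dead
        return True

    def stored_digest(self, user: str):
        """What someone who dumps the table sees: the digest, never the token."""
        entry = self._pending.get(user)
        return entry[0] if entry else None
```

On a successful redeem the application should set the new password and also invalidate existing sessions and any other outstanding reset tokens for that user; the store above deliberately covers only the token lifecycle.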

  31. Read as: by Anonymous Coward · · Score: 0

    Say goodbye to "The Stick of Truth" in 2013. Damn you, Ubisoft. Damn you.