Slashdot Mirror
Ubisoft Hacked, Account Data Compromised
Freshly Exhumed writes "There's a new security breach announcement over at the website of game publisher and developer Ubisoft today. Quoting:: 'We recently found that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems. During this process, we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion. As a result, we are recommending you to change your password by clicking this link.'"
at the same time they got in
So they have a name and an e-mail.
If they don't have the password, they have to spend a lot of time trying to crack the encrypted password. Giving the legitimate user plenty of time to change said password.
Chas - The one, the only.
THANK GOD!!!
The point is to minimize the amount of information you actually have. You don't need to know the password itself, you only need to know that they know the password. So, you store just enough information to be able to check that the person attempting to log in knows the password.
These days computers and cypto Technics are powerful enough that they will likely have a 85% success rate at resolving the hashes. Even if salted.
Ironic that their DRM seems to be more secure than their servers...
Hashing is not an encryption. I think that's what that comment was about, just in ambiguously sarcastic way.
I never wanted to sign up for your crappy service in the first place, but was forced to just so I could play a game I already legally purchased.
Fuck you, UbiSoft!
I wish they told us how they were hashed and if they used a salt so that we might get an idea of how many minutes we have to change the password on any accounts with the same password. Luckily for me though I have different pws for almost everything. Maybe this will promt them to make uplay better... I remember when I tried the Heroes game and got tired of playing once the multiplayer games stopped syncing and it became unplayable. Eh, I was just as disappointed with Sim City 5... board games tend to work most of the time though
Anveto
You account details have been hacked.....click this link to reset your password.
Seems legit!
gMail flagged Ubisoft's email as spam and potentially bogus. I wonder how many people will think it's just another phishing attempt and ignore it now.
That would be a hash of the password rather than the encrypted password, although that may be what they mean and they're using sloppy language. (Encrypting it could work the same way, but then you still just have the password in another form).
I think the question was more 'why weren't usernames and e-mails encrypted' and the answer is probably that they're part of a searchable 'find friends' type database.
Only signed up with Ubi so I could play a new game I had purchased.
No important info (CC number, real name, real email) associated with the account.
Don't care.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
Of course leave out the link. Email is plain text, not HTML.
If I get an email from somewhere I have an account, I know how to get to the site.
Plenty of time, as less than an hour after the hack occurred, for ~60% of users.
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
I'm pretty sure some guy walking around with a cell phone did it. Aiden Pearce?
Nouvelles de jeux et technologies en français. TC
That's nearly what I did (delete it on sight). Their main page at ubisoft.com needs to have a message about this rather than just a 'under maintenance' type message.
Why?
It's not that hard to check where the link actually points to and determine whether it's legit or not.
I would use ubisoft@arcademan.com for this particular example.
If the company is hacked or sells your email address to spammers, just delete the alias.
Get free satoshi (Bitcoin) and Dogecoins
Always on seems like over kill when X time checks can work just as good.
Only if they aren't salted.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Why do they not use a federated identity system?
Why does ANYONE aside from some key core ID providers (Google, Microsoft, Yahoo, Facebook, OpenID, etc) need to store a password?
When are companies going to stop this madness.... no Ubisoft, I will not be giving you another password to lose thanks.
C'est le nom d'un quartier de Brest (Lambézelec)...
I think there's a little bit of disconnect between the people asking this question and the people answering this question. I think the people asking the question are wondering "Why encrypt the piece of information that lets you get at the rest of the information if the rest of the information is right there plain as day?" and the people answering the question are explaining, "passwords use one way encryption so they can't easily be hacked." Yes, one important reason for encrypting the password is to allow some time for users to change their passwords before the passwords are cracked. But I think to answer the question more directly, passwords often give access to a lot more information than just what might have been compromised. Yes the cracker got a hold of a lot of un-encrypted information in this case, but if the passwords were also in plain text, they might have been able to get more information than they did. Some people use the same password for multiple sites, and some sites may store information in multiple locations so that the password could have provided access to more information than what was lost. If passwords were stored in plain text, someone would need only to be able to see the password in order to access all of a user's information, and sometimes that's easier than getting all the information that the password protects.
I received the email - but I've never had a Ubisoft account. They sent me a password reset link for some other user's account. No wonder they got hacked...
Attempting to log-onto their website, I get the following warning:
For security reasons we recommend that you change your password
and a link to change the password.
Interestingly, there is no option to log-on /without/ changing the password. "Recommend" apparently means "you have no choice" in UbiSpeak.
Unfortunately, since the email address I used to register the account is no longer active, and there is no option to update the email address (since I can't log-on at all) I guess I'm screwed (silly me for not keeping my info up to date on a service I had little interest in joining except that it was forced on me to play a game I had legally purchased).
So, I guess it's par for the course for you guys at Ubisoft; you've screwed me over again. Great job, guys; first you force me to sign up to UPlay in the first place, then you screw up by leaking the log-in info all over the net and now you prevent me from changing my password. Maybe you can block access to the games I paid for as well just to round out the whole experience.
Security update regarding your Ubisoft account
- please create a new password
Dear Member,
We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.
During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.
As a result, we are recommending that you change the password for your account: <account name>
To enter your new password, click the link below: https://secure.ubi.com/register/ResetPassword.aspx?...
Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.
You can find more information here https://support.ubi.com/en-GB/FAQ.aspx?platformid=60&brandid=2030&productid=3888&faqid=kA030000000eYYxCAM.
For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com/
We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.
The Ubisoft team
I like how their website tosses up an error saying I "need to enable cookies" even though I do in fact have cookies turned on. Only thing I am blocking is their attempts to track me by including google analytics.. I can use their password change just fine if I use an incognito window (which temporarily disables my plugins).
I suppose the original fault lies with me for creating an account with these goofballs.
That last one is the most important.
Unlike an email sent to me a few months ago by a major credit card provider I had a card with, telling me I may have had a card theft, and asking me to click a link to confirm whether or not I had made a particular purchase. The link went to a completely gibberish link that had no obvious connection to the bank in question. It was very obviously a phish.
Turns out, nope, it was totally legitimate, that card *had* been used to make an unauthorized transaction, and that bank completely failed to understand that emails which aren't phishes, shouldn't look like phishes. Even when I submitted a complaint to them. (Their response: this is a legitimate email. My response, which they completely ignored: "I know it is. I'm telling you it doesn't *look* like one, at all, and perhaps you should fix that." Grah.)
Weak case: MD5 is known to be insecure (very vulnerable to collision attacks), and presuming it was secure, this unsalted list of passwords was vulnerable to a rainbow attack. Similarly a short salt is still vulnerable to a rainbow attack. I understand that bcrypt and sha512 are popular these days. I personally like my salt to be the same length as the resulting hash and of course different for each password - I think this makes a rainbow list attack as complex as the birthday attack on average.
Secure Remote Password protocol is more than a decade old:
http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
Why aren't more companies using it?
Hackers can't steal passwords if your server doesn't have the passwords to begin with.
While we should be able to assume that the hashes were salted, there have been other breaches in the past year in which the exposed password hashes were not salted. A quick web search turned up drupal.org and LinkedIn. Also, many other companies, like Sony, specified when they disclosed their breach that the password hashes were salted. As Ubisoft did not opt to specify and have not responded to the question anywhere as of yet, I am operating under the assumption that they did not, in fact, salt their password hashes. In 2013, any DBA should understand the importance of salting password hashes and insist on always doing so. In my opinion, any company over a certain size that not only fails to secure the contents of their account table against an attack and weren't even bothering to salt their passwords should be subject to fines and/or civil liabilities.
(no sig)
You have to accept their site cookies when trying to change your password. Cookies from a site belonging to a compromised system rubs me the wrong way for some reason.
Bark less. Wag more.
What's even worse is that Ubisoft sent a plain-text email to everyone that incorporates a link to reset your password. Click on the link, and you are taken to a form where you can reset your password. The thing is, this form doesn't even require you to enter your old password. So, if anyone got their hands on this email, they have immediate access to you account anyway! Ubisoft started with a bad situation and made it a lot worse!
You didn't properly treat it like Schrodinger's email. Trust the info, without trusting the email. It's both legitimate and a pfish at the same time. Your credit card company sends you a "click here" email with a funny address? Call the number on the back of your card, and hit the number for "fraud" (the quickest way to get to a human). If the email is real, then you'll get it taken care of. If it's not legit, they'll listen to your recount of the phish. There's never a reason to click a link in a email. At best, it's a shortcut to info you'd get if you typed it in yourself, so always type it in.
Learn to love Alaska
Right. I agree with everything said completely. My complaint, and it bothered me quite a lot, is that I explained all of that to the bank in question, and they completely didn't even understand at all why I was complaining. *I* know to check whether it was a phishing scam or not by calling the number listed on my card (which, oh by the way, the email also had a number listed that you could call if you had questions... which was not the number on my card, and in fact, wasn't mentioned, as far as I could tell, anywhere on the bank's web site). But, if it had been a phish instead of a really terribly crafted legitimate helpful email, would my computer-illiterate mom have known?
We spend so much effort trying to educate people less knowledgeable about computery things in important matters like "how do you recognize a phish", that it completely blew my mind that they would ruin that with an email that *did* look like a phish, and expect us to click on the link and be happy.
According to an article on Ars Technica, salted hashes are no longer relevant - they are cracking the hashes anyway without using rainbow tables. Using SHA256 instead of MD5 has more benefits in this regard than salted vs. unsalted.
The ever-unpopular Steve Gibson covered this, saying the solution is memory-hard hashing.
(Ctrl+f for "simplified".)
That article is not an argument for not using salted hashes. Just because salt doesn't help prevent brute-force attacks, doesn't mean that salting is worthless. If nobody bothered to salt hashes, rainbow tables would become common again. (The reason nobody uses rainbow tables these days is because most lists are salted, rendering the rainbow table ineffective.)
Unfortunately, using hashes that take longer to calculate just moves the problem forward a few years.
Wolde you bothe eate your cake, and have your cake?
Well, *they* sent it so it couldn't have been a phish.
Their logic is impeccable, even if wrong. I've received similar from my bank, and it was well worded to encourage people to type in the site, and not to rely on links in emails, even the one sent by them.
Learn to love Alaska