Slashdot Mirror


Ubisoft Hacked, Account Data Compromised

Freshly Exhumed writes "There's a new security breach announcement over at the website of game publisher and developer Ubisoft today. Quoting: 'We recently found that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems. During this process, we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion. As a result, we are recommending you to change your password by clicking this link.'"

30 of 138 comments

  1. should of killed the DRM system by Joe_Dragon · · Score: 4, Funny

    at the same time they got in

    1. Re:should of killed the DRM system by Anonymous Coward · · Score: 5, Funny

      Right, because that's how hacking works. After the bright red meter labeled "Accessing Secret Files From Gibson" filled up, they could have just pressed the glowing green button that said "Kill The DRM System". How silly of them to have missed that.

    2. Re:should of killed the DRM system by Anonymous Coward · · Score: 5, Insightful

      We never had this problem when I was playing Road Rash and Screamer and Doom and Quake and Duke Nukem, because the game publishers never had any personal info of ours to lose in a security breach. You paid your cash for the game, put the CD in, installed, and played.

      In the late eighties we got rid of DRM by refusing to buy software with it. Lots of companies went out of business because of DRM. All they had to do was wait for a more gullible and docile generation to come along and bring it back.

      DRM is the biggest reason I stopped gaming (that, and none of the new games were as good as the old ones, even if the artwork was better). I wonder how many other customers DRM has cost these morons? Keep shooting, ubisoft, you have more feet and bullets left.

    3. Re:should of killed the DRM system by ArcadeMan · · Score: 5, Funny

      To see my reply, please enter the 3rd word of the 7th paragraph on page 12 of your game book.

    4. Re:should of killed the DRM system by g0bshiTe · · Score: 4, Insightful

      I for one enjoy my non-purchased DRM bypassed games!

      --
      I am Bennett Haselton! I am Bennett Haselton!
    5. Re:should of killed the DRM system by nigelo · · Score: 2

      He only said it on accident.

      --
      *Still* negative function...
    6. Re:should of killed the DRM system by TheCycoONE · · Score: 2, Insightful

      I guess we lived in different 80s. The way I remember it there was a random list of things to look up and they had to be entered every game. I also remember on my Commodore 64 that most commercial game disks wouldn't copy (without hacking tools to copy bad sectors etc.), and wouldn't work on drives other than the 1541 because they relied on particular idiosyncrasies in that drive to enforce their protection.

      The only reason they didn't make you connect to their servers is that modems weren't common.

    7. Re:should of killed the DRM system by AK+Marc · · Score: 2

      Prison guards at Auschwitz don't deserve to be employed. Yes, when people do evil, even on someone else's orders, they are worse for it. And why does a programmer "deserve" a job? There are plenty of unemployed people who would love to have one of those "deserved" jobs.

  2. Re:The point? by flonker · · Score: 2

    The point is to minimize the amount of information you actually have. You don't need to know the password itself, you only need to know that they know the password. So, you store just enough information to be able to check that the person attempting to log in knows the password.

  3. Re:The point? by dos1 · · Score: 2

    Hashing is not encryption. I think that's what that comment was about, just in an ambiguously sarcastic way.

  4. Re:Assume Everything is Compromised by Ectospheno · · Score: 2

    Which is why unique is the most important quality of a password. People that did that are yawning while they change this one password and go about their day.

  5. Great job there, UbiSoft by Anonymous Coward · · Score: 4, Insightful

    I never wanted to sign up for your crappy service in the first place, but was forced to just so I could play a game I already legally purchased.

    Fuck you, UbiSoft!

  6. Re:The point? by uberbrainchild · · Score: 2

    I wish they told us how they were hashed and if they used a salt so that we might get an idea of how many minutes we have to change the password on any accounts with the same password. Luckily for me though I have different pws for almost everything. Maybe this will prompt them to make uplay better... I remember when I tried the Heroes game and got tired of playing once the multiplayer games stopped syncing and it became unplayable. Eh, I was just as disappointed with Sim City 5... board games tend to work most of the time though

    --
    Anveto
  7. Seems legit. by ernest.cunningham · · Score: 5, Funny

    Your account details have been hacked.....click this link to reset your password.
    Seems legit!

  8. Re:"This isn't phishing, really!" by Anonymous Coward · · Score: 2, Interesting

    Of course leave out the link. Email is plain text, not HTML.
    If I get an email from somewhere I have an account, I know how to get to the site.

  9. Re:The point? by Sir_Sri · · Score: 3, Interesting

    Plenty of time, as less than an hour after the hack occurred, for ~60% of users.

    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

  10. Re:"This isn't phishing, really!" by Sir_Sri · · Score: 2

    That's nearly what I did (delete it on sight). Their main page at ubisoft.com needs to have a message about this rather than just an 'under maintenance' type message.

  11. Re:The point? by afidel · · Score: 2

    Only if they aren't salted.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  12. Re:The point? by BlueMonk · · Score: 2

    I think there's a little bit of disconnect between the people asking this question and the people answering this question. I think the people asking the question are wondering "Why encrypt the piece of information that lets you get at the rest of the information if the rest of the information is right there plain as day?" and the people answering the question are explaining, "passwords use one way encryption so they can't easily be hacked." Yes, one important reason for encrypting the password is to allow some time for users to change their passwords before the passwords are cracked. But I think to answer the question more directly, passwords often give access to a lot more information than just what might have been compromised. Yes the cracker got a hold of a lot of un-encrypted information in this case, but if the passwords were also in plain text, they might have been able to get more information than they did. Some people use the same password for multiple sites, and some sites may store information in multiple locations so that the password could have provided access to more information than what was lost. If passwords were stored in plain text, someone would need only to be able to see the password in order to access all of a user's information, and sometimes that's easier than getting all the information that the password protects.

  13. Re:Why does Ubisoft need to store a password? by Imagix · · Score: 2

    Because when the federated identity system gets broken in the same manner, the attacker doesn't have access to everything you use.

  14. What Ubisoft Does Best by Somebody+Is+Using+My · · Score: 4, Interesting

    Attempting to log onto their website, I get the following warning:

    For security reasons we recommend that you change your password

    and a link to change the password.

    Interestingly, there is no option to log-on /without/ changing the password. "Recommend" apparently means "you have no choice" in UbiSpeak.

    Unfortunately, since the email address I used to register the account is no longer active, and there is no option to update the email address (since I can't log-on at all) I guess I'm screwed (silly me for not keeping my info up to date on a service I had little interest in joining except that it was forced on me to play a game I had legally purchased).

    So, I guess it's par for the course for you guys at Ubisoft; you've screwed me over again. Great job, guys; first you force me to sign up to UPlay in the first place, then you screw up by leaking the log-in info all over the net and now you prevent me from changing my password. Maybe you can block access to the games I paid for as well just to round out the whole experience.

  15. The actual e-mail for reference by jones_supa · · Score: 3, Insightful

    Security update regarding your Ubisoft account
    - please create a new password

    Dear Member,

    We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

    During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

    As a result, we are recommending that you change the password for your account: <account name>

    To enter your new password, click the link below: https://secure.ubi.com/register/ResetPassword.aspx?...

    Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.

    You can find more information here https://support.ubi.com/en-GB/FAQ.aspx?platformid=60&brandid=2030&productid=3888&faqid=kA030000000eYYxCAM.

    For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com/

    We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.

    The Ubisoft team

  16. Cookie requirement? C'mon guys. by Xzzy · · Score: 4, Interesting

    I like how their website tosses up an error saying I "need to enable cookies" even though I do in fact have cookies turned on. The only thing I am blocking is their attempts to track me by including Google Analytics. I can use their password change just fine if I use an incognito window (which temporarily disables my plugins).

    I suppose the original fault lies with me for creating an account with these goofballs.

  17. Re:Seriously? by neminem · · Score: 2

    That last one is the most important.

    Unlike an email sent to me a few months ago by a major credit card provider I had a card with, telling me I may have had a card theft, and asking me to click a link to confirm whether or not I had made a particular purchase. The link went to a completely gibberish link that had no obvious connection to the bank in question. It was very obviously a phish.

    Turns out, nope, it was totally legitimate, that card *had* been used to make an unauthorized transaction, and that bank completely failed to understand that emails which aren't phishes, shouldn't look like phishes. Even when I submitted a complaint to them. (Their response: this is a legitimate email. My response, which they completely ignored: "I know it is. I'm telling you it doesn't *look* like one, at all, and perhaps you should fix that." Grah.)

  18. Re:The point? by TheCycoONE · · Score: 2

    Weak case: MD5 is known to be insecure (very vulnerable to collision attacks), and presuming it was secure, this unsalted list of passwords was vulnerable to a rainbow attack. Similarly a short salt is still vulnerable to a rainbow attack. I understand that bcrypt and sha512 are popular these days. I personally like my salt to be the same length as the resulting hash and of course different for each password - I think this makes a rainbow list attack as complex as the birthday attack on average.

  19. Re:The point? by Kongming · · Score: 2

    While we should be able to assume that the hashes were salted, there have been other breaches in the past year in which the exposed password hashes were not salted. A quick web search turned up drupal.org and LinkedIn. Also, many other companies, like Sony, specified when they disclosed their breach that the password hashes were salted. As Ubisoft did not opt to specify and have not responded to the question anywhere as of yet, I am operating under the assumption that they did not, in fact, salt their password hashes. In 2013, any DBA should understand the importance of salting password hashes and insist on always doing so. In my opinion, any company over a certain size that not only fails to secure the contents of their account table against an attack and weren't even bothering to salt their passwords should be subject to fines and/or civil liabilities.

    --
    (no sig)
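The two points made in this sub-thread, flonker's "store just enough information to check that they know the password" and the salting discussion from TheCycoONE and Kongming, are easy to demonstrate side by side. The following is an added example written for this mirror, not code from Ubisoft or from any poster. It assumes PBKDF2-HMAC-SHA256 as the slow, salted hash (chosen because it ships in Python's standard library; bcrypt, mentioned in the thread, is the usual alternative), a deliberately modest iteration count so the demo runs quickly, and a constructed set of three sample accounts, two of which share a password.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts for the demonstration (not real data).
# alice and bob share a password so the unsalted/salted difference is visible.
USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "correct horse battery staple",
}

# Assumption: kept low so the example runs in well under a second.
# Production deployments use a much higher count tuned to their hardware.
PBKDF2_ITERATIONS = 50_000


def unsalted_md5(password: str) -> str:
    """The weak scheme the thread worries about: one fixed hash per password, no salt.
    Every user with the same password gets the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_verifier(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Build the record that is stored instead of the password itself.

    Only the salt, the cost parameter and the derived hash are kept; that is
    exactly enough to check a later login attempt and nothing more."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "salt": salt.hex(),
        "iterations": str(PBKDF2_ITERATIONS),
        "hash": digest.hex(),
    }


def verify(password: str, record: Dict[str, str]) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        int(record["iterations"]),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def precomputed_hits(stored: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Model the precomputation risk: against unsalted hashes, hashing each
    candidate word once produces a table that covers every user at once.
    Returns the users whose stored hash appears in the table."""
    table = {unsalted_md5(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_values_collide(records: Dict[str, Dict[str, str]]) -> bool:
    """True if any two users share an identical stored hash (never, with salts)."""
    hashes = [r["hash"] for r in records.values()]
    return len(hashes) != len(set(hashes))


if __name__ == "__main__":
    # Constructed "leaked table" in the weak scheme vs the salted scheme.
    weak_table = {u: unsalted_md5(p) for u, p in USERS.items()}
    salted_table = {u: make_verifier(p) for u, p in USERS.items()}

    # A tiny constructed wordlist is enough to expose every reuse of hunter2.
    print("unsalted hits:", precomputed_hits(weak_table, ["password", "hunter2"]))
    print("salted records share a hash?", salted_values_collide(salted_table))
    print("alice logs in:", verify("hunter2", salted_table["alice"]))
    print("alice wrong pw:", verify("hunter3", salted_table["alice"]))
```

The stored record never contains the password, so a copy of the table only lets the holder re-run the derivation per user per guess; the per-user salt is what turns one shared precomputed table into one full computation per account, which is the cost increase the salting comments are describing.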
  20. Re:Amusing.. by HTMLSpinnr · · Score: 2

    Gmail flagged Ubisoft's email as spam and potentially bogus. I wonder how many people will think it's just another phishing attempt and ignore it now.

    I actually read the source of the email to confirm the embedded links were legitimate before marking it as "Not Phishing".

    Really sucks for Ubisoft that their notification system will go unheard by many Gmail users!

    --
    $ man woman *
    -bash: /usr/bin/man: Argument list too long
  21. Re:Seriously? by AK+Marc · · Score: 2

    You didn't properly treat it like Schrödinger's email. Trust the info, without trusting the email. It's both legitimate and a phish at the same time. Your credit card company sends you a "click here" email with a funny address? Call the number on the back of your card, and hit the number for "fraud" (the quickest way to get to a human). If the email is real, then you'll get it taken care of. If it's not legit, they'll listen to your recount of the phish. There's never a reason to click a link in an email. At best, it's a shortcut to info you'd get if you typed it in yourself, so always type it in.

  22. Re:Seriously? by neminem · · Score: 2

    Right. I agree with everything said completely. My complaint, and it bothered me quite a lot, is that I explained all of that to the bank in question, and they completely didn't even understand at all why I was complaining. *I* know to check whether it was a phishing scam or not by calling the number listed on my card (which, oh by the way, the email also had a number listed that you could call if you had questions... which was not the number on my card, and in fact, wasn't mentioned, as far as I could tell, anywhere on the bank's web site). But, if it had been a phish instead of a really terribly crafted legitimate helpful email, would my computer-illiterate mom have known?
    We spend so much effort trying to educate people less knowledgeable about computery things in important matters like "how do you recognize a phish", that it completely blew my mind that they would ruin that with an email that *did* look like a phish, and expect us to click on the link and be happy.

  23. Re:Seriously? by AK+Marc · · Score: 2

    Well, *they* sent it so it couldn't have been a phish.

    Their logic is impeccable, even if wrong. I've received similar from my bank, and it was well worded to encourage people to type in the site, and not to rely on links in emails, even the one sent by them.