Slashdot Mirror


Epic Games Forums Hacked, Again (betanews.com)

An anonymous reader writes: Epic Games, maker of popular games such as Unreal and Infinity Blade, announced today that its forums have been hacked. Now, if you don't reuse passwords, that isn't a huge deal. But if you have used the same password on any service, perhaps even a variation of that password, you will want to ensure that you have changed the passwords of all your accounts. In the meantime, here's Epic Games: "We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset", says Epic Games. ZDNet is reporting that thousands of passwords have been stolen.

38 comments

  1. Hmmmm by Anonymous Coward · · Score: 0

    Probably the "Russians".....................

  2. Which one is it? by Calydor · · Score: 1

    Epic Games says passwords were not taken in any way. ZDNet says they were. Summary says to change your passwords elsewhere if they're the same or similar.

    Are we assuming Epic Games is lying about the scope of the breach?

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re:Which one is it? by sexconker · · Score: 1

      Are you assuming the "editors" edit?
      Are you assuming the "anonymous reader" who posted this submission wasn't a bot or a Slashdot "editor" filling a daily quota of shitty front page articles?

    2. Re:Which one is it? by mattventura · · Score: 2

      There were two different compromises. One of them involved salted+hashed passwords, the other involved no passwords. Crappy ZD clickbait headline+poor /. editing.

    3. Re: Which one is it? by Anonymous Coward · · Score: 0

      #EditorLivesMatter

    4. Re:Which one is it? by Anonymous Coward · · Score: 0

      Epic Games says passwords were not taken in any way. ZDNet says they were.

      Notice that ZDNet doesn't specifically say where passwords were stolen from. Most likely whoever got a hold of the email addresses then proceeded to break into the email accounts through a variety of known methods. Voila, passwords 'stolen'.

    5. Re:Which one is it? by Anonymous Coward · · Score: 0

      Read the entire article and shut the fuck up.

  3. likely more forums sql injection by Joe_Dragon · · Score: 1

    likely more forums sql injection.

    It seems like just about any forums site out there is open to that.

  4. Cat got my tongue (subjects are dumb) by Anonymous Coward · · Score: 0

    Question 1: Who the hell reuses passwords, and why? Anyone left not using password managers?

    Question 2: If passwords were not compromised, why should anyone worry even if they used the same password elsewhere?

    Question 3: If passwords were stored using any common sense method like salting and hashing, why would anyone care, even if they were compromised?

    1. Re:Cat got my tongue (subjects are dumb) by Calydor · · Score: 1

      Reusing passwords for all the non-critical crap isn't necessarily a bad idea. If a site is just 'a place' to you, with no access to your credit card or anything that can cost you money, may as well make logging in easy.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:Cat got my tongue (subjects are dumb) by davidwr · · Score: 1

      Question 1: Who the hell reuses passwords, and why? Anyone left not using password managers?

      I don't trust my password manager to not be broken into without me knowing about it.

      If someone breaks into my brain, I'll probably know about it ("Hey, put the rubber hose down! I give, just tell me what password you need!").

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    3. Re:Cat got my tongue (subjects are dumb) by dgatwood · · Score: 1

      Question 1: Who the hell reuses passwords, and why? Anyone left not using password managers?

      Statistically, almost everyone:

      • Anyone who created at least one account more than a few years ago and has continued using it without changing his/her password
      • Anyone who is using a site that doesn't support the browser's built-in password manager (usually by not showing a username field)

      There are probably others, but most users have at least a few sites that use shared passwords, and most of them are the fault of the people who designed the websites.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:Cat got my tongue (subjects are dumb) by The-Ixian · · Score: 1

      I think one of the problems of this is that even though the site (say a forum) is not valuable to you, it could be used to "spoof" your identity to someone else.

      It just takes one gullible help desk guy at an organization you DO care about to be fooled into thinking the attacker is actually the victim.

      As with most vulnerabilities, all you need to start with is a toe-hold. Once you have that, you can start leveraging other exploits until, ultimately, you end up with the victim's important stuff.

      If you can close the holes on the small stuff, then you have less to worry about.

      --
      My eyes reflect the stars and a smile lights up my face.
  5. Too bad by Billly+Gates · · Score: 1

    Their games are not compatible with Windows 7 with unreal tournament 99 and ut2004 has issues with Windows 10.

    I just bought them on steam and am disappointed. Was about to register an account on epic forums and glad I didn't.

    1. Re:Too bad by Anonymous Coward · · Score: 0

      Get the unreal tournament 2004 64 bit version update. It works fine on windows 10, including the gamma adjuster.

    2. Re:Too bad by Lehk228 · · Score: 1

      only issue I had was fullscreen not working, but it was quite a while ago as I have neglected to replace my failed DVD-RW drive.

      --
      Snowden and Manning are heroes.
  6. Use a password manager by ilsaloving · · Score: 3, Interesting

    I'll get this in now before it gets buried in comments: Use a password manager. The internet is too risky to be re-using passwords. Although there are various free ones out there, I went and bought 1password. It runs on Windows, OSX, iOS and Android. It has a read-only version that works in Linux. (I wish they'd make a Linux version, but as of yet, they haven't) It also has plugins for every major browser out there. It can also sync your passwords between multiple devices.

    You can use it to keep track of all your passwords, and will even generate random passwords for you.

    Nowadays, the risk of password re-use is just too high, and you're basically playing Russian roulette with someone from a far off country just itching to steal your identity info, or cause havoc in some other way.

    1. Re:Use a password manager by ilsaloving · · Score: 1

      Wow, I just checked, and the field has gotten a lot bigger than I last remembered:

      http://alternativeto.net/softw...

    2. Re:Use a password manager by L'Ange+Oliver · · Score: 2

      You can also take the habit to always log in to your services through the "I forgot my password" options. At least it saves you from having to remember the password to your password manager!

    3. Re:Use a password manager by The-Ixian · · Score: 1

      This just opens up more opportunities for a MITM to screw with you. E-mail is not secure. SMS is not secure.

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re:Use a password manager by Fnord666 · · Score: 1

      Although there are various free ones out there, I went and bought 1password. It runs on Windows, OSX, iOS and Android.

      1Password is nice if you don't mind paying separately for each platform you want to run it on. I used it a long time ago but dropped it when they started this. There are too many other options out there, both free and commercial, that support multiple platforms for a single fee.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    5. Re:Use a password manager by ilsaloving · · Score: 1

      That is true. I went ahead and bit the bullet cause I couldn't find anything else that had its feature set. Its broad platform and browser support, multiple vaults, and general polish of the application are very benefits to me. I was also able to get the desktop version on sale, which also helped. :)

      The only thing missing for me, is the lack of Linux support, and its limited sync support (ie: It only supports dropbox and icloud).

      If you can suggest a tool that can do what 1password does, AND supports Linux and, say, owncloud, I would very seriously consider it.

      My desired features for an ideal password manager:
      -Support for Windows, Mac, Linux, iOS, Android
      -Support all major browsers (Chrome, Firefox, Safari, Opera)
      -Strong encryption
      -Can handle multiple vaults simultaneously and seamlessly
      -Support for various sync solutions including Dropbox, Box, OwnCloud, etc. (my preference being OwnCloud)

  7. Bigger scope than you think by Anonymous Coward · · Score: 1, Informative

    You have to log into an Epic account if you do any work with UE. Thanks a lot Epic, you're really inspiring me to choose you over CryEngine or Unity.

    1. Re:Bigger scope than you think by spire3661 · · Score: 1

      You mean like every other company out there now? DCS, Blizzard, EA, GoG, Steam, Microsoft, Autodesk, Adobe.....These are just the clients I personally have installed.

      --
      Good-bye
  8. I'm in trouble by Anonymous Coward · · Score: 1

    My Slashdot password is

    is my Epic Games password XOR'd with a randomly-generated password, then XOR'd with my Epic Games password again (twice is better than once!).

    All of my other important passwords follow the same pattern, but with a different randomly-generated password.

    I guess I'll have to go change them all now.

    1. Re:I'm in trouble by Anonymous Coward · · Score: 0

      Considering AC has no password, does that make all your other passwords null? SAD!

  9. Re: Another failure of big government. by Anonymous Coward · · Score: 0

    I know our govt is epic and all but.. ;)

    Did I just get whooshed?

  10. Re: Another failure of big government. by Anonymous Coward · · Score: 0

    The only whoosh you should get is when you put your trust in big government.

  11. THE FBI HACKED IT. by Anonymous Coward · · Score: 0

    This is more tying in of your various accounts for their databases. They seem to think they should hack every large user base "anything" then push the story out. People who have no problems with old passwords don't ever change them and they don't get associated with "everything else" in that person's life unless they pull a stunt.

    The same goes with "2 factor" account security. It just ties your account to government databases on you that already exist. Your phone is generally your real name as is your bank card.

  12. vBulletin by Anonymous Coward · · Score: 0

    Sounds like this is the third vBulletin hack of a gaming forum in 2 weeks. Moral of the story: if you use an older version of the vBulletin software and are running a forum that relates to gaming, either prepare to upgrade or prepare an announcement that you've been hacked.

  13. Re:Another failure of big government. by Anonymous Coward · · Score: 0

    Looks like some mod's sarcasm detector is broken.

  14. Was it an EPIC hack? by Anonymous Coward · · Score: 0

    If this hack will be talked about for many years to come, this hack of Epic should hereto forthwith be referred to as "The epic hack of Epic."

  15. uh...duh? by Anonymous Coward · · Score: 0

    This is why you DO NOT STORE a plaintext password.

  16. Mozilla Firefox by DrYak · · Score: 1

    Mozilla has their own password manager as part of their sync service.

    And if you don't trust them, you can even sync using your own home server (I think I remember that you need WebDAV for that.)

    And that one works *also* on Linux.

    And in addition to a password manager, you should enable 2 factors on anything critical: Your banks, e-mail address that you use for password recovery, OAuth and OpenID providers that you use to log elsewhere (like Google or Facebook), etc.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]