OFFICIAL SECURITY BLOG
July 2, 2013 | BY Jérôme Segura
French video game developer and publisher Ubisoft suffered a hack of one of its websites, according to a statement published today. Customer data including names, emails and encrypted passwords was accessed by unauthorized third parties and should now be considered part of the public domain.
It is not clear how the breach happened, as Ubisoft declined to share all the details: “Credentials were stolen and used to illegally access our online network. We can’t go into specifics for security reasons.” However, their comment seems to suggest that a Ubisoft employee’s credentials were stolen (a spear phishing attack, perhaps?) and that those credentials were sufficient to access sensitive data.
The company prompted its users to change their passwords immediately while insisting the passwords were not stored in plain text but encrypted, which makes it more difficult for the bad guys to retrieve them.
Despite coming forward and apologizing, Ubisoft is getting hit with hundreds of nasty comments on its forum, although many are uncalled for:
“Congrats UBISOFT for making me change all my passwords for everything I use. Bank, Credit Cards, Email, Utilities, Cell Phone, College. How about some compensation! Your ignorance leads to unnecessary burdens on your users. This bit of having accounts compromised has grown old. Nobody learned anything from Sony. The Uplay thing is junk and there’s no reason for it. Played hawx back in 2006 forget I even had a UBISOFT account. Didn’t realize you guys even existed anymore.”
If that person is using the same password for Uplay as his banking account then I really don’t feel sorry for him.
Here are some things to take away from this: