Ubisoft Hacked As Passwords Pilfered

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Ubisoft attacked again – Knights Templar not suspected

Games developer Ubisoft has been hacked for the second time in a year and this time login details have been compromised, causing plenty of upset amongst customers.

The producer of games such as Assassin’s Creed admitted one of its websites was exploited after credentials were stolen, allowing hackers to access certain online systems and login information of Uplay users. As many as 58 million users could have been affected.

Ubisoft undone again

“Data were illegally accessed from our account database, including user names, email addresses and encrypted passwords,” Ubisoft noted in a forum post.

“No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

“We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to restore the integrity of any compromised systems.

“We instantly began working to restore the integrity of any compromised systems and are continuing to investigate the incident.”

It appears Ubisoft has used basic hashing to protect passwords, noting the encryption “cannot be reversed but could be cracked, in particular if the password chosen is weak”. It is unclear whether salting has also been used for an extra layer of protection, and the company had not responded to a request for additional detail from TechWeekEurope.
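The difference between plain hashing and salted, slow hashing can be shown in a few lines. This is an added example, not Ubisoft's code: the scheme Ubisoft used is not known, and the choice of SHA-256, PBKDF2, the work factor and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users picked the same weak password.
USERS = {"alice": "assassin1", "bob": "assassin1", "carol": "v9#Lq2!xTz-uplay"}
PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def unsalted_record(password):
    """Weak scheme: one fast, unsalted SHA-256 digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password, salt=None):
    """Stronger scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key

def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], key)

def shared_digests(records):
    """Count accounts whose stored value equals another account's."""
    values = list(records.values())
    return sum(1 for v in values if values.count(v) > 1)

def exposed_by_wordlist(records, wordlist):
    """Audit: accounts whose unsalted digest appears in a precomputed table."""
    table = {unsalted_record(w) for w in wordlist}
    return sorted(user for user, digest in records.items() if digest in table)

if __name__ == "__main__":
    unsalted = {u: unsalted_record(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    print("identical unsalted digests:", shared_digests(unsalted))
    print("identical salted records:  ", shared_digests(salted))
    print("matched by common-password list:",
          exposed_by_wordlist(unsalted, ["password", "123456", "assassin1"]))
    print("salted login check:", verify("assassin1", *salted["alice"]))
```

With unsalted hashing, every account that shares a weak password shares a digest, so one precomputed table covers all of them; with a per-user salt each record has to be worked on separately, and the slow key derivation makes each guess expensive.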

The firm recommended users change their passwords for both their Ubisoft accounts and others where the same or similar passwords are used.

Users have let their ire be known across social networks and on the Ubisoft forum. “I will be deleting this account,” declared one gamer. “And for future reference, I will never buy nor play another Uplay enabled Ubisoft game on Xbox that requires me to make another account on here. You had one job, keep my account information safe.”

It appears some have had problems trying to reset their passwords, claiming the site Ubisoft pointed to was not working correctly. Others said Gmail had sent their password reset emails into the spam folder.

“The handling of the breach has not been as good as it could have been,” Chris Boyd, senior threat researcher at ThreatTrack Security, told TechWeek.

“And the maximum password length is 16 characters long, which isn’t really enough in an age where many popular sites and services will allow up to 100 characters or more, alongside additional security features such as two factor login and authentication devices.”

This is not the first time Ubisoft has had a problem with Uplay security. In July 2012, it rushed out a patch for a flaw in the Uplay browser plug-in, after Google security researcher Tavis Ormandy found specially-crafted websites could force computers with the plug-in running to open certain programs, possibly malicious ones.

Earlier this year, an attack on Ubisoft allowed hackers to download games without paying, including the then unreleased Far Cry 3: Blood Dragon.
