Ubisoft Hacked

  • 02-07-2013 5:21pm
    #1
    Closed Accounts Posts: 1,467 ✭✭✭


    Just a heads up - official forums.
    Hello All,

    We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems.

    During this process, we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

    As a result, we are recommending you to change your password by clicking this link.

    https://secure.ubi.com/register/Forg.../www.uplay.com

    Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.

    Additional information can be found here and an official forum thread -- http://forums.ubi.com/forumdisplay.p...a-new-password -- has been created for you to post your questions.

    We sincerely apologise for any inconvenience and thank you for your understanding
    The Ubisoft team



Comments

  • Registered Users, Registered Users 2 Posts: 2,835 ✭✭✭Falthyron


    Yeah, I just received an email asking me to change my password. It also recommends changing the password of other sites/services that use the same email/password.


  • Registered Users, Registered Users 2 Posts: 55,395 ✭✭✭✭Headshot


    FFS I'm so pissed off by companies not protecting my ****ing details


  • Closed Accounts Posts: 4,660 ✭✭✭COYVB


    Headshot wrote: »
    FFS I'm so pissed off by companies not protecting my ****ing details

    It's not as if they sit them in an open folder on a public facing FTP in fairness. Everything can be hacked, sadly


  • Registered Users, Registered Users 2 Posts: 55,395 ✭✭✭✭Headshot


    It's nearly a year today that the last hack happened, you would think they would have learned
    What's the betting they did **** all after the first hack..


  • Moderators Posts: 5,580 ✭✭✭Azza


    Got the e-mail, changed my password fast and simple, although I'd appreciate it if they could do a better job with the security of U-Play, think this is the second security breach they have had.


  • Registered Users, Registered Users 2 Posts: 14,464 ✭✭✭✭Potential-Monke


    I'm running out of passwords and starting to forget others... :(


  • Closed Accounts Posts: 4,660 ✭✭✭COYVB


    Headshot wrote: »
    What's the betting they did **** all after the first hack..

    I doubt that tbh


  • Closed Accounts Posts: 1,856 ✭✭✭Clover


    Got the email also, nice and straightforward to change the password.


  • Closed Accounts Posts: 7,645 ✭✭✭Daemos


    Headshot wrote: »
    FFS I'm so pissed off by companies not protecting my ****ing details
    I find it strange how people blame the companies who get hacked more than the people who do the hacking? :confused:


  • Closed Accounts Posts: 1,467 ✭✭✭McSasquatch


    I'm running out of passwords and starting to forget others... :(

    Had this problem too, so have started using a password manager... Getting old I tells ya. :o


  • Registered Users, Registered Users 2 Posts: 55,395 ✭✭✭✭Headshot


    Daemos wrote: »
    I find it strange how people blame the companies who get hacked more than the people who do the hacking? :confused:

    Of course they are pricks but you can't stop pricks, who do I blame/give out about?

    You even see some companies that make it piss easy for hackers (videogame plus), it isn't on in my books for a company to be hacked twice now


  • Closed Accounts Posts: 4,660 ✭✭✭COYVB


    Headshot wrote: »
    Of course they are pricks but you can't stop pricks, who do I blame/give out about?

    Good idea. Let's not blame the people doing it, let's blame the people they're doing it to

    You have the same view of rapists or what?


  • Registered Users, Registered Users 2 Posts: 55,395 ✭✭✭✭Headshot


    COYVB wrote: »
    Good idea. Let's not blame the people doing it, let's blame the people they're doing it to

    You have the same view of rapists or what?
    man you're annoying


    I blame the companies that have pathetic security. If the company had proper security we wouldn't have all these hacks, granted we'll always get hacks but not to this level

    Hackers are pieces of garbage and should be treated as such but it's easy to give out about hackers but when companies don't protect your details, they get most of the blame imo.


  • Registered Users, Registered Users 2 Posts: 1,500 ✭✭✭wayne040576


    Headshot wrote: »
    man you're annoying


    I blame the companies that have pathetic security. If the company had proper security we wouldn't have all these hacks, granted we'll always get hacks but not to this level

    Hackers are pieces of garbage and should be treated as such but it's easy to give out about hackers but when companies don't protect your details, they get most of the blame imo.

    How do you know they have pathetic security? And how do you know having 'proper' security would prevent it? What's proper security anyway?


  • Registered Users, Registered Users 2 Posts: 55,395 ✭✭✭✭Headshot


    2 hacks within a year doesn't paint a good picture


  • Registered Users, Registered Users 2 Posts: 1,500 ✭✭✭wayne040576


    Headshot wrote: »
    2 hacks within a year doesn't paint a good picture

    Blizzard have been hacked a few times recently too despite having more security procedures in place than most.
    Microsoft have had a history of social engineering hacks in the last year as well on xbox live as have several companies. It happens all the time. If you know what you're doing and keep prodding, no security will keep you out.


  • Registered Users, Registered Users 2 Posts: 55,395 ✭✭✭✭Headshot


    http://www.computerandvideogames.com/360662/uplay-security-flaw-a-huge-risk-says-hack-expert/
    Ubisoft must patch its uPlay online service "as a matter of urgency", an online security expert has told CVG.

    Early reports indicate that Ubisoft's online PC network has been hacked into with new exposed data suggesting that the service includes an alleged "rootkit"; a term given for software that gains privileged access onto sensitive computer files.

    Ubisoft has declined to comment at this early stage.

    Rik Ferguson, the director of security research at Trend Micro, challenged the assumption that the service features a rootkit.

    However, he added that the security flaw represents a huge risk and must be resolved immediately.

    "This certainly looks like an easily exploitable software flaw, but I'm not sure I would go as far as calling it a rootkit," Ferguson told CVG.

    "The reports state the exploitable code is in the form of a browser plugin, the plugin does not attempt to hide its presence on your system and can be relatively simply disabled. It's not a malicious root, just really bad code," he added.

    Ferguson's account reflects another IT expert's view, who told CVG that the exploit was likely an unintentional security vulnerability, as opposed to an intentional backdoor left in the system.

    uPlay is a mandatory service that registers PC games published by Ubisoft.

    Ferguson urged Ubisoft to fix the loophole as soon as possible now that the exploit is public information.

    "Pushing out such easily exploitable code, to such an easily targeted platform as a web browser through such a huge gaming population presents a huge risk and will of course be of interest to online criminals.

    "Ubisoft should be patching this code as a matter of urgency and in the meantime, gamers should be disabling the plug-in".


  • Closed Accounts Posts: 4,660 ✭✭✭COYVB


    Headshot wrote: »
    I blame the companies that have pathetic security. If the company had proper security we wouldn't have all these hacks, granted we'll always get hacks but not to this level

    But that's not true at all. Everything can be hacked. Ubisoft obviously DO have proper security, to think otherwise is absolute nonsense


  • Registered Users, Registered Users 2 Posts: 2,835 ✭✭✭Falthyron


    If you don't want your details being stolen then don't give them to free services. Nothing, NOTHING is 100% secure.

    Alternatively, don't go on the internet at all.


  • Registered Users, Registered Users 2 Posts: 55,395 ✭✭✭✭Headshot


    "Ubisoft installs a backdoor that allows any website to take over your computer. The Sony BMG rootkit was also DRM and required product recall when it was discovered."

    Another wrote: "I noticed the uPlay installation procedure creates a browser plugin for its accompanying uPlay launcher, which grants unexpectedly (at least to me) wide access to websites".

    Man that's bad


  • Registered Users, Registered Users 2 Posts: 1,500 ✭✭✭wayne040576


    That's last year's attack. I'm assuming they've fixed it by now :eek:
    But let me ask you this. With all of the hacks that have happened over the past couple of years have you updated your own personal security practices or are you still doing the same thing you always did? Do you use a different, strong password for every site and service that you use or are you using the same password on several sites?

    By the way a strong password is something like "58EL$mPx%Wsl" a completely random sequence of characters.


  • Registered Users, Registered Users 2 Posts: 55,395 ✭✭✭✭Headshot


    Oh ya my passwords are rock solid, hell I couldn't even remember them. I'm probably unfair on company websites being hacked tbh. Just the videogameplus hack which even I could have done lol (that simple) leaves a bad taste in my mouth.


  • Moderators, Category Moderators, Music Moderators, Politics Moderators, Society & Culture Moderators Posts: 22,360 CMod ✭✭✭✭Dravokivich


    Headshot wrote: »
    It's nearly a year today that the last hack happened, you would think they would have learned
    What's the betting they did **** all after the first hack..

    The last uplay hacking was of their store primarily software fileshares. User account details weren't compromised at the time.


  • Posts: 0 [Deleted User]


    Got the email too. Only problem is I can't remember when I signed up to Ubisoft. Not sure what password I used, so don't know what other websites (if any) I used it on.

    Most of my accounts on Gmail, PayPal etc. all have very long passwords, randomly generated, and 2 factor auth where available. I'm a bit paranoid when it comes to online security.


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    Yeah I'm just getting an error when I try to change password now. Eh, I'll try again later.


  • Posts: 0 [Deleted User]


    nesf wrote: »
    Yeah I'm just getting an error when I try to change password now. Eh, I'll try again later.
    I was getting a cookie error with Firefox. Just opened it up in Chrome, that worked for me. ;)


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    I was getting a cookie error with Firefox. Just opened it up in Chrome, that worked for me. ;)

    I'm using Chrome. :P


  • Registered Users, Registered Users 2 Posts: 18,899 ✭✭✭✭K.O.Kiki


    I use a 26-character password composed of 4 words and extra numbers/letters.


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    K.O.Kiki wrote: »
    I use a 26-character password composed of 4 words and extra numbers/letters.

    Ubisoft only leave you use 16. Though honestly, 16 random digits is, right now, unreasonable to crack even using a supercomputer.


  • Registered Users, Registered Users 2 Posts: 2,894 ✭✭✭Nolars


    The only reason I am on ****y uplay is cause I got 2 free games with my gpu.


  • Registered Users, Registered Users 2 Posts: 18,899 ✭✭✭✭K.O.Kiki


    nesf wrote: »
    Ubisoft only leave you use 16. Though honestly, 16 random digits is, right now, unreasonable to crack even using a supercomputer.
    Think again!
    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/2/
    :pac:


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    K.O.Kiki wrote: »

    Brute forcing 16 random digits is impossible right now. That article is talking about non-random passwords with human patterns in them, like words, numbers at the end, passphrases and so on.

    If you wanted to brute force "843%X[Q<c:)L9g@P" at a rate of 4 billion combinations per second (a fairly powerful desktop machine) you're talking about it taking you 412 trillion years. There is no pattern in this password you can use to solve it faster.

    Something like "HappyLittleBoys1" even though it's the same length could be solved with a mask attack.


  • Registered Users, Registered Users 2 Posts: 13,084 ✭✭✭✭Kirby


    nesf wrote: »
    "843%X[Q<c:)L9g@P"

    :eek: How did you know my password?


  • Closed Accounts Posts: 12,452 ✭✭✭✭The_Valeyard


    I wasn't as sexy as a kid as you were.


    Wha?




    But if this was one year to the day that the last hack happened, was probably some sort of anniversary attack by the hackers.

    Annoying though.


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    Kirby wrote: »
    :eek: How did you know my password?

    It's on a post-it on your desk. Also, you might want to turn off your webcam.


  • Banned (with Prison Access) Posts: 21,634 ✭✭✭✭Richard Dower


    yet more reasons not to.......


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    Ok, I tried again this morning and kept getting the same error. For a laugh I decreased it from 16 to 14 random digits, worked fine. Really, Ubisoft are not impressing me at all.


  • Moderators, Category Moderators, Computer Games Moderators, Society & Culture Moderators Posts: 8,637 CMod ✭✭✭✭Sierra Oscar


    nesf wrote: »
    Ubisoft only leave you use 16. Though honestly, 16 random digits is, right now, unreasonable to crack even using a supercomputer.

    Out of interest, what number of random digits would be considered 'robust' for a password these days?


  • Registered Users, Registered Users 2 Posts: 6,710 ✭✭✭Monotype


    You'd want a minimum of 8. That's 208 billion combinations if you're just using lower case. 1000 times the combinations when using upper case and numbers.
    A good way to generate seemingly random passwords is to use the first letter of the words of a song or phrase.
    Mary Had A Little Lamb Fleece As White As Snow - MHALLFAWAS.
    Now, if you can throw in a few upper and lower cases (e.g., nouns, start or end of line) as well as substitute some symbols, if the system supports it.


  • Moderators, Social & Fun Moderators Posts: 28,633 Mod ✭✭✭✭Shiminay


    I picked up an app called mSecure for my phone as a password vault and it's been serving me well. It'll generate passwords for me too that are complete random gibberish with as many characters as I want. They have a Windows version too that I found myself looking at after this Ubisoft notification and you can synch your stuff via an encrypted file in Dropbox which seems convenient.


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    Out of interest, what number of random digits would be considered 'robust' for a password these days?

    Define robust. Crackers normally want around 90% of the passwords, what's "robust" is being in that 10% that's too much of a bitch to crack to be worth the effort.

    With random digits you're talking about solving a password space, i.e. going through all possible variations, so totally solving a 6 digit password is fairly trivial; any modern PC with a decent GPU could do it in seconds. Every digit beyond that multiplies the time involved. This increases near vertically on a graph if you plot it out for the entire ASCII keyspace. I've seen 12 digits being touted as robust enough for almost any need. Some examples of numbers of combinations:

    (Assuming a 50,000 word list being used for passphrases): the formula for those interested is (n + k - 1 | k) rather than the (n | k) you may have seen in school, this works out as (n - k - 1)!/((n-1)!k!) You can solve these kinds of equations with Wolfram Alpha.

    4 word passphrase: 2.6 × 10^17
    5 word passphrase: 2.6 × 10^21
    6 random digits: 6.8 × 10^9
    10 random digits: 4.5 × 10^14
    16 random digits: 6.1 × 10^20

    Assuming a solving speed of 1 x 10^11 (100 billion) combinations a second (super computer speed) and in brackets a speed of 1 x 10^9 (1 billion) which would be more in line with a home computer:

    4 word passphrase: 30 days 2 hours 13 minutes 20 seconds (98.93 months)
    5 word passphrase: 823.9 years (82,391 years)
    6 random digits: less than a second (less than 7 seconds)
    10 random digits: 1.25 hours (5 days 5 hours)
    16 random digits: 193.3 years (19,330 years)

    You can see why 5 word passphrases and 16 digit passwords are so recommended. A 12 digit password has 10^16 combinations which turns those 5 days into 500, making it unreasonable for cracking with a home PC.
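
The arithmetic in the post above, as an added example that is not part of the thread: it reproduces the post's combination counts with the C(n + k - 1, k) formula the post quotes and, going one step further, also computes the ordered count n^k, which is the space an exhaustive search covers when the order of characters or words matters. The 128-symbol alphabet is an assumption inferred from the post's "entire ASCII keyspace" and its 6-character figure; all function names are illustrative.

```python
"""Search-space arithmetic for the password and passphrase cases in the post."""
from math import comb, log2

SECONDS_PER_YEAR = 31_557_600  # 365.25 days

# (label, symbols n, length k). n = 128 is an assumption inferred from the
# post's "entire ASCII keyspace"; 50,000 is the word-list size the post states.
CASES = [
    ("4 word passphrase", 50_000, 4),
    ("5 word passphrase", 50_000, 5),
    ("6 random characters", 128, 6),
    ("10 random characters", 128, 10),
    ("16 random characters", 128, 16),
]


def multiset_count(n, k):
    """Unordered picks with repetition, C(n + k - 1, k): the formula the post quotes."""
    return comb(n + k - 1, k)


def ordered_count(n, k):
    """Ordered strings of length k over n symbols: n**k candidates to enumerate."""
    return n ** k


def format_duration(seconds):
    """Render a duration in whole seconds as years/days or days/hours/minutes/seconds."""
    seconds = int(seconds)
    if seconds < 1:
        return "less than a second"
    years, rem = divmod(seconds, SECONDS_PER_YEAR)
    days, rem = divmod(rem, 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    if years:
        return f"{years:,}y {days}d"
    return f"{days}d {hours}h {minutes}m {secs}s"


def table(guesses_per_second):
    """One row per case: both counts, entropy in bits, and time to exhaust each space."""
    rows = []
    for label, n, k in CASES:
        unordered = multiset_count(n, k)
        ordered = ordered_count(n, k)
        rows.append({
            "case": label,
            "multiset": unordered,
            "ordered": ordered,
            "bits": log2(ordered),  # entropy of a uniformly random choice
            "time_multiset": format_duration(unordered / guesses_per_second),
            "time_ordered": format_duration(ordered / guesses_per_second),
        })
    return rows


if __name__ == "__main__":
    for rate in (1e11, 1e9):  # the two guessing speeds the post assumes
        print(f"\n{rate:.0e} guesses per second")
        for row in table(rate):
            print(f"{row['case']:<22} C(n+k-1,k)={row['multiset']:.1e} "
                  f"({row['time_multiset']})  n^k={row['ordered']:.1e} "
                  f"({row['time_ordered']})  {row['bits']:.0f} bits")
```

Times are for exhausting the whole space; on average a search finds a uniformly random secret after covering half of it.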


  • Posts: 11,331 [Deleted User]


    some say it's just pr for watch dogs


  • Closed Accounts Posts: 1,467 ✭✭✭McSasquatch


    Using Last Pass myself. Worth it for the hassle it saves, let alone the peace of mind it gives.


  • Registered Users, Registered Users 2 Posts: 3,192 ✭✭✭uncle_sam_ie


    I'm running out of passwords and starting to forget others... :(

    You need a good password manager like Lastpass, https://lastpass.com
    Every one of my login sites has a unique strong password that lastpass will generate.
    A security expert explains why he trusts it.
    Skip to 1:12:00 https://www.youtube.com/v/r9Q_anb7pwg&enablejsapi=1&playerapiid=r9Q_anb7pwg

    Also,
    Here is a good read on security, https://www.guildwars2.com/en/news/mike-obrien-on-account-security/


  • Registered Users, Registered Users 2 Posts: 27,644 ✭✭✭✭nesf


    You need a good password manager like Lastpass, https://lastpass.com
    Every one of my login sites has a unique strong password that lastpass will generate.

    Here is a good read on security, https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

    I've used 1Password for years. It has some useful features.


  • Registered Users, Registered Users 2 Posts: 14,464 ✭✭✭✭Potential-Monke


    You need a good password manager like Lastpass, https://lastpass.com
    Every one of my login sites has a unique strong password that lastpass will generate.
    A security expert explains why he trusts it.
    Skip to 1:12:00 https://www.youtube.com/v/r9Q_anb7pwg&enablejsapi=1&playerapiid=r9Q_anb7pwg

    Also,
    Here is a good read on security, https://www.guildwars2.com/en/news/mike-obrien-on-account-security/

    Right, time to download and get this baby working! Much difference between the free and paid?


  • Registered Users, Registered Users 2 Posts: 3,192 ✭✭✭uncle_sam_ie


    Right, time to download and get this baby working! Much difference between the free and paid?

    With the paid you get mobile device features. The free version is fine.


  • Registered Users, Registered Users 2 Posts: 921 ✭✭✭delta36


    Well this was annoying to hear about, and the problem is I have no idea what my original Ubisoft password was, so no idea if it's something I used on other sites.

    But like other people have said, there's always going to be a risk of an online service being hacked, and at least they came out and announced it immediately, rather than going the Sony route of leaving it a month before telling people their passwords may have been compromised.

    In terms of password security, I do recall reading somewhere in the last few days (can't seem to find the article), that a password with special characters in it is harder to crack than a password with only letters and numbers in it, something to do with the fact that the keyspace of special characters is larger, and takes longer to process..or something. Anyway, here's a free password for anyone who wants it: !"£$%^&*(*&^%$£"£%^& :P


  • Registered Users, Registered Users 2 Posts: 3,192 ✭✭✭uncle_sam_ie


    delta36 wrote: »
    In terms of password security, I do recall reading somewhere in the last few days (can't seem to find the article), that a password with special characters in it is harder to crack than a password with only letters and numbers in it, something to do with the fact that the keyspace of special characters is larger, and takes longer to process..or something. Anyway, here's a free password for anyone who wants it: !"£$%^&*(*&^%$£"£%^& :P

    The thinking that you only need a strong password is where people are getting into trouble.

    From the article I linked above,

    "Most of the security advice we've all seen through the years has focused on how to choose a strong password. You might therefore think that the primary way hackers break into accounts is by preying on accounts with weak passwords, perhaps scanning every word in the dictionary looking for matches. That’s rarely the case.
    The basic truth is this: hackers steal game accounts because they already know the account name and password. They know them because they stole them (via security breaches or spyware) from another game or site where the person used the same account name and password.
    So unfortunately, if the lesson you've learned from security advice through the years is to pick a single complicated password, memorize it, and then use it everywhere, that’s exactly the wrong lesson for today’s security environment. To keep accounts on different sites secure in today’s environment, you need to use a unique password for each account."

    Also,
    "They’re not guessing or brute-forcing passwords; they’re trying a very specific account name and password for each attempt. For example, account name “joe.user@example.com”, password “alligator101”. If they don’t get a match immediately, they may try a variant like “alligator100” or “alligator102”, then they quickly move on to the next entry on their list. And it’s interesting to see that the passwords on these lists are mostly quite good passwords. For every one account on the hackers’ lists with a password like “twilight” (real example, ಠ_ಠ), there are dozens of accounts with good strong passwords. So the world at large clearly knows how to pick good passwords; the reason people are still getting hacked is because they use the same passwords on multiple sites."


  • Registered Users, Registered Users 2 Posts: 18,899 ✭✭✭✭K.O.Kiki


    The thinking that you only need a strong password is where people are getting into trouble.

    From the article I linked above,

    "Most of the security advice we've all seen through the years has focused on how to choose a strong password. You might therefore think that the primary way hackers break into accounts is by preying on accounts with weak passwords, perhaps scanning every word in the dictionary looking for matches. That’s rarely the case.
    The basic truth is this: hackers steal game accounts because they already know the account name and password. They know them because they stole them (via security breaches or spyware) from another game or site where the person used the same account name and password.
    So unfortunately, if the lesson you've learned from security advice through the years is to pick a single complicated password, memorize it, and then use it everywhere, that’s exactly the wrong lesson for today’s security environment. To keep accounts on different sites secure in today’s environment, you need to use a unique password for each account."

    Also,
    "They’re not guessing or brute-forcing passwords; they’re trying a very specific account name and password for each attempt. For example, account name “joe.user@example.com”, password “alligator101”. If they don’t get a match immediately, they may try a variant like “alligator100” or “alligator102”, then they quickly move on to the next entry on their list. And it’s interesting to see that the passwords on these lists are mostly quite good passwords. For every one account on the hackers’ lists with a password like “twilight” (real example, ಠ_ಠ), there are dozens of accounts with good strong passwords. So the world at large clearly knows how to pick good passwords; the reason people are still getting hacked is because they use the same passwords on multiple sites."
    Hmm, guess it's time for me to rethink my password creations.

