
Ubisoft Hacked, Account Data Compromised

Posted by Soulskill
from the another-one-bites-the-dust dept.
Freshly Exhumed writes "There's a new security breach announcement over at the website of game publisher and developer Ubisoft today. Quoting: 'We recently found that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems. During this process, we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion. As a result, we are recommending you to change your password by clicking this link.'"
This discussion has been archived. No new comments can be posted.

  • by Joe_Dragon (2206452) on Tuesday July 02, 2013 @02:03PM (#44169139)

    at the same time they got in

    • by Anonymous Coward on Tuesday July 02, 2013 @02:20PM (#44169343)

      Right, because that's how hacking works. After the bright red meter labeled "Accessing Secret Files From Gibson" filled up, they could have just pressed the glowing green button that said "Kill The DRM System". How silly of them to have missed that.

    • by Anonymous Coward on Tuesday July 02, 2013 @02:26PM (#44169419)

      We never had this problem when I was playing Road Rash and Screamer and Doom and Quake and Duke Nukem, because the game publishers never had any personal info of ours to lose in a security breach. You paid your cash for the game, put the CD in, installed, and played.

      In the late eighties we got rid of DRM by refusing to buy software with it. Lots of companies went out of business because of DRM. All they had to do was wait for a more gullible and docile generation to come along and bring it back.

      DRM is the biggest reason I stopped gaming (that, and none of the new games were as good as the old ones, even if the artwork was better). I wonder how many other customers DRM has cost these morons? Keep shooting, ubisoft, you have more feet and bullets left.

      • by ArcadeMan (2766669) on Tuesday July 02, 2013 @02:43PM (#44169615)

        To see my reply, please enter the 3rd word of the 7th paragraph on page 12 of your game book.

        • by gl4ss (559668)

          To see my reply, please enter the 3rd word of the 7th paragraph on page 12 of your game book.

          well.. you just had to have the manual in your hands once or be able to call someone with the manual once. unless you upgraded the cpu/mobo.
          why? who the fuck gave a shit about if the date was correct on the machine(so the game always asked the same question..).

          nowadays though, a read the manual copyprotection would be a refreshing change - or even a silly usb dongle. at least you could sell it.

          • Re: (Score:3, Insightful)

            by TheCycoONE (913189)

            I guess we lived in different 80s. The way I remember it there was a random list of things to look up and they had to be entered every game. I also remember on my Commodore 64 that most commercial game disks wouldn't copy (without hacking tools to copy bad sectors etc.), and wouldn't work on drives other than the 1541 because they relied on particular idiosyncrasies in that drive to enforce their protection.

            The only reason they didn't make you connect to their servers is that modems weren't common.

          • You had to do that every time you started the game.

            note to Slashdot: why is the <strong> tag filtered out but <b> is recognized? We're in 2013, not 2003.

            • by Khyber (864651)

              "note to Slashdot: why is the <strong> tag filtered out but <b> is recognized? We're in 2013, not 2003."

              It's called code optimization. Why use so many symbols and characters for a command when you can use fewer?
              This is 2013, code optimization and reduction is ESSENTIAL and EFFICIENT.

              • The "b" tag has been deprecated in favour of "strong". It's about putting structure and meaning on your content, not making text "bold".

                • by styrotech (136124)

                  The "b" tag has been deprecated in favour of "strong". It's about putting structure and meaning on your content, not making text "bold".

                  Not so fast... HTML5 has brought back <b> and it has a new semantic purpose.

                  For the first time Slashdot is now at the cutting edge! Without having to do anything either (ok ok they did change the doctype).

          • by Khyber (864651)

            "well.. you just had to have the manual in your hands once or be able to call someone with the manual once."

            Wrong, The Colonel's Bequest required you to identify a fingerprint every time you loaded a game. Wolfenstein3D would ask you about things like the number of eyelets on Blazkowitz's boots. Leisure Suit Larry had a type of DRM to prove you were an adult and not a teenager playing the game - by asking questions only adults of that time would know (and kids wouldn't have likely learned in history books, yet

            • by dwye (1127395)

              Leisure Suit Larry had a type of DRM to prove you were an adult and not a teenager playing the game - by asking questions only adults of that time would know (and kids wouldn't have likely learned in history books, yet.)

              And no one ever talked to their parents or grandparents? Or older siblings, for that matter? What were these questions, anyway?

              • by Khyber (864651)

                http://www.allowe.com/games/larry/tips-manuals/lsl1-age-quiz.html [allowe.com]

                There's your questions for at least the first one. The VGA reboot and LSL3 questions are also listed on the right side.

                Prime Examples:

                O. J. Simpson is
                a. an R & B singer.
                b. under indictment.
                c. embarrassed by his first name (Olivia).
                d. no one to fool with.

                (At the time, answer was D. Rather prophetic question and answer choice, though!)

                The germ that transmits syphilis is
                a. Spiro Agnew.
                b. Spirochete.
                c. Spirograph.
                d. Barbarella.

                (Answer C)

          • by Yer Mom (78107)

            nowadays though, a read the manual copyprotection would be a refreshing change

            Nowadays, getting a printed manual would be a refreshing change.

            Even with console games, you're lucky to get a list of controls, with the rest of the docs appearing as in-game tutorials. Most of the booklet is dire warnings about copyright infringement, health warnings and other legal CYA.

        • by steelfood (895457)

          Book? You're so 1980's.

          It's now a PDF.

          • by AK Marc (707885)
            Yes, I scanned mine to PDF, but had to do so at a cost, as the black ink on red would only show if you scanned it on a color scanner, and even then inconsistently. I couldn't even read the book as a human in low-light gaming conditions.
        • ...and have your original game CD mounted in drive D:, (your CD drive isn't mapped to D:? tough s#$@.) and verify you have a working Internet connection to our authentication servers. And make sure the key dongle is plugged into a USB port. And bend over and be scanned by our full penetration rectal biometric scanner. ..
        • The worst was the AD&D games that required that goofy wheel.
      • by g0bshiTe (596213) on Tuesday July 02, 2013 @03:01PM (#44169785)
        I for one enjoy my non-purchased DRM bypassed games!
    • Maybe they "should've" or "should have", but they never "should of"

  • These days computers and crypto techniques are powerful enough that they will likely have an 85% success rate at resolving the hashes. Even if salted.

    • Which is why unique is the most important quality of a password. People that did that are yawning while they change this one password and go about their day.
  • Ironic that their DRM seems to be more secure than their servers...

  • by Anonymous Coward on Tuesday July 02, 2013 @02:18PM (#44169311)

    I never wanted to sign up for your crappy service in the first place, but was forced to just so I could play a game I already legally purchased.

    Fuck you, UbiSoft!

    • by Elijha (2805781)
      I had an alert from iTunes that my account had downloaded a free game from an international IP on the weekend and to reset the password if it wasn't me... I had used the same old password on both I'm pretty sure (though I setup a Ubi Soft account only as I needed to play a game years ago).
  • by ernest.cunningham (972490) on Tuesday July 02, 2013 @02:25PM (#44169411) Homepage

    You account details have been hacked.....click this link to reset your password.
    Seems legit!

    • by Inda (580031)
      I thought the same.

      The blurb is missing one part of the email. The email started "Dear member". What? You don't even know my username?

      So I clicked the link, changed my password to a keyboard mash of 16 characters, which wasn't secure enough according to the security experts known as Ubisoft. So I changed it again to include two numbers and now it's forgotten forever.

      Fuck you Ubisoft.
  • gMail flagged Ubisoft's email as spam and potentially bogus. I wonder how many people will think it's just another phishing attempt and ignore it now.

    • What's even worse is that Ubisoft sent a plain-text email to everyone that incorporates a link to reset your password. Click on the link, and you are taken to a form where you can reset your password. The thing is, this form doesn't even require you to enter your old password. So, if anyone got their hands on this email, they have immediate access to your account anyway! Ubisoft started with a bad situation and made it a lot worse!
    • gMail flagged Ubisoft's email as spam and potentially bogus. I wonder how many people will think it's just another phishing attempt and ignore it now.

      I actually read the source of the email to confirm the embedded links were legitimate before marking it as "Not Phishing".

      Really sucks for Ubisoft that their notification system will go unheard by many GMail users!

  • Only signed up with Ubi so I could play a new game I had purchased.

    No important info (CC number, real name, real email) associated with the account.

    Don't care.

  • I'm pretty sure some guy walking around with a cell phone did it. Aiden Pearce?

  • I would use ubisoft@arcademan.com for this particular example.

    If the company is hacked or sells your email address to spammers, just delete the alias.

    • by Vreejack (68778)

      You need to establish a valid email address to set up an account.

      • by Vreejack (68778)

        I see, you meant to use an example of a personal mail server. I was confused by the fact that your example is an unused domain.

        How can I get the use of a personal mail server that will actually fool anyone? ubisoft@vreejack.mooo.com is not going to fool anyone who thinks to guess blizzard@vreejack.mooo.com, so while it will help you dodge spam, you will still have to use unique passwords, which is much of the problem.

        • by lgw (121541)

          Someone might "think to guess blizzard@vreejack.mooo.com" if they have stolen 1 password and are trying to find a use for it. If they have stolen 1 million, they're not even going to try to be clever, since most of them will work without such changes, so they already have more valid email/password pairs than they'll ever be able to use for anything.

      • He was talking about creating that account on your mailserver. Sneakemail or Spamgourmet serves the same purpose. As long as you don't mind your email going through a third party server, it works for most purposes. Just be sensible and don't use it for banking-type accounts.

    • If the company is hacked or sells your email address to spammers, just delete the alias.

      Additionally, shame the company in public...

      Another classic trick you can use is to include a plus sign and some text after your username, i.e. john.doe+ubisoft@example.com. The '+ubisoft' part is ignored when the mail is delivered, but you can still see it in the "To" field.

  • Why do they not use a federated identity system?

    Why does ANYONE aside from some key core ID providers (Google, Microsoft, Yahoo, Facebook, OpenID, etc) need to store a password?

    When are companies going to stop this madness.... no Ubisoft, I will not be giving you another password to lose thanks.

    • by Imagix (695350)
      Because when the federated identity system gets broken in the same manner, the attacker doesn't have access to everything you use.
    • Because I trust those companies less than idiots like ubisoft?

    • by Shados (741919)

      Conversion rate on services that force you to create a separate account is impossibly low, unless it's Facebook, and that has its own set of problems.

  • I received the email - but I've never had a Ubisoft account. They sent me a password reset link for some other user's account. No wonder they got hacked...
  • by Somebody Is Using My (985418) on Tuesday July 02, 2013 @03:17PM (#44169945) Homepage

    Attempting to log-onto their website, I get the following warning:

    For security reasons we recommend that you change your password

    and a link to change the password.

    Interestingly, there is no option to log-on /without/ changing the password. "Recommend" apparently means "you have no choice" in UbiSpeak.

    Unfortunately, since the email address I used to register the account is no longer active, and there is no option to update the email address (since I can't log-on at all) I guess I'm screwed (silly me for not keeping my info up to date on a service I had little interest in joining except that it was forced on me to play a game I had legally purchased).

    So, I guess it's par for the course for you guys at Ubisoft; you've screwed me over again. Great job, guys; first you force me to sign up to UPlay in the first place, then you screw up by leaking the log-in info all over the net and now you prevent me from changing my password. Maybe you can block access to the games I paid for as well just to round out the whole experience.

    • by FlynnMP3 (33498)

      Maybe you can block access to the games I paid for as well just to round out the whole experience.

      For a complete and positive gaming experience, your wish has been granted.

      Joking aside, look closer at the account maintenance terms. There may be an option to completely reset or get rid of the account. Then you can at your option start with new login details. This time make a unique email alias just for UPlay and bogus, but plausible, user details that for all you care can be leaked or broken into. I've also gone as far as having a unique credit card just for online gaming service accounts that insis

    • Their site is pretty clearly in "oh SHIT" mode right now, stripped down to barest minimums. I would hope that once things settle down and the more feature-rich site returns, you'll be able to do a recovery along the lines of what you could previously. However, if you didn't set up any other alternative methods of recovery (I can't remember if they had secret questions, etc), then you may be out of luck. Perhaps the returned site will let you log in with the old password and then force the change.

    • Not to be a dick about it, but...

      > Great job, guys; first you force me to sign up to UPlay in order to play your game in the first place, then ...

      There was always option E: abstain from giving them money in that first place.

      Or better yet, option F: send a politely worded letter describing your decision not to purchase their product, after having purchased previous products from them, because you disagreed with their DRM scheme, and suggesting other ways they might regain your custom while preserving the

    • There is no option to log-on because the current site is a low-traffic fallback site to accommodate the number of users trying to change their password. The whole ubi.com consists of "Change your password" and three YouTube links right now.

      The usual site will be up again in a few days, if you want to change your e-mail address, try again then.

      This is how it should be done by the way: at least allowing 99% of users to change their password even when the site is getting hammered.

  • by Xzzy (111297) <sether@nOspAM.tru7h.org> on Tuesday July 02, 2013 @03:55PM (#44170275) Homepage

    I like how their website tosses up an error saying I "need to enable cookies" even though I do in fact have cookies turned on. Only thing I am blocking is their attempts to track me by including google analytics.. I can use their password change just fine if I use an incognito window (which temporarily disables my plugins).

    I suppose the original fault lies with me for creating an account with these goofballs.

    • Was wondering about that the other day. I get that message on a lot of sites when I have third-party cookies turned off (usually always), your mention of GA seems related. Guess it's simply a misnomer.

    • by Spansh (219937)

      Actually this is due to a UK/EU law/requirement that all sites which require users to explicitly be notified (and agree to) any cookies which are not explicitly required for usage of the site (sites which require logins, shopping carts etc are therefore exempt), the site will just work as normal if you don't click on the "I agree" button (which ironically will set another cookie saying you have agreed).

      I guess some sites just enabled it for world users rather than dealing with different countries separately

  • Secure Remote Password protocol is more than a decade old:

    http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol [wikipedia.org]

    Why aren't more companies using it?

    Hackers can't steal passwords if your server doesn't have the passwords to begin with.
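
Added example, not part of the comment above or of any vendor's code: a minimal in-process SRP-6a exchange showing what the server stores at enrolment and what it uses at login. It takes the 1024-bit group from RFC 5054 and substitutes SHA-256 for SHA-1; the names `register`, `login` and `derive_x` and the sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054 Appendix A, generator 2 (kept small for brevity).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def H(*parts) -> int:
    """SHA-256 over parts; ints are padded to the byte length of N."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(128, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def derive_x(salt: bytes, user: bytes, password: bytes) -> int:
    """Private value that only someone holding the password can compute."""
    return H(salt, hashlib.sha256(user + b":" + password).digest())

def register(user: bytes, password: bytes) -> dict:
    """Enrolment, computed client-side: this record is all the server keeps."""
    salt = secrets.token_bytes(16)
    return {"user": user, "salt": salt,
            "verifier": pow(g, derive_x(salt, user, password), N)}

def login(record: dict, user: bytes, attempt: bytes) -> bool:
    """Both sides of one exchange, run in-process. True if the proofs match."""
    a = secrets.randbits(256)            # client secret
    A = pow(g, a, N)                     # client -> server: user, A
    b = secrets.randbits(256)            # server secret
    v = record["verifier"]
    B = (k * v + pow(g, b, N)) % N       # server -> client: salt, B
    u = H(A, B)
    if A % N == 0 or B % N == 0 or u == 0:
        return False                     # the protocol requires aborting here
    # Client side: needs the typed password, and never sends it.
    x = derive_x(record["salt"], user, attempt)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: needs only the stored verifier.
    s_server = pow(A * pow(v, u, N) % N, b, N)
    m_client = H(A, B, s_client).to_bytes(32, "big")  # client -> server: proof
    m_server = H(A, B, s_server).to_bytes(32, "big")
    return hmac.compare_digest(m_client, m_server)

if __name__ == "__main__":
    rec = register(b"alice", b"constructed sample passphrase")  # constructed input
    print(login(rec, b"alice", b"constructed sample passphrase"))
    print(login(rec, b"alice", b"wrong guess"))
```

The stored verifier is not the password, but a stolen verifier table still lets an attacker test guesses offline, so password strength and uniqueness keep mattering.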

  • You have to accept their site cookies when trying to change your password. Cookies from a site belonging to a compromised system rubs me the wrong way for some reason.
