Ubisoft Hacked, Account Data Compromised

Freshly Exhumed writes "There's a new security breach announcement over at the website of game publisher and developer Ubisoft today. Quoting:: 'We recently found that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems. During this process, we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion. As a result, we are recommending you to change your password by clicking this link.'"

should of killed the DRM system

[Joe_Dragon]

at the same time they got in

Re:should of killed the DRM system

[Anonymous Coward]

Right, because that's how hacking works. After the bright red meter labeled "Accessing Secret Files From Gibson" filled up, they could have just pressed the glowing green button that said "Kill The DRM System". How silly of them to have missed that.

Re:should of killed the DRM system

[Anonymous Coward]

We never had this problem when I was playing Road Rash and Screamer and Doom and Quake and Duke Nukem, because the game publishers never had any personal info of ours to lose in a security breach. You paid your cash for the game, put the CD in, installed, and played.

In the late eighties we got rid of DRM by refusing to buy software with it. Lots of companies went out of business because of DRM. All they had to do was wait for a more gullible and docile generation to come along and bring it back.

DRM is the biggest reason I stopped gaming (that, and none of the new games were as good as the old ones, even if the artwork was better). I wonder how many other customers DRM has cost these morons? Keep shooting, ubisoft, you have more feet and bullets left.

Re:should of killed the DRM system

[ArcadeMan]

To see my reply, please enter the 3rd word of the 7th paragraph on page 12 of your game book.

Re:

[gl4ss]

To see my reply, please enter the 3rd word of the 7th paragraph on page 12 of your game book.

well.. you just had to have the manual in your hands once or be able to call someone with the manual once. unless you upgraded the cpu/mobo.
why? who the fuck gave a shit about if the date was correct on the machine(so the game always asked the same question..).

nowadays though, a read the manual copyprotection would be a refreshing change - or even a silly usb dongle. at least you could sell it.

Re:

[TheCycoONE]

I guess we lived in different 80s. The way I remember it there was a random list of things to look up and they had to be entered every game. I also remember on my Commodore 64 that most commercial game disks wouldn't copy (without hacking tools to copy bad sectors etc.), and wouldn't work on drives other than the 1541 because they relied on particular idiosyncrasies in that drive to enforce their protection.

The only reason they didn't make you connect to their servers is that modems weren't common.

Re:

[ArcadeMan]

You had to do that every time you started the game.

note to Slashdot: why is the <strong> tag filtered out but <b> is recognized? We're in 2013, not 2003.

Re:

[Khyber]

"note to Slashdot: why is the tag filtered out but is recognized? We're in 2013, not 2003."

It's called code optimization. Why use so many symbols and characters for a command when you can use fewer?
This is 2013, code optimization and reduction is ESSENTIAL and EFFICIENT.

Re:

[ArcadeMan]

The "b" tag has been deprecated in favour of "strong". It's about putting structure and meaning on your content, not making text "bold".

Re:

[styrotech]

The "b" tag has been deprecated in favour of "strong". It's about putting structure and meaning on your content, not making text "bold".

Not so fast... HTML5 has brought back <b> and it has a new semantic purpose.

For the first time Slashdot is now at the cutting edge! Without having to do anything either (ok ok they did change the doctype).

Re:

[Medievalist]

Hmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.

Re:

[Khyber]

"well.. you just had to have the manual in your hands once or be able to call someone with the manual once."

Wrong, The Colonel's Bequest required you to identify a fingerprint every time you loaded a game. Wolfenstein3D would ask you about things like the number of eyelets Blazkowitz's boots. Leisure Suit Larry had a type of DRM to prove you were an adult and not a teenager playing the game - by asking questions only adults of that time would know (and kids wouldn't have likely learned in history books, yet

Re:

[dwye]

Leisure Suit Larry had a type of DRM to prove you were an adult and not a teenager playing the game - by asking questions only adults of that time would know (and kids wouldn't have likely learned in history books, yet.)

And no one ever talked to their parents or grandparents? Or older siblings, for that matter? What were these uqestions, anyway?

Re:

[Khyber]

http://www.allowe.com/games/larry/tips-manuals/lsl1-age-quiz.html [allowe.com]

There's your questions for at least the first one. The VGA reboot and LSL3 questions are also listed on the right side.

Prime Examples:

O. J. Simpson is
a. an R & B singer.
b. under indictment.
c. embarrassed by his first name (Olivia).
d. no one to fool with.

(At the time, answer was D. Rather prophetic question and answer choice, though!)

The germ that transmits syphilis is
a. Spiro Agnew.
b. Spirochete.
c. Spirograph.
d. Barbarella.

(Answer C)

Re:

[Yer Mom]

nowadays though, a read the manual copyprotection would be a refreshing change

Nowadays, getting a printed manual would be a refreshing change.

Even with console games, you're lucky to get a list of controls, with the rest of the docs appearing as in-game tutorials. Most of the booklet is dire warnings about copyright infringement, health warnings and other legal CYA.

Re:

[steelfood]

Book? You're so 1980's.

It's now a PDF.

Re:

[AK Marc]

Yes, I scanned mine to PDF, but had to so so at a cost, as the black ink on red would only show if you scanned it on a color scanner, and even then inconsistently. I couldn't even read the book as a human in low-light gaming conditions.

Re: should of killed the DRM system

[jd2112]

...and have your original game CD mounted in drive D:, (your CD drive isnt maped to D:? though s#$@.) and verify you have a working Internet connection to our authentication servers. And make sure the key dongle is plugged into a USB port. And bend over and be scanned by our full penetration rectal biometric scanner. ..

Re:

[Pi Is A Rational]

The worst was the AD&D games that required that goofy wheel.

Re:

[SuiteSisterMary]

Lux, sestnik, samosud.

Re:

[Pi Is A Rational]

It's quite possible they did this to save space on those 360KB 5.25s as well.

Re:should of killed the DRM system

[g0bshiTe]

I for one enjoy my non-purchased DRM bypassed games!

Re:

[AK Marc]

Prison guards at Auschwitz don't deserve to be employed. Yes, when people do evil, even on someone else's orders, they are worse for it. And why does a programmer "deserve" a job? There are plenty of unemployed people who would love to have one of those "deserved" jobs.

steam seems to be the best no Always on

[Joe_Dragon]

Always on seems like over kill when X time checks can work just as good.

Re:

[Crudely_Indecent]

Maybe they "should've" or "should have", but they never "should of"

Re:

[nigelo]

He only said it on accident.

Re:

[jones_supa]

Actually, "should of" has been clearly gaining popularity lately for some reason.

Re:

[webmistressrachel]

Do you pray that one day, just one day, your program will compile and it will happen on the same day, or are you praying for someone else to do it?

You do realise that praying won't help you one bit, right?

Re:

[flonker]

The point is to minimize the amount of information you actually have. You don't need to know the password itself, you only need to know that they know the password. So, you store just enough information to be able to check that the person attempting to log in knows the password.

Re:

[dos1]

Hashing is not an encryption. I think that's what that comment was about, just in ambiguously sarcastic way.

Re:

[Sir_Sri]

That would be a hash of the password rather than the encrypted password, although that may be what they mean and they're using sloppy language. (Encrypting it could work the same way, but then you still just have the password in another form).

I think the question was more 'why weren't usernames and e-mails encrypted' and the answer is probably that they're part of a searchable 'find friends' type database.

Re:

[uberbrainchild]

I wish they told us how they were hashed and if they used a salt so that we might get an idea of how many minutes we have to change the password on any accounts with the same password. Luckily for me though I have different pws for almost everything. Maybe this will promt them to make uplay better... I remember when I tried the Heroes game and got tired of playing once the multiplayer games stopped syncing and it became unplayable. Eh, I was just as disappointed with Sim City 5... board games tend to work

Re:

[Kongming]

While we should be able to assume that the hashes were salted, there have been other breaches in the past year in which the exposed password hashes were not salted. A quick web search turned up drupal.org and LinkedIn. Also, many other companies, like Sony, specified when they disclosed their breach that the password hashes were salted. As Ubisoft did not opt to specify and have not responded to the question anywhere as of yet, I am operating under the assumption that they did not, in fact, salt their passw

Re:

[gaspyy]

According to an article on Ars Technica [arstechnica.com], salted hashes are no longer relevant - they are cracking the hashes anyway without using rainbow tables. Using SHA256 instead of MD5 has more benefits in this regard than salted vs. unsalted.

Re:

[Wootery]

The ever-unpopular Steve Gibson covered [grc.com] this, saying the solution is memory-hard hashing.

(Ctrl+f for "simplified".)

Re:

[WuphonsReach]

That article is not an argument for not using salted hashes. Just because salt doesn't help prevent brute-force attacks, doesn't mean that salting is worthless. If nobody bothered to salt hashes, rainbow tables would become common again. (The reason nobody uses rainbow tables these days is because most lists are salted, rendering the rainbow table ineffective.)

Unfortunately, using hashes that take longer to calculate just moves the problem forward a few years.

Re:

[Chas]

So they have a name and an e-mail.

If they don't have the password, they have to spend a lot of time trying to crack the encrypted password. Giving the legitimate user plenty of time to change said password.

Re:The point?

[Sir_Sri]

Plenty of time, as less than an hour after the hack occurred, for ~60% of users.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Re:

[afidel]

Only if they aren't salted.

Re:

[TheCycoONE]

Weak case: MD5 is known to be insecure (very vulnerable to collision attacks), and presuming it was secure, this unsalted list of passwords was vulnerable to a rainbow attack. Similarly a short salt is still vulnerable to a rainbow attack. I understand that bcrypt and sha512 are popular these days. I personally like my salt to be the same length as the resulting hash and of course different for each password - I think this makes a rainbow list attack as complex as the birthday attack on average.

Re:

[BlueMonk]

I think there's a little bit of disconnect between the people asking this question and the people answering this question. I think the people asking the question are wondering "Why encrypt the piece of information that lets you get at the rest of the information if the rest of the information is right there plain as day?" and the people answering the question are explaining, "passwords use one way encryption so they can't easily be hacked." Yes, one important reason for encrypting the password is to allow s

Re:

[Anonymous Coward]

Of course leave out the link. Email is plain text, not HTML.
If I get an email from somewhere I have an account, I know how to get to the site.

Re:

[Sir_Sri]

That's nearly what I did (delete it on sight). Their main page at ubisoft.com needs to have a message about this rather than just a 'under maintenance' type message.

Assume Everything is Compromised

[Kagato]

These days computers and cypto Technics are powerful enough that they will likely have a 85% success rate at resolving the hashes. Even if salted.

Re:

[Ectospheno]

Which is why unique is the most important quality of a password. People that did that are yawning while they change this one password and go about their day.

Re:

[Kagato]

Too bad you can't get 1Pass for a game console.

Wish their net security was as good as their DRM..

[Anonymous Coward]

Ironic that their DRM seems to be more secure than their servers...

Great job there, UbiSoft

[Anonymous Coward]

I never wanted to sign up for your crappy service in the first place, but was forced to just so I could play a game I already legally purchased.

Fuck you, UbiSoft!

Re:

[Elijha]

I had an alert from itunes that my account had downloaded a free game from an international IP on the weekend.and to reset the password if it wasn't me... I had used the same old password on both I'm pretty sure (though I setup a Ubi Soft account only as I needed to play a game years ago).

Seems legit.

[ernest.cunningham]

You account details have been hacked.....click this link to reset your password.
Seems legit!

Re:

[Inda]

I thought the same.

The blurb is missing one part of the email. The email started "Dear member". What? You don't even know my username?

So I clicked the link, changed my password to a keyboard mash of 16 characters, which wasn't secure enough according to the security experts known as Ubisoft. So I changed it again to include two numbers and now it's forgotten forever.

Fuck you Ubisoft.

Re:

[account_deleted]

Comment removed based on user account deletion

More security issues

[postglock]

What's even worse is that Ubisoft sent a plain-text email to everyone that incorporates a link to reset your password. Click on the link, and you are taken to a form where you can reset your password. The thing is, this form doesn't even require you to enter your old password. So, if anyone got their hands on this email, they have immediate access to you account anyway! Ubisoft started with a bad situation and made it a lot worse!

Re:

[HTMLSpinnr]

gMail flagged Ubisoft's email as spam and potentially bogus. I wonder how many people will think it's just another phishing attempt and ignore it now.

I actually read the source of the email to confirm the embedded links were legitimate before marking it as "Not Phishing".

Really sucks for Ubisoft that their notification system will go unheard by many GMail users!

Don't Care

[CanHasDIY]

Only signed up with Ubi so I could play a new game I had purchased.

No important info (CC number, real name, real email) associated with the account.

Don't care.

Re:

[bonehead]

Why?

It's not that hard to check where the link actually points to and determine whether it's legit or not.

The actual e-mail for reference

[jones_supa]

Security update regarding your Ubisoft account
- please create a new password

Dear Member,

We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

As a result, we are recommending that you change the password for your account: <account name>

To enter your new password, click the link below: https://secure.ubi.com/register/ResetPassword.aspx [ubi.com]?...

Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.

You can find more information here https://support.ubi.com/en-GB/FAQ.aspx?platformid=60&brandid=2030&productid=3888&faqid=kA030000000eYYxCAM [ubi.com].

For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com/ [ubi.com]

We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.

The Ubisoft team

Re:

[neminem]

That last one is the most important.

Unlike an email sent to me a few months ago by a major credit card provider I had a card with, telling me I may have had a card theft, and asking me to click a link to confirm whether or not I had made a particular purchase. The link went to a completely gibberish link that had no obvious connection to the bank in question. It was very obviously a phish.

Turns out, nope, it was totally legitimate, that card *had* been used to make an unauthorized transaction, and that bank

Re:

[AK Marc]

You didn't properly treat it like Schrodinger's email. Trust the info, without trusting the email. It's both legitimate and a pfish at the same time. Your credit card company sends you a "click here" email with a funny address? Call the number on the back of your card, and hit the number for "fraud" (the quickest way to get to a human). If the email is real, then you'll get it taken care of. If it's not legit, they'll listen to your recount of the phish. There's never a reason to click a link in a em

Re:

[neminem]

Right. I agree with everything said completely. My complaint, and it bothered me quite a lot, is that I explained all of that to the bank in question, and they completely didn't even understand at all why I was complaining. *I* know to check whether it was a phishing scam or not by calling the number listed on my card (which, oh by the way, the email also had a number listed that you could call if you had questions... which was not the number on my card, and in fact, wasn't mentioned, as far as I could tell

Re:

[AK Marc]

Well, *they* sent it so it couldn't have been a phish.

Their logic is impeccable, even if wrong. I've received similar from my bank, and it was well worded to encourage people to type in the site, and not to rely on links in emails, even the one sent by them.

Re:

[ArcadeMan]

C'est quoi ça, Lambé ?

Re:

[Arkh89]

C'est le nom d'un quartier de Brest (Lambézelec)...

that guy.. from Watch_Dogs

[Destoo]

I'm pretty sure some guy walking around with a cell phone did it. Aiden Pearce?

Re:

[Briareos]

Nope, John Reese. Or Harold Finch.

Re:

[dwye]

Or The Machine, itself.

Make a different email alias for each company

[ArcadeMan]

I would use ubisoft@arcademan.com for this particular example.

If the company is hacked or sells your email address to spammers, just delete the alias.

Re:

[Vreejack]

You need to establish a valid email address to set up an account.

Re:

[Vreejack]

I see, you meant to use an example of a personal mail server. I was confused by the fact that your example is an unused domain.

How can I get the use of a personal mail server that will actually fool anyone? ubisoft@vreejack.mooo.com is not going to fool anyone who thinks to guess blizzard@vreejack.mooo.com, so while it will help you dodge spam, you will still have to use unique passwords, which is much of the problem.

Re:

[lgw]

Someone might "think to guess blizzard@vreejack.mooo.com" if they have stolen 1 password and are trying to find a use for it. If they have stolen 1 million, they're not even going to try to be clever, since most of them will work without such changes, so they already have more valid email/password pairs than they'll ever be able to use for anything.

Re:

[theskipper]

He was talking about creating that account on your mailserver. Sneakemail or Spamgourmet serves the same purpose. As long as you don't mind your email going through a third party server, it works for most purposes. Just be sensible and don't use it for banking-type accounts.

Re:

[AK Marc]

It's appropriate for all, but understandable by only 5%. I have that set up, and it costs all of $5 a year, and took less than 30 minutes to set up.

Re:

[jones_supa]

If the company is hacked or sells your email address to spammers, just delete the alias.

Additionally, shame the company in public...

Another classic trick you can use is to include a plus sign and some text after your username, i.e. john.doe+ubisoft@example.com. The '+ubisoft' part is ignored when the mail is delivered, but you can still see it in the "To" field.

Why does Ubisoft need to store a password?

[brunes69]

Why do they not use a federated identity system?

Why does ANYONE aside from some key core ID providers (Google, Microsoft, Yahoo, Facebook, OpenID, etc) need to store a password?

When are companies going to stop this madness.... no Ubisoft, I will not be giving you another password to lose thanks.

Re:

[Imagix]

Because when the federated identity system gets broken in the same manner, the attacker doesn't have access to everything you use.

Re:

[megalomaniacs4u]

Because I trust those companies less than idiots like ubisoft?

Re:

[Shados]

Conversion rate on services that force you to create a separate account is impossibly low, unless its Facebook, and that has its own set of problems.

Password reset link for someone else's account

[BerkeleyDude]

I received the email - but I've never had a Ubisoft account. They sent me a password reset link for some other user's account. No wonder they got hacked...

What Ubisoft Does Best

[Somebody Is Using My]

Attempting to log-onto their website, I get the following warning:

For security reasons we recommend that you change your password

and a link to change the password.

Interestingly, there is no option to log-on /without/ changing the password. "Recommend" apparently means "you have no choice" in UbiSpeak.

Unfortunately, since the email address I used to register the account is no longer active, and there is no option to update the email address (since I can't log-on at all) I guess I'm screwed (silly me for not keeping my info up to date on a service I had little interest in joining except that it was forced on me to play a game I had legally purchased).

So, I guess it's par for the course for you guys at Ubisoft; you've screwed me over again. Great job, guys; first you force me to sign up to UPlay in the first place, then you screw up by leaking the log-in info all over the net and now you prevent me from changing my password. Maybe you can block access to the games I paid for as well just to round out the whole experience.

Re:

[FlynnMP3]

Maybe you can block access to the games I paid for as well just to round out the whole experience.

For a complete and positive gaming experience, your wish has been granted.

Joking aside, look closer at the account maintenance terms. There may be an option to completely reset or get rid of the account. Then you can at your option start with new login details. This time make a unique email alias just for UPlay and bogus, but plausible, user details that for all you care can be leaked or broken into. I've also gone as far as having a unique credit card just for online gaming service accounts that insis

Re:

[RollingThunder]

Their site is pretty clearly in "oh SHIT" mode right now, stripped down to barest minimums. I would hope that once things settle down and the more feature-rich site returns, you'll be able to do a recovery along the lines of what you could previously. However, if you didn't set up any other alternative methods of recovery (I can't remember if they had secret questions, etc), then you may be out of luck. Perhaps the returned site will let you log in with the old password and then force the change.

Re:

[sabt-pestnu]

Not to be a dick about it, but...

> Great job, guys; first you force me to sign up to UPlay in order to play your game in the first place, then ...

There was always option E: abstain from giving them money in that first place.

Or better yet, option F: send a politely worded letter describing your decision not to purchase their product, after having purchased previous products from them, because you disagreed with their DRM scheme, and suggesting other ways they might regain your custom while preserving the

Re:

[project-nova]

There is no option to log-on because the current site is a low-traffic fallback site to accomodate the number of users trying to change their password. The whole ubi.com consists of "Change your password" and three YouTube links right now.

The usual site will be up again in a few days, if you want to change your e-mail address, try again then.

This is how it should be done by the way: at least allowing 99% of users to change their password even when the site is getting hammered.

Cookie requirement? C'mon guys.

[Xzzy]

I like how their website tosses up an error saying I "need to enable cookies" even though I do in fact have cookies turned on. Only thing I am blocking is their attempts to track me by including google analytics.. I can use their password change just fine if I use an incognito window (which temporarily disables my plugins).

I suppose the original fault lies with me for creating an account with these goofballs.

Re:

[theskipper]

Was wondering about that the other day. I get that message on a lot of sites when I have third-party cookies turned off (usually always), your mention of GA seems related. Guess it's simply a misnomer.

Re:

[Spansh]

Actually this is due to a UK/EU law/requirement that all sites which require users to explicitly be notified (and agree to) any cookies which are not explicitly required for usage of the site (sites which require logins, shopping carts etc are therefore exempt), the site will just work as normal if you don't click on the "I agree" button (which ironically will set another cookie saying you have agreed).

I guess some sites just enabled it for world users rather than dealing with different countries seperately

Once Again...

[Stormy Dragon]

Secure Remote Password protocol is more than a decade old:

http://en.wikipedia.org/wiki/Secure_Remote_Password_protocol [wikipedia.org]

Why aren't more companies using it?

Hackers can't steal passwords if your server doesn't have the passwords to begin with.

Cookies?

[ubrgeek]

You have to accept their site cookies when trying to change your password. Cookies from a site belonging to a compromised system rubs me the wrong way for some reason.