Ubisoft breached, users asked to reset passwords

If you’re a Ubisoft customer, you probably wondered why you are being asked to reset your password.

Ubisoft is now part of the “big family” of prominent websites that got hacked and lost customer data: LinkedIn, eHarmony, LastFM and others.

In a post called “SECURITY UPDATE REGARDING YOUR UBISOFT ACCOUNT – PLEASE CREATE A NEW PASSWORD” (yes, written in capitals), the French company announced that its systems were breached and that databases containing user names, email addresses and passwords were compromised.


If it is any comfort, the passwords were hashed and no financial data was stored on those servers.

What worries me more is this statement from Ubisoft:

“Passwords are not stored in clear-text but as an obfuscated value. These cannot be reversed but could be cracked, in particular if the password chosen is weak.[...]We also recommend that you change your password on any other Web site or service where you use the same or a similar password.”

This tells me that most probably the passwords were just hashed using an algorithm like MD5. The de facto standard these days is to use SHA-256 and a salt.
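To make the difference concrete, here is an added example (not code from Ubisoft or from the original post) that stores the same constructed accounts as unsalted MD5 and as salted SHA-256. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt and an iteration count of 200,000; the key stretching, the account names and the passwords are choices made for this example, not details from the breach.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, not a figure from the post
# Constructed sample accounts; alice and bob reuse the same weak password.
SAMPLE = {"alice": "summer2013", "bob": "summer2013", "carol": "k9#Vt!q2Lw"}


def unsalted_md5(password: str) -> str:
    """The scheme the post suspects: one fast, unsalted hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; store both values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], expected)


def shared_digest_groups(records: dict[str, str]) -> list[list[str]]:
    """Users whose stored digests are identical, i.e. visibly the same password."""
    groups: dict[str, list[str]] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def demo():
    """Hash SAMPLE both ways and report which accounts share a digest."""
    weak = {user: unsalted_md5(pw) for user, pw in SAMPLE.items()}
    strong = {user: hash_password(pw) for user, pw in SAMPLE.items()}
    strong_hex = {user: digest.hex() for user, (_, digest) in strong.items()}
    return shared_digest_groups(weak), shared_digest_groups(strong_hex), strong


if __name__ == "__main__":
    weak_groups, strong_groups, _ = demo()
    print("unsalted MD5, accounts sharing a digest:", weak_groups)
    print("salted PBKDF2, accounts sharing a digest:", strong_groups)
```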

Even if the exact details of how the hackers got into Ubisoft’s servers are not known, we can safely assume that one of these situations happened:

- the software running on these systems was vulnerable and the criminals exploited the vulnerability which allowed them to get access to the servers.

- the cyber-criminals obtained the login credentials of some Ubisoft employee(s) and used them to get the data.

Through dedicated attacks against employees (social engineering, spear phishing, targeted malware, “water-holing” attacks), computers inside Ubisoft probably got infected and the affected employees had their credentials stolen.

Getting valid credentials is sometimes easier to achieve than exploiting vulnerabilities.

In conclusion, please change your password. And if you were using the same password for multiple accounts, change all of them. Here are tips on how to create good passwords and improve your overall security.

Update: Ubisoft updated the original post a couple of times, and from time to time it showed an error page. If you see that page, you can just go to the forum entry.

 

Sorin Mustaca

IT Security Expert