Ubisoft breached, asks customers to reset passwords

Summary: A recent successful breach of Ubisoft's systems appears to be anything but a game.

Ubisoft is urging its customers to reset their account passwords after discovering that its systems were breached by an unknown attacker.

Details of the attack itself are scarce, withheld for "security reasons", and Ubisoft has not said when the attack was carried out or discovered, or how the attackers gained entry.

In an email to customers, it said that the attackers compromised one of its websites to gain access to a database containing user names, email addresses, and "encrypted passwords".

"Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion."

In a separate statement on its blog, the company states that to its knowledge, no other personal information, such as phone numbers or physical addresses, was accessed.

As for the "encrypted" passwords, Ubisoft said that it stored them as an obfuscated value that "cannot be reversed, but could be cracked, in particular if the password chosen is weak". Ubisoft has not yet responded to customer queries as to what algorithm was used to hash the passwords, or whether a salt was used.
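Why the salt question matters, as an added example that is not from the article and not Ubisoft's scheme (its algorithm is undisclosed): with an unsalted fast hash, accounts sharing a password store identical values, while a per-user salt plus a slow key-derivation function keeps them distinct. PBKDF2-HMAC-SHA256, the iteration count, the record format and the sample accounts are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def unsalted_digest(password: str) -> str:
    """Weak storage: one fast hash, no salt. Shown only for comparison."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow storage: a fresh random salt per password plus PBKDF2."""
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, derived_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(derived_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):  # malformed or unusable record
        return False
    return hmac.compare_digest(candidate, expected)


def shared_password_groups(records: dict) -> list:
    """Return groups of accounts whose stored values are byte-for-byte identical."""
    by_value = {}
    for user, value in records.items():
        by_value.setdefault(value, []).append(user)
    return [sorted(users) for users in by_value.values() if len(users) > 1]


# Constructed sample accounts; two users picked the same weak password.
SAMPLE = {"alice": "password1", "bob": "password1", "carol": "c0rrect-horse-battery"}

if __name__ == "__main__":
    unsalted = {u: unsalted_digest(p) for u, p in SAMPLE.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE.items()}
    print("unsalted duplicates:", shared_password_groups(unsalted))
    print("salted duplicates:  ", shared_password_groups(salted))
```

A salt does not make a weak password strong; it removes the shared-value shortcut, and the iteration count raises the cost of every individual guess.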

The company is investigating the matter, and has called on the assistance of relevant authorities and external security experts in addition to its own internal staff.

Despite the email and notice on the company's blog, several Ubisoft customers on its forums and Facebook page appear to be under the impression that the password change is a phishing attempt by scammers. This belief was compounded by initial issues with the company's password reset feature, the emailed link to its security information page not working, and the coincidental timing around the announcement of Watch Dogs — a game where the lead protagonist hacks into systems.

The website and password reset issues now appear to have been resolved, and while Ubisoft has not indicated whether this is a publicity stunt, the fact that its password reset process is fully functional makes this possibility unlikely.

The company has confirmed that its Uplay services and servers were not hacked. In July last year, Google security researcher Tavis Ormandy discovered a vulnerability in the Uplay service that security company F-Secure at the time confirmed could allow attackers to gain control of a customer's PC. Ubisoft later patched the hole, and denied allegations that the vulnerability was an intentionally placed rootkit.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Talkback

3 comments
  • I got the email

    I bought Far Cry 3 on Amazon as a download. Had to install and create an account with Steam to use the code, then it had me create an account with UPlay, and now I get a 'your personal information might have been compromised' a few weeks later. What happened to just buying a game and playing it?
    edelbrp
    • To answer your question...

      I'm afraid it went out the window.
      statuskwo5
  • I Never Liked UPLAY

    I never really chose to join UPLAY.
    Assassin's Creed on the XBOX somewhat "forced" me to create an account that I and will never use. Now this.

    Microsoft should not allow XBOX Live games to "force" users to join another vendor network.
    TheCyberKnight