Security Experts Blast Ubisoft for Data Breach
On July 2, everyone who has played a Ubisoft game online in the last few years learned that their account may have been compromised, but not how or why, and security experts think that doesn't bode well.
Ubisoft, a French video game developer and publisher, emailed thousands of customers, informing them that they should change their passwords immediately. Beyond that, though, the developer was reluctant to share any pertinent details.
"We recently found that one of our websites was exploited to gain unauthorized access to some of our online systems," the email stated. "During this process, we learned that data were illegally accessed from our account database, including usernames, email addresses and encrypted passwords."
Which website, what kind of exploit, the identity of the attackers and the data accessed are all mysteries for the ages.
Ubisoft's opacity also calls its broader security practices into question, particularly when it comes to password protection. The company does not store passwords in the clear; it keeps them "as an obfuscated value," according to a recent blog post, which describes a one-way hash rather than encryption. "These cannot be reversed but could be cracked, in particular if the password chosen is weak," the company wrote.
But experts remain skeptical. "That doesn't sound very comforting to me," Graham Cluley, a U.K.-based security researcher, wrote on his blog. "Ubisoft may not have been following best practices to secure those passwords."
Simply saying that passwords are encrypted is essentially meaningless, argues Rik Ferguson, a Trend Micro security blogger in the U.K. "How, exactly, were the passwords secured?" he asked on a blog. "If simple passwords could be cracked with ease, this sounds like the weakest form of hashing [a one-way transformation of each entry into a fixed-size value] … This is not very confidence-inspiring news."
Ferguson argues that a better scheme would "salt" each password, combining it with a unique random value before hashing rather than hashing the bare password. A salt does not stop an attacker from guessing one weak password at a time, but it defeats precomputed hash tables and forces every account to be cracked separately; paired with a deliberately slow password hash, it makes large-scale cracking of a stolen database far more expensive.
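To make the difference concrete, the following is an added example (not Ubisoft's code, and not from any of the researchers quoted) that stores a handful of constructed sample accounts two ways: as a single fast, unsalted SHA-256 hash, and as a salted, iterated PBKDF2-HMAC-SHA256 hash. It then runs the same wordlist against both stores and counts how much hashing work the attacker has to do. The account names, passwords and wordlist are made up for the demonstration.

```python
"""Unsalted fast hash versus salted slow hash: what a stolen password
database costs an attacker.  All accounts and passwords below are
constructed sample data, not real breach material."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a tiny "leaked" user table and a tiny wordlist.
USERS: Dict[str, str] = {
    "alice": "123456",
    "bob": "password",
    "carol": "Tr0ub4dor&3",   # not in the wordlist, survives both attacks
    "dave": "123456",         # same password as alice
}
WORDLIST: List[str] = ["password", "123456", "ubisoft", "letmein", "qwerty"]
ITERATIONS = 100_000         # PBKDF2 work factor; raise in production


def store_unsalted(password: str) -> str:
    """Weakest form of 'obfuscated value': one unsalted SHA-256 hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Per-user random salt plus an iterated hash; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """Constant-time check of a login attempt against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(stored: Dict[str, str],
                   wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """One precomputed table, built once, cracks every account at once.
    Returns (cracked users, number of hashes computed)."""
    table = {store_unsalted(w): w for w in wordlist}   # len(wordlist) hashes total
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stored: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                 iterations: int = ITERATIONS) -> Tuple[Dict[str, str], int]:
    """Salt means no table can be shared: every guess is recomputed per
    account, and each of those hashes costs `iterations` rounds."""
    cracked: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in stored.items():
        for guess in wordlist:
            work += 1
            if verify_salted(guess, salt, digest, iterations):
                cracked[user] = guess
                break
    return cracked, work


def build_stores(users: Dict[str, str], iterations: int = ITERATIONS):
    """Hash the sample users both ways so the two attacks can be compared."""
    unsalted = {u: store_unsalted(p) for u, p in users.items()}
    salted = {u: store_salted(p, iterations=iterations) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted_db, salted_db = build_stores(USERS)
    # Identical passwords collide only in the unsalted store.
    print("alice/dave unsalted equal:", unsalted_db["alice"] == unsalted_db["dave"])
    print("alice/dave salted equal:  ", salted_db["alice"][1] == salted_db["dave"][1])
    print("unsalted:", crack_unsalted(unsalted_db, WORDLIST))
    print("salted:  ", crack_salted(salted_db, WORDLIST))
```

The same three weak accounts fall in both cases, which is the company's own point that weak passwords can still be cracked. What changes is the cost: the unsalted store is cracked with five cheap hashes shared across all users, while the salted store needs a fresh slow hash per guess per account (ten here, and the count grows with the product of users and wordlist size), and the attacker can no longer tell that alice and dave chose the same password.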
The breach may not even have involved exploiting a software vulnerability. According to Romanian security researcher Sorin Mustaca, it would have been much easier to obtain credentials from higher-ups at Ubisoft by means of phishing or malware. "Getting valid credentials is sometimes easier to achieve than exploiting vulnerabilities," he told tech site Softpedia.
Since Ubisoft does not store any payment information, users are not in danger of having their credit-card details stolen. Nor has Ubisoft's digital game service, Uplay, suffered any ill effects; users' games and in-game purchases are safe.
Although the developer has promised to tighten security measures in the future, it has not outlined any specific steps it plans to take.
One small irony of the case is that Ubisoft was once a champion of restrictive digital rights management software on the PC. When blockbuster "Assassin's Creed II" was first released, Ubisoft was so concerned about piracy that it required a constant Internet connection, rendering the game unplayable and losing a player's saved progress if access blinked even for a moment.
Ubisoft is neither the first nor the last game company to be hacked, but its lack of detail will do little to reassure skeptical players. If the next attack targets Uplay servers, rather than a single website, the backlash may be more severe.