Ubisoft customers told "change your passwords *now*"


Ubisoft, the third-largest gaming company in both Europe and the US, is urging customers to change their passwords following a breach that exposed user names, email addresses and encrypted passwords.

The French company emailed users and put up a blog posting about the breach on Tuesday.

Ubisoft gave scant details but did say that it had recently discovered that a site had been exploited and that intruders had gained access to some online systems.

The company said it "instantly" took steps to close off the affected area and launched an investigation with authorities and both internal and external security experts.

During its investigation, Ubisoft said, the company learned that data had been illegally accessed from its account database.

Ubisoft stressed that no financial data was breached, since it doesn't store personal payment information such as credit or debit card data.

And while Ubisoft says the breached passwords were encrypted, it is not clear exactly what, if any, salting and hashing were used. Ubisoft commented that passwords - particularly weak ones, and most particularly those repeated on other sites - could be cracked and therefore should be changed.

Here's what Ubisoft's communications manager, Gary Steinman, had to say:


Passwords are not stored in clear-text but as an obfuscated value. These cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending that our users change their password.

Ubisoft confirmed with ZDNet's Michael Lee that Uplay - its digital distribution, digital rights management, multiplayer and communications service and server - was not hacked.

At any rate, customers should heed Ubisoft's advice on passwords.

The need to change passwords is quite real - most particularly if users repeat the same passwords on multiple sites.

We don't know how strong Ubisoft's encryption was at this point, but we know for sure that using the same password on multiple sites is a very bad idea.
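Why the storage scheme and the password's strength both matter, as an added example that is not from Ubisoft or the original article. It assumes, purely for illustration, an unsalted SHA-256 scheme beside salted PBKDF2 (Ubisoft's actual scheme is not known), and the accounts, passwords, wordlist and function names are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data: users, passwords and wordlist are invented.
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "q7#Vt9!mZp2$Lw"}
WORDLIST = ["123456", "password", "letmein", "qwerty"]
ITERATIONS = 200_000  # illustrative work factor (assumption); tune to your hardware


def weak_store(password):
    """Assumed weak scheme: a single unsalted, fast SHA-256 digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_store(password, salt=None):
    """Per-user random salt plus slow PBKDF2-HMAC-SHA256; returns (salt, key)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def strong_verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(strong_store(password, salt)[1], key)


def audit_weak(db, wordlist):
    """Unsalted: hash each word once, then match every account by lookup."""
    lookup = {weak_store(w): w for w in wordlist}
    return {user: lookup[h] for user, h in db.items() if h in lookup}


def audit_strong(db, wordlist):
    """Salted: every guess must be recomputed per account at full cost."""
    found = {}
    for user, (salt, key) in db.items():
        match = next((w for w in wordlist if strong_verify(w, salt, key)), None)
        if match is not None:
            found[user] = match
    return found


if __name__ == "__main__":
    weak_db = {u: weak_store(p) for u, p in ACCOUNTS.items()}
    strong_db = {u: strong_store(p) for u, p in ACCOUNTS.items()}
    print("same digest for reused password:", weak_db["alice"] == weak_db["bob"])
    print("weak scheme audit:  ", audit_weak(weak_db, WORDLIST))
    print("strong scheme audit:", audit_strong(strong_db, WORDLIST))
```

Both audits flag the two weak passwords and neither flags the long random one: salting and a slow function raise the cost of every guess, but they do not rescue a password that sits in a common wordlist.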

If you use the same passwords on multiple sites, change the passwords so they're all unique.

With all the good, free password management apps out there that can churn out complicated, unique passwords that you don't have to remember yourself, there's just no reason to reuse passwords.

Just because password crackers may get at your Assassin's Creed is no reason to give them the keys to your whole online kingdom.



4 Responses to Ubisoft customers told "change your passwords *now*"

  1. Mike · 444 days ago

    For a list of Ubisoft games.....
    http://en.wikipedia.org/wiki/List_of_Ubisoft_game...

  2. darkpr0fit · 444 days ago

    Customers should heed Ubisoft's advice on passwords, and Ubisoft should heed this breach as a warning that their security needs to be tightened. This is another example of loose security and cleanup afterwards.

  3. Techno_M · 444 days ago

    Second time for me, I was hacked in the Sony incident too.

    But after the first time I followed the advice of Naked Security and started using Keepass to generate passwords. Also I've now set up two factor authentication for Google.

  4. Mike · 444 days ago

    I tried to change my password via the link in their email. The page appears to require third-party cookies to be enabled. Pretty much sums it up for how well they've tightened their security.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.