Ubisoft, the third-largest gaming company in both Europe and the US, is urging customers to change their passwords following a breach that exposed user names, email addresses and encrypted passwords.
The French company emailed users and put up a blog posting about the breach on Tuesday.
Ubisoft gave scant details but did say that it had recently discovered that a site had been exploited and that intruders had gained access to some online systems.
The company said it “instantly” took steps to close off the affected area and launched an investigation with authorities and both internal and external security experts.
During its investigation, Ubisoft said, the company learned that data had been illegally accessed from its account database.
Ubisoft stressed that no financial data was breached, since it doesn’t store personal payment information such as credit or debit card data.
And while Ubisoft says the breached passwords were encrypted, it is not clear exactly what salting and hashing, if any, was used. Ubisoft commented that passwords – particularly weak ones, and most particularly those repeated on other sites – could be cracked and therefore should be changed.
Here’s what Ubisoft’s communications manager, Gary Steinman, had to say:
“Passwords are not stored in clear-text but as an obfuscated value. These cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending that our users change their password.”
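What salting and slow hashing change about a stored credential table, shown as an added Python example that is not from Ubisoft or the original article. The function names, the PBKDF2 iteration count and the sample accounts are assumptions constructed for illustration; the article does not say how Ubisoft actually stored passwords.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 200_000  # assumed work factor for this sketch; tune to your hardware


def weak_store(password):
    """Unsalted single-pass SHA-256: identical passwords give identical values."""
    return hashlib.sha256(password.encode()).hexdigest()


def strong_store(password, salt=None):
    """Per-user random salt plus PBKDF2-HMAC-SHA256, kept as salt$iterations$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${dk.hex()}"


def verify(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, iters, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def accounts_sharing_a_value(records):
    """Count accounts whose stored value is identical to another account's."""
    counts = Counter(records.values())
    return sum(n for n in counts.values() if n > 1)


# Constructed sample accounts; two users picked the same weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "T7#qv!x92LmZ-pR4"}

WEAK_DB = {user: weak_store(pw) for user, pw in USERS.items()}
STRONG_DB = {user: strong_store(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("unsalted, accounts sharing a value:", accounts_sharing_a_value(WEAK_DB))
    print("salted, accounts sharing a value:", accounts_sharing_a_value(STRONG_DB))
    print("alice can still log in:", verify("password1", STRONG_DB["alice"]))
```

With a per-user salt, every guess has to be recomputed for each account at the full iteration cost, but a weak password is still guessable, which is why the advice to change it stands either way.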
Ubisoft confirmed with ZDNet’s Michael Lee that Uplay – its digital distribution, digital rights management, multiplayer and communications service and server – was not hacked.
At any rate, customers should heed Ubisoft’s advice on passwords.
The need to change passwords is quite real – most particularly if users repeat the same passwords on multiple sites.
At this point we don’t know how strong Ubisoft’s encryption was, but we know for sure that using the same password on multiple sites is a very bad idea.
If you use the same passwords on multiple sites, change the passwords so they’re all unique.
With all the good, free password management apps out there that can churn out complicated, unique passwords that you don’t have to remember yourself, there’s just no reason to reuse passwords.
Just because password crackers may get at your Assassin’s Creed is no reason to give them the keys to your whole online kingdom.
For a list of Ubisoft games…..
http://en.wikipedia.org/wiki/List_of_Ubisoft_game…
Customers should heed Ubisoft's advice on passwords, and Ubisoft should heed this breach as a warning that their security needs to be tightened. This is another example of loose security and cleanup afterwards.
Second time for me, I was hacked in the Sony incident too.
But after the first time I followed the advice of Naked Security and started using KeePass to generate passwords. Also I've now set up two-factor authentication for Google.
I tried to change my password via the link in their email. The page appears to require third-party cookies to be enabled. Pretty much sums it up for how well they’ve tightened their security.