Epic Games, probably best known for the Unreal games programming system and the Xbox game Gears of War, has just admitted to a data breach.
Two breaches, in fact:
We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext.
Also, we believe a compromise of our legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums revealed email addresses, salted hashed passwords and other data entered into the forums.
We’re glad that Epic Games has published this notification and not swept the breach under the carpet, but in cases like this, we think it helps to be clearer about what happened.
In the second half of the breach notification, for example, the company admits that “salted hashed passwords” were stolen, but missed the chance of saying how they were salted and hashed.
Our recommendation (last updated in June 2016) is to use a password storage system called PBKDF2, and the hash HMAC-SHA-256, salted with at least 16 bytes, stretched with at least 20,000 iterations.
(This meets and exceeds the latest guidelines for US public sector passwords from the US National Institute for Standards and Technology, better-known as NIST.)
Don’t worry if you don’t follow all this talk of salting-hashing-and-stretching.
The idea is that you don’t store the actual password entered by the user, in case it’s ever stolen.
Instead you store a unique, cryptographically-scrambled version that can be checked quickly enough for convenience, but not so quickly that crooks can easily try billions of passwords a second if the scrambled passwords are stolen.
Simply put, salting-hashing-and-stretching using 20,000 repetitions takes 20,000 times longer than just a straight hash of the password.
So, all things being equal, crooks who steal the database for an offline attack will recover passwords 20,000 times more slowly, and passwords that might have been cracked after minutes or hours of guessing might now take weeks or years.
In breach notifications like this, then, it’s helpful to say what sort of hashing system was used.
Technically savvy users can then use this information to make a more informed decision about the likelihood of their passwords being cracked.
Also, Epic advises, in respect of the second breach, that:
If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password.
We’re a little confused here.
This implies that your data was compromised when you used the forums (e.g. while logging in or posting), rather than simply because you had an account on one of them.
Otherwise, accounts created before July 2015 would be at risk of password recovery, too, assuming the crooks plundered the forum databases.
And if that’s how it went down, with the crooks keeping tabs on users as they logged in, then the crooks may have grabbed plaintext passwords from memory during the login process.
We think Epic should consider making a clearer statement about how the July 2015 “cutoff” enters the equation.
What to do?
- Change your Epic passwords, even if Epic thinks you don’t need to.
- Assume that anything you wrote in the affected forums is now public.
- Consider asking Epic for a bit more detail on what happened, notably whether July 2015 is when the breach started, and whether that date applies to the first breach as well.
Oh, before you go, in case you ever find yourself in a breach disclosure situation, be sure to read the satirical but helpful advice in our article What you sound like after a data breach.
And, if you’re one of the users who needs to change your password, here’s a short and straight-talking video that shows you not only how to do choose a good one, but also why you should bother:
(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)