More than 800,000 usernames, email addresses, and birth dates are thought to have been stolen by hackers from online forums run by Epic Games.
Epic, famed for developing popular games such as Unreal Tournament, Gears of War and Infinity Blade, are thought to have had members of their message boards exposed by hackers exploiting a known vulnerability in an out-of-date version of the vBulletin forum software.
As a consequence, not only has personal information about individual members been put at risk, but also as ZDNet reports “their full history of posts and comments including private messages, and other user activity data.”
Over half a million of the breached accounts are thought to come just from the Unreal Engine’s forums.
A statement about the data breach was published on the Unreal Engine forum website:
We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.
Also, we believe a compromise of our legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums revealed email addresses, salted hashed passwords and other data entered into the forums. If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password.
We don’t believe that other Epic related forums were affected, including Paragon, Fortnite, Shadow Complex, and SpyJinx.
We apologize for the inconvenience this causes everyone and we’ll provide updates as we learn more.
While it must be taken as some relief to hear that passwords do not appear to have been compromised in the breach of the Unreal Engine and Unreal Tournament forums, there are still plenty of ways in which malicious attackers could exploit the stolen information – including sending bogus messages to members’ email addresses that use carefully crafted social engineering to dupe the unwary.
Furthermore, from the sound of things, players of Infinity Blade, UDK, earlier Unreal Tournament games and Gears of War may not have been so fortunate password-wise, and would be smart to ensure that they are not reusing those passwords on other sites.
Embarrassingly for Epic Games, it has been little more than a year since it last saw its online forums suffer a major hack.
The problem is the same now as it was then. Epic’s forums are running a woefully out-of-date version of the vBulletin software, with SQL injection vulnerabilities that malicious hackers are able to exploit in order to steal information.
It would be nice to think that Epic Games learnt from its bad experience last year and would have been more vigilant in keeping vBulletin patched and updated, or switched to a forum platform that was less riddled with security problems.
Unfortunately, that simply doesn’t seem to have happened.
Which means it’s up to gamers to try their hardest to defend themselves.
Your first step should obviously be to use unique, hard-to-crack passwords for every account that you use online. That helps protect you from password reuse attacks.
But what we really need is for more companies to stop daydreaming themselves into breaches, and wake up and smell the coffee.
If you can’t demonstrate that you are putting the right measures in place to protect your users, such as keeping forum software updated to defend against the latest vulnerabilities exploited by malicious hackers, don’t be surprised if your users ultimately take their custom elsewhere.
by Graham Cluley, ESET We Live Security