Ubisoft breached, users asked to reset passwords

If you’re a Ubisoft customer, you probably wondered why you are  being asked to reset your password.

Ubisoft is now part of the “big family” of prominent websites that got hacked and lost customer data: LinkedIn, eHarmony, LastFM and others.

In a post called “SECURITY UPDATE REGARDING YOUR UBISOFT ACCOUNT – PLEASE CREATE A NEW PASSWORD” (yes, written with capitals), the French company announced that their systems were breached and databases using user names, email addresses and passwords were compromised.


If this comforts you, the passwords were hashed and no financial data was stored on those servers.

What worries me more is the affirmation of Ubisoft:

“Passwords are not stored in clear-text but as an obfuscated value. These cannot be reversed but could be cracked, in particular if the password chosen is weak.[…]We also recommend that you change your password on any other Web site or service where you use the same or a similar password.”

This tells me that most probably the password were just hashed using an algorithm like MD5. The de-facto standard these days is to use SHA-256 and a salt.

Even if the exact details about how did the hackers got into Ubisoft’s servers are not known, we can safely assume that one of these situations happened:

– the software running on these systems was vulnerable and the criminals exploited the vulnerability which allowed them to get access to the servers.

– the cyber-criminals got in possession of login credentials of some Ubisoft employee(s) and have used them to get the data.

Using dedicated attacks (social engineering, spear phishing, targeted malware, “water-holing” attacks) against employees, probably computers inside Ubisoft got infected and the affected employees got their credentials stolen.

Getting valid credentials is sometimes easier to achieve than exploiting vulnerabilities.

As a conclusion, please change your password. And if you were using the same password for multiple accounts, change all of them. Here are tips how to create good passwords and to improve your overall security.

Update: Ubisoft updated a couple of times the original post, showing from time to time an error page. In case it happens that you see that page, you can just go to the forum entry.


Sorin Mustaca

IT Security Expert

via Avira – TechBlog http://techblog.avira.com/2013/07/03/ubisoft-breached-users-asked-to-reset-passwords/en/

© Copyright Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity

Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch

About the Author

Sorin Mustaca
Sorin Mustaca, (ISC)2 CSSLP, CompTIA Security+ and Project+, is working since over 20 years in the IT Security industry and worked between 2003-2014 for Avira as Product Manager for the known products used by over 100 million users world-wide. Today he is CEO and owner of Endpoint Cybersecurity GmbH focusing on Cybersecurity, secure software development and security for IoT and Automotive. He is also running his personal blog Sorin Mustaca on Cybersecurity and is the author of the free eBook Improve your security .

Comments are closed.

%d bloggers like this: