Hackers attack games publisher Ubisoft, steal players’ personal information

Ubisoft, one of the world’s most famous games publishers, has admitted that hackers managed to break into its servers, and stole account databases which included game players’ usernames, email addresses and encrypted passwords.

There are obvious risks that the email addresses could be spammed by malicious attackers. It’s easy to imagine, for instance, cybercriminals attempting to trick targeted game players into downloading malware disguised as a new game.

Sign up to our newsletter
Security news, advice, and tips.

The good news, the company says, is that no personal payment information has been accessed – meaning credit card information has not been compromised.

Users are being advised to change their passwords, and (sensibly) Ubisoft recommends that you also change the password on any *other* site where you might have been using the same password.

As we have said many times before, it’s never a good idea to use the same password in more than one place – after all, if a hacker manages to steal your password in one place you don’t want them to be able to use it to access your other online accounts.

In an attempt to smooth the process, Ubisoft has created a webpage where users can change their passwords.

Some users, however, are reporting that their attempts to visit the page are met with an unhelpful error message (perhaps because the page is overloaded with traffic?):

At the moment, unfortunately, Ubisoft is being a little vague in its FAQ as to how securely it was holding users’ passwords:

What is an encrypted password?
Passwords are not stored in clear-text but as an obfuscated value. Those cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending our users to change their password.

That doesn’t sound very comforting to me, and suggests that Ubisoft may not have been following best practice to secure those passwords. Fingers crossed, hackers don’t manage to crack the passwords… That would make a bad situation even worse.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.