Ubisoft, one of the world’s most famous games publishers, has admitted that hackers managed to break into its servers, and stole account databases which included game players’ usernames, email addresses and encrypted passwords.
There are obvious risks that the email addresses could be spammed by malicious attackers. It’s easy to imagine, for instance, cybercriminals attempting to trick targeted game players into downloading malware disguised as a new game.
The good news, the company says, is that no personal payment information has been accessed – meaning credit card information has not been compromised.
Users are being advised to change their passwords, and (sensibly) Ubisoft recommends that you also change the password on any *other* site where you might have been using the same password.
As we have said many times before, it’s never a good idea to use the same password in more than one place – after all, if a hacker manages to steal your password in one place you don’t want them to be able to use it to access your other online accounts.
In an attempt to smooth the process, Ubisoft has created a webpage where users can change their passwords.
Some users, however, are reporting that their attempts to visit the page are met with an unhelpful error message (perhaps because the page is overloaded with traffic?).
At the moment, unfortunately, Ubisoft is being a little vague in its FAQ as to how securely it was holding users’ passwords:
What is an encrypted password?
Passwords are not stored in clear-text but as an obfuscated value. Those cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending our users to change their password.
That doesn’t sound very comforting to me, and suggests that Ubisoft may not have been following best practice to secure those passwords. Fingers crossed, hackers don’t manage to crack the passwords… That would make a bad situation even worse.
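The FAQ's point that stored values cannot be reversed but can be cracked when the password is weak, shown as an added example (not Ubisoft's code; the page does not say which scheme Ubisoft used). It contrasts a fast unsalted digest with salted PBKDF2; the account names, passwords, common-password list and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor, chosen for this example

def weak_store(password):
    """Fast, unsalted digest: not reversible, but cheap to guess against."""
    return hashlib.sha256(password.encode()).hexdigest()

def strong_store(password):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def strong_verify(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def accounts_at_risk(weak_table, common_passwords):
    """Audit: accounts whose unsalted digest matches a commonly used password."""
    known = {weak_store(p) for p in common_passwords}
    return {user for user, digest in weak_table.items() if digest in known}

# Constructed sample data (not from the breach).
SAMPLE_USERS = {"alice": "dragon123", "bob": "dragon123", "carol": "T7#qv!m2Lx-pZ9"}
COMMON_PASSWORDS = ["123456", "password", "dragon123"]

if __name__ == "__main__":
    weak_table = {u: weak_store(p) for u, p in SAMPLE_USERS.items()}
    # Same password -> same digest, so one match exposes every account sharing it.
    print("identical weak digests:", weak_table["alice"] == weak_table["bob"])
    print("at risk:", sorted(accounts_at_risk(weak_table, COMMON_PASSWORDS)))
    strong_table = {u: strong_store(p) for u, p in SAMPLE_USERS.items()}
    # Different salts -> different stored values for the same password.
    print("identical salted values:", strong_table["alice"][1] == strong_table["bob"][1])
    salt, stored = strong_table["carol"]
    print("carol verifies:", strong_verify(SAMPLE_USERS["carol"], salt, stored))
```

A salted, slow function raises the cost of every guess, but a password that sits on a common list is still found quickly, which is why the password change is advised either way.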