Ubisoft has admitted that an attack on its network has resulted in the personal details of all its customers being accessed by a third party, in what has become a string of security problems for the company.
The game publishing giant has emailed its customers to warn that an attack, the details of which it is refusing to divulge beyond claims that 'credentials were stolen and used to illegally access our online network
,' has given unknown third parties full access to its user account database. While the database does not contain financial information - credit card details are held on the network of a third-party payment processing company, not by Ubisoft itself - it has resulted in user names, email addresses and encrypted passwords being stolen.
To Ubisoft's credit, the passwords were not being stored as plain-text values but as a hash - a process often incorrectly termed 'encrypting.' A hash value is a gibberish string which is near-impossible to turn back into its original human-readable plain text equivalent. When a user enters his or her password to log in, the system creates a new hash and compares it to the stored hash; if the values match, the user is allowed access.
While a one-way hash function is secure from computational reversal, it's not a complete protection: tools exist to run brute-force or dictionary attacks against password hashes, where strings are rapidly hashed and compared to the stolen database in order to find matches. If your password is "password," in other words, the hashing function will barely slow the attacker down. For smaller passwords, typically below eight alphanumeric characters, there are also 'rainbow tables' which store the pre-computed hash values and their plain-text equivalents - allowing an attacker to find the plain text password associated with an account instantly.
The security of hashes can be improved by using a 'salt' value, which differs from user to user and which alters the final hash considerably. Using salted hashes greatly increases the computational effort needed to crack the passwords, and ensures that users who have chosen the same password do not receive the same hash. Ubisoft has not, sadly, confirmed whether or not its password database was salted.
'We sincerely apologise to all of you for the inconvenience,
' Ubisoft told its users of the breach. 'Please rest assured that your security remains our priority. Ubisoft’s security teams are exploring all available means to expand and strengthen our security measures in order to better protect our customers. Unfortunately, no company or organisation is completely immune to these kinds of criminal attacks.
This attack represents the third major security breach suffered by the company in the last year, following a bug in the Uplay browser plug-in which one security research compared to a 'rootkit'
and a hole in the Uplay digital rights management (DRM) implementation which allowed attackers to download the unreleased Far Cry 3: Blood Dragon conversion.
Ubisoft is recommending that all its users change their passwords immediately
, and further warns those silly enough to re-use the same or similar password on multiple sites to do the same anywhere else the password has been used.