
Ubisoft Hacked, User Accounts Compromised

Ubisoft said on Tuesday that one of its Web sites was exploited to gain unauthorized access to some of its online systems. The company said it immediately took steps to block the intruders and began restoring the integrity of any systems that may have been compromised. Ubisoft is also currently working with the authorities as well as internal and external security teams.

"During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords," the company said. "It’s important to note that no personal payment information is stored with Ubisoft, so fortunately all credit/debit card information was safe from this intrusion."

Naturally, Ubisoft recommends that everyone with a Ubisoft account change their password. It also recommends changing the password on any other Web site or service where the same or a similar password is used, to help ensure the safety of personal information.

"Credentials were stolen and used to illegally access our online network. We can’t go into specifics for security reasons," the company said. "To our knowledge, no other personal information (phone numbers, physical addresses etc.) was accessed."

Ubisoft went on to report that security teams are exploring all available means to expand and strengthen its security measures in order to better protect customers, but no company or organization is completely immune to "these kinds of criminal attacks". Ubisoft also said the uptime and stability of its games’ online services were not affected by this intrusion, and that the attack did not originate via any Uplay services.

Since credit card information was not accessible, the more likely worry for Ubisoft customers is hackers using the retrieved information to break into other gaming services that do contain credit card information. Currently there's no evidence that this intrusion is related to any other game company’s previous security incidents.

"We… are continuing to investigate the incident," Ubisoft said.

  • alchemy69
    I got an e-mail from Ubisoft this morning about this very thing. I assumed it was a phishing scam as I don't remember ever having had a Ubisoft account.
  • majudhu
    Websites should let us authenticate with an OpenPGP signed message
  • Jim90
    I also got an email this morning.
    Why do sites such as these still persist in having some personal information unencrypted - why not encrypt ALL personal information (email, passwords, etc.)?
    Is it really such a big deal to do this?

    Obviously, if they get hold of the 'key' then that's another matter (but maybe allows for more trackability for such investigations).
  • cats_Paw
    Exactly why I don't put my credit card data on those services.
    I don't care much if they get my e-mail since I use one for all that crap and another for important things.

    As far as I see it, Ubisoft might have done it themselves to sell personal data to ad companies. There is no way to tell. Or how exactly do I get ads from some new e-mail account I just created that I only used to create a Ubisoft/EA/Sony account?

  • __-_-_-__
    "Obviously, if they get hold of the 'key' then that's another matter (but maybe allows for more trackability for such investigations). "

    How would it allow more trackability? It wouldn't.
    Encrypted passwords can be cracked.
  • ZippyPeanut
    ANOTHER reason I resent always-online DRM. To play Far Cry 3, I must have an account with Ubisoft, which is trouble enough. Now this shit happens, and I have to worry about my account being hacked and have to change my password--just to play a video game.
  • MolsonsX
    What a complete hassle this was because I have 2 accounts with them (UBI Soft). I changed passwords on both accounts as per instructions and ended up being locked out of both when trying to log in to uPlay.
    But finally after much stress over lost game$ I was able to log in and all is good, at least for now. I guess none of us are safe from those that would like to steal our personal info. Thank God they weren't able to get banking and credit card info....
  • koga73
    @Jim90

    If everything were encrypted it would take a huge amount of processing power on servers whenever inserting or selecting from databases. Passwords are hashed and credit card numbers are encrypted. Allow me to explain the difference. Hashes are simply a checksum. They cannot be decrypted because they are not encrypted in the first place. Think of a hash as being something like if you were to assign each letter in a password a specific value, add them all up and take their character position into consideration. You would have a unique "hash" that represents the password but contains no information pointing back to it. Password hashes are cracked by comparing hashes and trying to find a match. Credit card data on the other hand is encrypted because at some point it needs to be decrypted to process a new transaction.
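
The hashing behaviour discussed in the last comment, shown as an added example (not part of the original article or comments, and not Ubisoft's code): a stored password is never decrypted at login, only re-derived and compared, and a per-user salt with a slow key-derivation function keeps equal passwords from producing equal stored values. The account names, passwords and iteration count are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed demo work factor; tune upward for production

def unsalted_digest(password: str) -> str:
    """Fast, unsalted hash: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Slow, salted hash (PBKDF2-HMAC-SHA256); returns (salt, key) to store."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)

def shared_digest_groups(table: dict[str, str]) -> list[list[str]]:
    """Users whose stored values are identical, so one match exposes them all."""
    groups: dict[str, list[str]] = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts, not data from the incident.
ACCOUNTS = {"user_a": "correct horse", "user_b": "correct horse", "user_c": "tr0ub4dor"}

def demo() -> dict:
    unsalted = {u: unsalted_digest(p) for u, p in ACCOUNTS.items()}
    salted = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    salt_a, key_a = salted["user_a"]
    return {
        "unsalted_groups": shared_digest_groups(unsalted),
        "salted_groups": shared_digest_groups({u: k.hex() for u, (_, k) in salted.items()}),
        "login_ok": verify_password("correct horse", salt_a, key_a),
        "login_bad": verify_password("wrong guess", salt_a, key_a),
    }

if __name__ == "__main__":
    print(demo())
```

In the unsalted table the two accounts sharing a password are visible as a group before any guessing happens; in the salted table no group appears, so each stored value has to be tested on its own at the cost of the full work factor.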