
shinjuru
Premium,Mod
join:2000-10-29
West Coast
Reviews:
·SureWest Internet

Ubisoft Data Breach

said by Washington Post :

Ubisoft said Tuesday that its systems had been breached by cybercriminals, and recommended that any users with a Ubisoft account change their passwords immediately.

In a company blog post, the firm said that users’ names, e-mail addresses and encrypted passwords were taken in the attack. No financial data was at risk from the intrusion, the company said.

More over at »www.washingtonpost.com/business/···ory.html

Blue's News posted up an email sent out to Ubisoft users.

said by »www.bluesnews.com/s/143037/ubisoft-breached :

Dear Member,

We recently found that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.


--
Games - GameTech - S.F.Bay -


Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12

YAY DRM!!!



Kaltes
Premium
join:2002-12-04
Los Angeles, CA
reply to shinjuru

said by ubisoft :

While the passwords were encrypted, Ubisoft said, they can still be uncovered by hackers, especially if a password is weak.

I'm sorry, but that is just fucking retarded. The strength of a password has NOTHING WHATSOEVER TO DO with whether encryption protecting that password can be broken. When my bullshit detector goes off like this, it generally means someone is trying to cover up some inconvenient fact.

The only way the hackers are getting at your password is if the hackers break UBISOFT'S password, not yours. If your password was encrypted, that means ubisoft is using a password for the encryption they use to supposedly protect your password. If the hackers get their hands on THAT, they can decrypt all the user passwords.

If Ubisoft followed basic encryption security practices, they wouldn't even be asking users to change their passwords. Since they are, I think it is a safe bet that the hackers managed to get their hands on Ubisoft's encryption key and decrypt the user passwords. Not admitting this is harmful to the users.


Mcrobrewer
Premium
join:2001-03-04
Trenton, NJ
reply to Krisnatharok

said by Krisnatharok:

YAY DRM!!!

What does DRM have to do with this breach?
--
Obama is a liar.... a cheat... a person of low moral character... the least common denominator...


Moos
Tequilablob
Premium
join:2008-12-11
Salt Lake City, UT
kudos:3

If it wasn't for DRM then most of us probably would not have Ubisoft accounts. I cannot stand Uplay.



Krisnatharok
Caveat Emptor
Premium
join:2009-02-11
Earth Orbit
kudos:12

said by Moos:

If it wasn't for DRM then most of us probably would not have Ubisoft accounts. I cannot stand Uplay.

This. I have TWO uplay accounts and didn't even know about the second one. I probably made it quickly because I could not log in. Now both passwords are burned.
--
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.


TruSm0ke

join:2005-07-21
Michigan
Reviews:
·Comcast

I received an email from Ubisoft explaining how "one" of their websites was exploited to "gain unauthorized access to some of their online systems". It continues saying to "Please note that no personal payment is stored with Ubisoft, meaning your debit/credit card info was safe."

As a solution the email suggests changing passwords. But not just for Ubisoft sites but any other website or service where you use the same or a similar password.



ekster
Hi there
Premium
join:2010-07-16
Lachine, QC
kudos:3
reply to shinjuru

It's a good thing for me, I suppose. I couldn't even remember my damn password I had with them, so now I get a new shiny password that I won't remember.


nikmagid

join:2001-04-19
Los Angeles, CA
reply to shinjuru

I couldn't remember what game I used to play with them online, then realized after looking at their site that it was Settlers Online!



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Kaltes

said by Kaltes:

The only way the hackers are getting at your password is if the hackers break UBISOFT'S password, not yours. If your password was encrypted, that means ubisoft is using a password for the encryption they use to supposedly protect your password. If the hackers get their hands on THAT, they can decrypt all the user passwords.

If Ubisoft followed basic encryption security practices, they wouldn't even be asking users to change their passwords. Since they are, I think it is a safe bet that the hackers managed to get their hands on Ubisoft's encryption key and decrypt the user passwords. Not admitting this is harmful to the users.

You seem to not understand how a site/company encrypts passwords. The really poor version is plain text with no encryption; one step up is MD5 hashes without salt. There is no master company password.

Here are two great articles from ARS Technica.

Why passwords have never been weaker—and crackers have never been stronger

and

Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”

Since Ubisoft didn't mention salt, you can pretty much guess that they lost MD5 hashed accounts and your data is pretty much in the wind. From the second article you will find that knowing where the passwords come from is a great help in finding out passwords that might be used.

I haven't yet received an e-mail from them, but I'm sure I probably have an account with them. Hopefully more data will come out later so others can learn from Ubisoft's mistakes. The real risk is people who reuse passwords, once your password is lost on one site all of your sites that use that password are at risk.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein
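Kilroy's point about unsalted MD5 versus properly stored passwords, as an added Python example that is not part of the original thread: with a constructed three-account table and a constructed short candidate list, it shows that unsalted MD5 makes two users with the same password visibly identical and lets one precomputed table be checked against every account, while a per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256 is assumed here as the stand-in scheme) removes both properties.

```python
import hashlib
import secrets
from collections import defaultdict
from typing import Optional

# Constructed sample account table (not real data); carol reuses alice's password on purpose.
SAMPLE_ACCOUNTS = {"alice": "password123", "bob": "letmein", "carol": "password123"}
# Constructed short candidate list standing in for a public wordlist.
CANDIDATES = ["123456", "password123", "letmein", "qwerty"]

def store_md5(password: str) -> str:
    """The 'one step up from plain text' scheme: unsalted MD5, no per-user randomness."""
    return hashlib.md5(password.encode()).hexdigest()

def store_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> tuple:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256, assumed as the stand-in)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest.hex()

def verify_pbkdf2(password: str, salt: bytes, iterations: int, digest_hex: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    return secrets.compare_digest(store_pbkdf2(password, salt, iterations)[2], digest_hex)

def shared_digest_groups(stored: dict) -> list:
    """Users whose stored values are byte-identical, i.e. who visibly share a password."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(users for users in groups.values() if len(users) > 1)

def audit_unsalted_md5(stored: dict, candidates: list) -> dict:
    """Defender's audit of an unsalted table: one table of candidate hashes, computed once,
    checks every account with a dictionary lookup. Salting would force per-user work instead."""
    table = {store_md5(c): c for c in candidates}
    return {user: table[h] for user, h in stored.items() if h in table}

def demo() -> dict:
    md5_table = {u: store_md5(p) for u, p in SAMPLE_ACCOUNTS.items()}
    pbkdf2_table = {u: store_pbkdf2(p, iterations=1_000) for u, p in SAMPLE_ACCOUNTS.items()}
    return {
        "md5_shared": shared_digest_groups(md5_table),                 # [['alice', 'carol']]
        "md5_weak": audit_unsalted_md5(md5_table, CANDIDATES),         # all three accounts found
        "pbkdf2_shared": shared_digest_groups({u: v[2] for u, v in pbkdf2_table.items()}),  # []
        "pbkdf2_verify": verify_pbkdf2("password123", *pbkdf2_table["alice"]),            # True
    }
```

The iteration count is what makes each per-user guess expensive; 1_000 is used in demo() only to keep it fast, and a real deployment would use a much higher value.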


Kaltes
Premium
join:2002-12-04
Los Angeles, CA

Thanks for those articles. I assumed that the company encrypted the same way a user does, not just with a hash where someone can brute force the whole list at once.

It looks like stringing together words is by far the best option for a password, since your brain can remember each word as one unit, and while a computer can crack each word as one unit, the size of the dictionary list makes the possibilities for each unit so immense that putting enough words together is conceptually impossible to crack, while being a lot easier to remember than some l33t-speak p4$$w0rD.
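Kaltes's word-string argument, worked through as an added Python example that is not from the thread: it compares the entropy of k words chosen at random from a dictionary of D entries with that of a character-level password, and converts bits to an expected search time at an assumed guess rate. The guess rate and the 7776-word dictionary size are assumptions, and the character-level figure is an upper bound that holds only for randomly chosen characters, not for a mangled dictionary word such as p4$$w0rD.

```python
import math
import string

# Assumed offline guess rate against a fast unsalted hash (placeholder figure, not from the thread).
ASSUMED_GUESSES_PER_SECOND = 1e10
# Assumed dictionary size; 7776 (6**5) is the classic diceware list size, used only as an example.
ASSUMED_DICTIONARY_SIZE = 7776

def passphrase_bits(word_count: int, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> float:
    """Entropy of word_count words drawn uniformly and independently from the dictionary.
    Each word is one unit worth log2(dictionary_size) bits, regardless of how long it is."""
    return word_count * math.log2(dictionary_size)

def charset_bits(password: str) -> float:
    """Upper bound: entropy of a string of this length drawn uniformly from the character
    classes that appear in it. A dictionary word with substitutions is far below this bound."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0

def expected_years(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to find a uniformly random secret: half the space at rate guesses per second."""
    return 2 ** (bits - 1) / rate / (365 * 24 * 3600)

def words_needed(target_bits: float, dictionary_size: int = ASSUMED_DICTIONARY_SIZE) -> int:
    """Smallest number of random dictionary words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))

def compare(word_count: int, password: str) -> dict:
    """Side-by-side figures for a word-based passphrase and a character-level password."""
    return {
        "passphrase_bits": round(passphrase_bits(word_count), 1),
        "charset_bits": round(charset_bits(password), 1),
        "passphrase_years": expected_years(passphrase_bits(word_count)),
        "charset_years": expected_years(charset_bits(password)),
    }
```

Four random words from a 7776-word list come out close to a fully random 8-character password, and every extra word adds about 12.9 bits, which is the sense in which the word count, not word length, is what matters.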



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN

Check out Password Haystacking.

In reality the only viable solution is a password manager. I use LastPass Premium. Using a password manager you can have large generated passwords that are unique to each site and you only need to remember the password to access your passwords.

People are not capable of creating secure passwords. In order to remember them they have to have something that makes it easy for them to remember. When you toss in the number of different passwords you need, there is no good way to generate that many passwords.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein



ekster
Hi there
Premium
join:2010-07-16
Lachine, QC
kudos:3

Yeah, after having too many similar passwords, and then too many random passwords with annoying restrictions that are different everywhere, I just got KeePass and started using unique and randomly generated passwords for everything.



Kaltes
Premium
join:2002-12-04
Los Angeles, CA
reply to shinjuru

The problem with a password manager seems to be that the passwords are stored on your computer or on some 3rd party company's computer. I don't trust a 3rd party with passwords, and it seems like if you rely on keeping them on your computer, you'd be screwed if your hard drive broke. How do you deal with these kinds of risks?

I agree that having hard-to-remember passwords is useless. I've forgotten mine before. I think one solution is to have a general password you use that is somewhat strong, and then add a tag to it based on the website you're using it for, or something.



ekster
Hi there
Premium
join:2010-07-16
Lachine, QC
kudos:3

Considering that you choose the encryption and the number of iterations of encryption of the file that stores all the passwords... it's safe to say that the file will be perfectly safe no matter where you put it as long as you use a proper password.



Kaltes
Premium
join:2002-12-04
Los Angeles, CA

I guess that makes sense, if you keep enough copies of it around so that you don't end up losing that file somehow because of an equipment failure, fire, or whatever.



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Kaltes

Check out Steve Gibson's review of LastPass in Security Now! - Episode 256. You can either listen to the podcast or read the transcript. The basics are LastPass only holds an encrypted version of your information, it is encrypted and decrypted on your machine. LastPass doesn't even know your password, they would have to brute force your file to get your data.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein