Gaming firm Ubisoft admits illegal access to user data
Gaming firm Ubisoft admits illegal access to user data

Up to 58 million gamers may be impacted after Ubisoft said that user names and email addresses had been compromised following unauthorised access to its online systems.

In a statement on its forums Ubisoft said that it found that a website had been exploited to gain unauthorised access to some online systems. It said that during the process, it found that user names, email addresses and encrypted passwords were "illegally accessed from our account database". However as no personal payment information is stored with Ubisoft, it said that debit and credit card information was safe from this intrusion.

It recommended users change their password both on Ubisoft and on any other website or service where users use the same or a similar password. “We sincerely apologise for any inconvenience and thank you for your understanding,” it said.

Ubisoft, who makes games such as Assassin's Creed, Splinter Cell and Far Cry, said that it had 58 million people on its database at the time of attack.

Paul Ayers, VP EMEA at Vormetric, said: “As though we needed another reminder, the Ubisoft data breach highlights once more that cyber thieves remain hungry for the valuable data stored at the server level. While the exact number of those affected has not been disclosed, it is safe to assume this is a breach of some magnitude.

“Although the company has confirmed that the stolen passwords were encrypted, other data, including email addresses were not. Ubisoft's customers will now be uncertain who has accessed their contact information and have even less insight into what else the hackers plan to use it for later down the line.

“Unfortunately, the nature of the information hijacked adds to the hackers ability to target other services, like social networking sites, causing a ripple effect of data compromise.

Rik Ferguson, global vice president of security research at Trend Micro, said: “How exactly were the passwords secured? Hashed I'm sure, this is the ‘non-reversible' security they mention in the blog, but if simple passwords could be cracked with ease, this sounds like the weakest form of hashing, unsalted, which is vulnerable to a simple lookup attack known as a Rainbow Table attack.

“This is not very confidence inspiring news. If they were salted, then were they using a common salt for every user and a hashing algorithm designed for speed rather than security? If so, then their password database is still vulnerable to a rainbow table attack.

“Ideally user passwords should be stored with a unique salt for every user and using an algorithm that allows a ‘work factor' to be introduced into the hashing process, such as Blowfish. This drastically increases the time taken to crack individual passwords and because the work factor is variable, it can be modified to keep up with advances in processing power. Increase the work factor, and the hash gets slower. The effect is negligible on an individual calculation, but mass calculation of rainbow tables becomes impractical.”