
Ubisoft hacked, account data compromised - bobwaycott
https://support.ubi.com/en-US/FAQ.aspx?platformid=60&brandid=2030&productid=3888&faqid=kA030000000eYZ2CAM
======
dclowd9901
I wouldn't care so much about this, except that I am often essentially
required to give my data to Ubisoft (and other third party publishers) in
order to buy/play their games. EA, you're no better.

Why are all these companies adamant about trying to bootstrap their own
services? It's maddening, and it _only_ causes things like this to happen.
Steam exists, and it's amazing. Stop trying to do better -- you won't.

~~~
FredFredrickson
I have mixed feelings about that. On the one hand, I fully agree - I hate
having all kinds of junky game clients running on my computer when I _ought_
to just be able to have one, Steam, which is obviously doing a decent job.

On the other hand, I think that competition will drive Steam to be better (or
maybe, just maybe, result in something better than Steam), and so I don't
necessarily want the other companies to stop trying to compete entirely,
either.

~~~
cookiecaper
The other companies aren't really trying to compete with Steam per se, they
just want to inject their own custom babysitter to analyze your computer and
see if they're complying with their rules. When you open a game from Steam
that's produced by one of these companies, it chains in its own loaders and
achievements and stuff. It totally sucks, and it's a terrible end user
experience.

It'll be exciting when the fogies in charge of these companies die out. They
seem to have difficulty grasping the concept of computers and digital
distribution.

~~~
HelloMcFly
I think they are probably more interested in avoiding the ~15-30% (rumored)
cut that Steam takes for digital sales of their games. And I know in EA's
case, they want to sell DLC through their game, not through Steam's client
specifically to avoid that charge (that's the reason some EA games were
removed from Steam when Valve changed their policy on the matter).

~~~
cookiecaper
They do this even on games purchased directly through Steam. It's obviously
not about cutting out Steam, because they still facilitate their sales via
Steam and presumably are still obliged to render commissions. As Ubisoft says
in their own announcement, UPlay did not accept payments directly;
distribution channels like Steam or physical retail were still required to
obtain the games.

------
psycr
Let's play the guessing game: by "encrypted" they mean MD5'd?

~~~
krallin
I received an email from them - the password was included in the email, in
plaintext.

So I don't know exactly what they mean, but it's at best symmetric encryption.

~~~
Zikes
I've got an account with them under two different email addresses, and have
gone through the password change process with both. In neither case did I
receive an email with my password in it.

------
eranation
To add insult to injury, another (though less severe of course) security issue
is this - I went to the "change password" page per their recommendation, and
typed my email. Usually, security best practices say that you should not
volunteer any information to a potential attacker, e.g. don't tell the user
if an email was sent or not, as this can be used for example to eventually
construct a list of all their users' emails (although they have captcha
protection so it's not really feasible, or at least less likely at a reasonable
cost, but still, I can find out if John Doe has a Ubisoft account or not, e.g.
if I'm Joe's manager who works for a competitor, and he swore last night that
he never plays Ubisoft games, busted!).

So this is what I got from their change password screen:

"No account was found matching those entries. No email will be sent."

So I'm glad I learned that I don't have my password compromised, but I think
someone at Ubisoft needs to take web security 101 again.

P.S. Who encrypts passwords anyway? Isn't there a consensus to hash using
bcrypt / scrypt + random salt?

~~~
daeken
I'm going to speak strongly against the prevailing view in the security
community here: a forgot password email/username oracle is _not an issue_. Not
in any way, shape, or form.

Why? Because if I go to register an account with a given email or username,
it's going to tell me if that account is already registered! Unless you make
multiple accounts with a given username/email possible (please, please don't
do that), the forgot password oracle is a non-issue.

You lose absolutely nothing by saying "this email does not exist", and you
gain a tremendous amount of user friendliness.

~~~
xyzzyz
How about this: when you register an account with an already existing email,
the website returns the same message as it would if the email didn't already
exist: "The account has been created, but needs to be activated. Click on the
link in the activation email that has been sent to your email address.". Now,
the email that is actually sent says "Someone tried to create an account with
your email address. If it was you, we remind you that you already have an
account at our website". If the email does not exist, then the usual activation
email is sent.

This way, we don't leak the emails of registered users. If we use emails as
usernames, we don't leak usernames either.

~~~
shabble
This does seem like a reasonable approach, but would definitely need a rate-
limiting system/opt-out to avoid intentional activate-mail DoS to the actual
address owner.

Might also help whoever has foo@bar.com and similar, too.
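An added example (not code from the thread, from Ubisoft or from any participant) of the registration flow xyzzyz describes, with the per-address rate limit shabble asks for, applied to the password-reset form as well. The service class, the in-memory outbox and the message texts are all invented so that it runs offline.

```python
import secrets
import time

# Constant response for both forms: the text never reveals whether the
# address is registered.
GENERIC_MSG = ("Your request has been received. If it can be acted on, an "
               "email has been sent to the address you entered.")


class AccountService:
    """Invented service: registration and reset without an address oracle."""

    def __init__(self, rate_limit_seconds=600, clock=time.monotonic):
        self.users = {}       # email -> account record
        self.outbox = []      # (recipient, subject) pairs "sent" (stand-in for a mailer)
        self.last_mail = {}   # email -> time we last mailed that address
        self.rate_limit = rate_limit_seconds
        self.clock = clock    # injectable so tests can control time

    def _send(self, email, subject):
        """At most one mail per address per window (shabble's DoS concern).
        Returns True if the mail was queued, False if suppressed."""
        now = self.clock()
        last = self.last_mail.get(email)
        if last is not None and now - last < self.rate_limit:
            return False
        self.last_mail[email] = now
        self.outbox.append((email, subject))
        return True

    def register(self, email):
        """xyzzyz's flow: identical on-screen reply either way; only the
        mail delivered to the address owner differs."""
        if email in self.users:
            self._send(email, "Someone tried to create an account with your address")
        else:
            token = secrets.token_urlsafe(32)
            self.users[email] = {"activated": False, "activation_token": token}
            self._send(email, "Activate your account: " + token)
        # Caveat: equal text is not equal timing; the two branches do
        # different work, so a hardened version also equalises latency.
        return GENERIC_MSG

    def forgot_password(self, email):
        """Same treatment for the reset form in eranation's post."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.users[email]["reset_token"] = token
            self._send(email, "Reset your password: " + token)
        return GENERIC_MSG
```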

------
dansanderson
They sent a notification email to every customer asking them to change their
password. The email includes the user's current password.

I know this because I received such an email-- intended for someone else who
accidentally used my email address for their account. So not only is Ubisoft
storing raw passwords and sending them via email, they're not verifying email
addresses during account creation.

~~~
Brandon0
No way, really? According to the article they claim to "encrypt" the passwords
(they actually mean hash). Any way you could post the contents of the email
(minus the personal details)?

~~~
dclowd9901
I think he's misunderstanding the email:

>As a result, we are recommending that you change the password for your
account: dclowd9901

All I see is the plaintext representation of my username.

~~~
dansanderson
Ah, glad to have that clarified. The username in the misdelivered email I
received looked very much like an attempt at a memorable password, not a
username. Thanks!

------
jheimark
I received an email from Ubisoft and assumed I was being phished. They are not
doing a good job of fixing the problem here.

They should have a cert on the splash redirect page. I wasn't sure if ubi.com
was actually Ubisoft. Even worse, the email I got had some terrible font -
practically unreadable. Those two factors combined did not make me feel that
giving them my password is a good idea.

------
codereflection
I just got an email about this from Ubisoft, with a link to change my
password. Yet another incident to prove that unique passwords and utilities
such as RoboForm / Dashlane / Lastpass are a necessity.

~~~
eksith
As an alternative, you could GPG a text file with all passwords and use...

    hexdump -n 16 -v -e '/1 "%02X"' /dev/urandom

...as a password generator

~~~
286c8cb04bda

    openssl rand -base64 48

~~~
eksith
Ah, yes. Much shorter and more effective ;)

------
Arnor
> No personal payment information is stored with Ubisoft, meaning your
> credit/debit card information was not at risk from this intrusion.

Sure they can't read the data right off the disk, but what about a MITM? If the
intruder had access to the application server, there's a good chance the
credit card data was in memory at some point. If the data ever touches the
server memory in an unencrypted form, the intruder could have it...

------
devinegan
Ubisoft should have a look at LaunchKey
([https://launchkey.com](https://launchkey.com)) which went out of private
beta yesterday. Passwords being compromised should be a thing of the past.

------
lampe3
Can someone please make a hall of shame for all the big companies which were
hacked! I think there are quite a lot by now.

~~~
Everlag
It shouldn't be a hall of shame for companies being hacked; getting hacked is a
thing you can only mitigate, not prevent.

The shaming should be for storing your sensitive data in an insufficiently
secure manner. If a company used scrypt to hash their passwords then they
would essentially have no issue with getting hacked.

~~~
viraptor
Already there:
[http://plaintextoffenders.com/](http://plaintextoffenders.com/)

------
mordae
Yay!

