Epic Games is warning users of a breach that impacts 800,000 user accounts tied to the company’s online forums. On Monday, the game developer temporarily shut down many of its forums and advised users to change passwords on any accounts that shared the same credentials for some of its forums.
Epic Games said the breach is tied to Unreal Engine and Unreal Tournament forums and that the data stolen included email addresses and “other data entered into the forums.” Data was stolen from the company’s vBulletin account databases and, according to Epic Games, did not include “passwords in any form, neither salted, hashed, nor plaintext,” according to a statement posted by the company.
“While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset,” Epic Games wrote.
On Monday, Epic Games also reported a more serious breach impacting the game forums for Infinity Blade, UDK, previous Unreal Tournament games, and Gears of War. With these breaches, the hackers gained access to email addresses, salted hashed passwords and other data associated with those forums.
Epic Games is urging those forum users to secure credentials, and especially be wary of password reuse. “If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password,” Epic Games advises.
Not impacted, according to Epic Games, are forums for the games Paragon, Fortnite, Shadow Complex, and SpyJinx.
We have placed our forums in maintenance mode while we investigate the recent compromise.
— Epic Games (@EpicGames) August 23, 2016
In a Tweet Epic Games alerted its users late Monday: “We have placed our forums in maintenance mode while we investigate the recent compromise.”
Security expert Deral Heiland, research lead at Rapid7, said the hack is tied to known SQL injection vulnerabilities. Heiland said the Epic Games forum hack is the latest in a long string of forum hacks tied to the use of outdated and unpatched vBulletin forum software.
Epic Games would not confirm to Threatpost the root of the attack.
“This breach is another reminder that SQL injection – which has been around since 1998 – doesn’t appear to be going away anytime soon. Current reporting of this event indicates that vBulletin forum software was still in use with a known SQLi vulnerability,” Heiland wrote a statement regarding the Epic Games breach.
The breach is similar to other SQL injection vulnerabilities found in content management system Joomla, SAP’s HANA in-memory management system and more recently in Oracle’s EBusiness Suite 11i.
Heiland advises any Epic Game user to change their passwords in light of the forum breaches. “Although Epic claims that most of the password hashes are not easily cracked, it’s important for users to remember that with motivation and time nothing is impossible. In addition to passwords, potentially, attackers could have email addresses and private messages at their fingertips,” he said.
In its statement issued Monday Epic Games wrote: “We apologize for the inconvenience this causes everyone and we’ll provide updates as we learn more.”