The video game publishing company Ubisoft is urging its users to create new passwords after announcing late last week on a support forum that attackers exploited a vulnerability in one of the company’s websites to gain unauthorized access to some of their online systems.
The attackers compromised Ubisoft’s account database and the company claims that usernames, email addresses, and encrypted passwords were among the stolen data. Ubisoft is assuring its users that credit and debit card and other personal payment information are stored by a third party and were not affected by the breach.
“To our knowledge,” Ubisoft said in a statement, “no other personal information (phone numbers, physical addresses etc. was accessed). No personal payment information is stored with Ubisoft, meaning your credit/debit card information was not at risk from this intrusion.”
Despite the fact that Ubisoft stored customer passwords in an encrypted format that would prove difficult but not impossible to break, the company advises that users not only change their Ubisoft passwords, but that they also perform a password reset for any services on which they are using the same or even a similar password.
Ubisoft did not divulge any of the details of the attack other than that an attacker accessed their network with stolen credentials.
The company went on to claim that it immediately took steps to shut down the compromised system after discovering it, and that they have launched “a thorough investigation with relevant authorities” and other security experts and that they are working to restore the integrity of any compromised systems.
Over the last few years there has been a steady stream of gaming-related data breaches and cyberattacks. Most notably there was the enormous PlayStation Network breach that occurred in spring 2011 and affected some 100 million customers. We were still writing about the PSN’s woes in January of this year when the United Kingdom fined Sony some $400,000 for mishandling user data. The gaming company Blizzard found itself on the wrong end of a class-action suit after attackers stole email addresses, hashed passwords and other information from that company’s servers. More recently attackers compromised the forum and game database belonging to The War Z, a massively multiplayer online game and played some less nefarious tricks on Borderlands 2 players.