Epic Games forums hacked again: Over 800,000 gamers put at risk

in #security, 8 years ago (edited)

More than 800,000 usernames, email addresses, and birth dates are thought to have been stolen by hackers from online forums run by Epic Games.
Epic, famed for developing popular games such as Unreal Tournament, Gears of War and Infinity Blade, are thought to have had members of their message boards exposed by hackers exploiting a known vulnerability in an out-of-date version of the vBulletin forum software.
As a consequence, not only has personal information about individual members been put at risk, but also, as ZDNet reports, “their full history of posts and comments including private messages, and other user activity data.”
Over half a million of the breached accounts are thought to come just from the Unreal Engine’s forums.
A statement about the data breach was published on the Unreal Engine forum website:

“We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.

“Also, we believe a compromise of our legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums revealed email addresses, salted hashed passwords and other data entered into the forums. If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password. We don’t believe that other Epic related forums were affected, including Paragon, Fortnite, Shadow Complex, and SpyJinx. We apologize for the inconvenience this causes everyone and we’ll provide updates as we learn more.”

While it must be taken as some relief to hear that passwords do not appear to have been compromised in the breach of the Unreal Engine and Unreal Tournament forums, there are still plenty of ways in which malicious attackers could exploit the stolen information – including sending bogus messages to members’ email addresses, using carefully-crafted social engineering to dupe the unwary.

Furthermore, from the sound of things, players of Infinity Blade, UDK, earlier Unreal Tournament games, and Gears of War may not have been so fortunate password-wise, and would be smart to ensure that they are not reusing passwords on multiple sites. Embarrassingly for Epic Games, it has been little more than a year since its online forums last suffered a major hack.

The problem is the same now as it was then. Epic’s forums are running a woefully out-of-date version of the vBulletin software, with SQL injection vulnerabilities which malicious hackers are able to exploit in order to steal information.
It would be nice to think that Epic Games learnt from its bad experience last year and would have been more vigilant in keeping vBulletin patched and updated, or switched to a forum platform that was less riddled with security problems.

Unfortunately, that simply doesn’t seem to have happened. Which means it’s up to gamers to try their hardest to defend themselves. Your first step should obviously be to use unique, hard-to-crack passwords for every account that you use online. That helps protect you from password reuse attacks.
But what we really need is for more companies to stop daydreaming themselves into breaches, and wake up and smell the coffee.
If you can’t demonstrate that you are putting the right measures in place to protect your users, such as keeping forum software updated to defend against the latest vulnerabilities exploited by malicious hackers, don’t be surprised if your users ultimately take their custom elsewhere.


Excellent to know, thank you. I'm not an active member on the forums but I have posted to them before, I do work with the Unreal Engine though. Is it connected to Epic's desktop launcher? I'm curious what the true extent of this is, guess only time will tell.

The extent actually is not known, but what is known for sure is that the 800k accounts' info is out.

Knowing how people tend to use the same password across different accounts, this can lead to security issues if, for example, the user's password is part of a previously hacked web site (madison). By linking both email addresses they can gain access to his Epic Games account.

This is just an example, and hackers have always been very creative in finding ways to abuse systems/accounts.

Very good article, thanks for the info.

Indeed, I wasn't aware of such a hack. Thanks for the details.
