It’s been awhile since a hack made headline news, which is itself newsworthy, given how poorly defended security experts claim too many of these systems are. But here we are again: another database with usernames and passwords ransacked, and this time the victim’s the international publisher of heavy-hitters like Assassin’s Creed, Far Cry, Rayman and all those scads of Tom Clancy’s-prefaced military shooters.
Ubisoft copped to the hack yesterday, writing in a blog security update that one of its websites had been “exploited to gain unauthorized access to some of [its] online systems.” The France-based company says it “instantly took steps” to seal the breach and began investigating “with the relevant authorities, internal and external security experts, and to start restoring the integrity of any systems that may have been compromised.” Ubisoft notes that Uplay, the company’s in-game digital distribution and multiplayer service, was not impacted — only Ubisoft’s website, though you can use your Uplay account credentials to log into the site, so I’m guessing Uplay accounts are at risk as well.
How many people were affected? Ubisoft isn’t saying, so it’s anyone guess. But the company sells tens of millions of games worldwide and has annual revenue of well over $1 billion. As you’d expect, Ubisoft can’t elaborate on the hack, saying only that it involved data being “illegally accessed” from its account database, including “usernames, email addresses and encrypted passwords” (the company adds in a FAQ that, as far as it knows, no other personal info like phone numbers or addressees was accessed).
The upside, if this counts as one, is that Ubisoft says it doesn’t store personal payment information, thus credit and debit cards were “safe from this intrusion.” For those of you wondering what Ubisoft means when it says the passwords were “encrypted,” Ubisoft says that while these were stored as a non-reversible “obfuscated value,” they “could be cracked,” especially if the chosen password was weak.
What can you do to safeguard your account? Ubisoft recommends that Ubisoft.com members change their passwords immediately (see the secure link to do so in Ubisoft’s blog post), as well as at other sites where you use the same or similar usernames and passwords. And if you have additional questions or concerns, Ubisoft has a forum thread here where it’s responding to inquiries.
A pain? Yep, especially if you’re guilty of using same/similar authentication credentials elsewhere. I know, it’s easier to remember everything if you just use one name and password for everything, but you’re flirting with disaster. A few years ago, I started tracking my passwords in one place, so I could use different usernames and obtuse passwords for every site/service. Yes, I have to check that list daily to do whatever, but it offers peace of mind, and it makes security breaches like these a snap to recover from — one name, one password change only, everything else inviolate. (Also, if you’re looking for a first-rate strong password generator, consider that base covered.)