It’s all over the news that Ubisoft got hacked, and I’m sure that a lot of people are sitting back wondering just what the effects of this hack are, and how it affects them.
To sum things up, below is the content of one of the “Password Reset” e-mails that Ubisoft sent out yesterday.
“We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.
During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.
As a result, we are recommending that you change the password for your account: <your name here>
To enter your new password, click the link below: <removed>
Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.
You can find more information here <removed>
For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com
We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.
The Ubisoft team”
So your credit/debit card information may be safe, as Ubisoft don’t store this information (thankfully!), but the important part of the e-mail is the line that states:
“Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.”
If, like many millions of people out on the Internet, you’ve used the same password on other web sites, then when the hackers eventually crack the encrypted passwords, they will have your e-mail address and password. Imagine the damage they could cause to your life through websites like Facebook, Twitter, LinkedIn, PayPal, Amazon, eBay; the list goes on and on.
It’s never about attacking a single web site. Until people learn that using the same password all over the Internet is not a good idea, this will unfortunately never change.
If you have a Ubisoft account, even if you only use it for gaming, go and immediately change your passwords on any other web sites where you’ve used the same password. Just because this data was stolen recently, it doesn’t mean that it will all be used any time soon. You may only notice someone else logging into one or more of your accounts a year down the line. While you’re changing those passwords, it may be a good time to make sure that you’re not reusing a different “same” password across multiple other web sites or applications.
Unfortunately, a lot of the time attacks such as these can be prevented with proper security measures and regular “real world” penetration tests. We always advise our clients to conduct penetration testing on a regular basis, and always before launching any new Internet-facing services or web sites. We also always advise our clients to maintain a strong Password Policy.