Ubisoft admits major hacking breach, advises password change

French games publisher Ubisoft has confirmed a major breach of its Uplay servers and the theft of user names, email addresses, and encrypted passwords – although it claims financial data is in a separate silo and looks safe so far. "We are recommending you to change your password," the company said in a statement. "Out of an …

COMMENTS

This topic is closed for new posts.
  1. Turtle

    What they say and what they do.

    "All this furor over DRM and security hasn't hurt the game company's bottom line at all – profits were up 73 per cent last year – but gamers seem to enjoy buying and then 'mouthing off' about games that require an internet connection to function." (Corrections indicated by italics.)

    Right?

    "As Sony has shown, there's a lot of market share to be gained by not assuming your users are pirates..."

    What sales figures are you using here?

    1. Greg J Preece

      Re: What they say and what they do.

      Well the consoles in question are still in pre-order, but...

      http://www.ibtimes.com/ps4-vs-xbox-one-nearly-80-percent-gamers-would-still-prefer-ps4-if-it-cost-500-according-poll-photo

      http://www.dailygame.net/features/ps4-pre-orders-dropping-hard-at-amazon-except-one

      Apparently the PS4 was outselling the 180 at a 2:1 ratio, until Microsoft reversed their DRM bullshit. Now Microsoft sales are on the up again and we might have an actual fight on our hands. I have far less venom for the console now than I did, I'll admit, but it's still more money for less grunt, and I can't forget that they tried this crap, even if it failed.

      1. Tom 35

        Re: What they say and what they do.

        But I expect MS will pull a Ubisoft with the DRM. Once it's been out for a while we will be reading...

        The company first trialed an always-on requirement back in 2013, but backed down over user outrage before gradually easing the DRM system back in.

      2. Anonymous Coward

        Re: What they say and what they do.

        It's running Linux / Apache so hardly a surprise it was hacked:

        http://uptime.netcraft.com/up/graph/?host=uplay.ubi.com

    2. h3

      Re: What they say and what they do.

      Sony totally does assume their users are pirates; that is why they removed OtherOS in the first place (if you want to keep your OtherOS then you cannot even independently update your Blu-ray firmware).

      I am glad I don't care about any of Ubisoft's junk games. (Even if I did I wouldn't suffer uplay).

      1. Danny 14
        Pirate

        Re: What they say and what they do.

        Actually no. OtherOS was useful but not for running games or running pirated stuff. A lot of the functionality for the core systems was locked away even with OtherOS. The problem for Sony was that people were buying scores of loss-leading hardware with no intention of ever buying games - no money for Sony. That was an issue at the time; cheap PCs were still a magnitude more expensive than a reasonably powerful PS2 with OtherOS available.

        These days a similar Raspberry et al will suffice for many of the homebrew ideas (apart from the oddball clusters people were building with PS2's)

        1. Law

          Re: What they say and what they do.

          "That was an issue at the time; cheap PCs were still a magnitude more expensive than a reasonably powerful PS2 with OtherOS available.

          These days a similar Raspberry et al will suffice for many of the homebrew ideas (apart from the oddball clusters people were building with PS2's)"

          You mean PS3's right? ;)

          Back on subject - I'll probably grab a ps4 when they drop a little in price. Don't get enough gaming time now I have kids these days to justify a full price release-day console. :(

          I'm a current 360 user, but I won't be getting an xbone.

  2. raving angry loony

    Incompetent.

    So not only did they screw up their security, but now their website doesn't accept that my browser actually accepts cookies. This AFTER leaving a cookie on my browser. Why would this stop me changing my password? Who knows, but it does. Their utter fucking incompetence continues.

  3. Anonymous Coward
    FAIL

    It gets even worse...

    If you own a PS3 and bought a Ubisoft game you'll get a nice automated setup to get into their Ubinet or whatever it's called. Totally automatic; they set everything up for you.

    Of course they somehow link your PSN account with a Ubisoft account, effectively picking up some information which is already present in your PSN account.

    So what password is being set? I don't know. What information is being used? I assume my e-mail address, but apart from that: I don't know.

    Welcome to modern gaming; where they will fuck up everything for you, no need to do anything but to click register and enter your unlock codes (otherwise you can't play the game obviously).

    So I changed my PSN password just in case, but if that somehow disrupts their ubinet or whatever crap they got then screw them.

    1. auburnman

      Re: It gets even worse...

      Are you sure you're thinking of UPlay? When I played AC3 recently the first thing that comes up is the invitation to log into or set up a UPlay account, but that step is definitely skippable. What you describe sounds a lot more like the forced Origin login EA shoehorned into Fuse* on PS3.

      *For anyone thinking of buying Fuse, don't. It's shite and you can't even launch the game (on PS3) without signing up for an Origin account as mentioned above.

  4. asdf

    >As Sony has shown, there's a lot of market share to be gained by not assuming your users are pirates

    Wow they want you to believe that now but they are still the biggest DRM patron and peddler in the world. Microsoft was just even less subtle about it and got caught.

  5. madmaxious
    FAIL

    They still don't get it

    So they have had a security breach, encrypted passwords are stolen, but you go to reset your password and they still restrict password lengths to 16 characters.

    I don't get why companies insist on applying a maximum character limit to passwords.

    1. Anonymous Coward

      Re: They still don't get it

      Hah. Every time I see a website with such a ridiculous password limit I simply assume that the developers weren't bright enough to hash the password and at the same time decided; "Hey look! Let's show how awesome we are by making the database more efficient by setting our password field to varchar(8)!"

      On a more serious note though; anyone who has even the slightest clue in basic security knows that passphrases really are the way forward.

      Inevitable XKCD reference: http://xkcd.com/936/
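
The point made in the comment above, as an added example (not part of the original thread, and not Ubisoft's code; the page does not say how Uplay stores passwords): a salted, iterated hash produces a stored record of the same size whatever the password length, so a short maximum length saves no database space. The KDF choice, iteration count, record format and the 1024-byte input bound are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for illustration; the thread does not say how Uplay
# stores passwords.
ITERATIONS = 600_000
SALT_LEN, KEY_LEN = 16, 32
MAX_INPUT_BYTES = 1024  # bounds hashing cost; unrelated to column width


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str) -> str:
    """Return a storable record: pbkdf2_sha256$iterations$salt$key."""
    raw = password.encode("utf-8")
    if not raw or len(raw) > MAX_INPUT_BYTES:
        raise ValueError("password must be 1..%d bytes" % MAX_INPUT_BYTES)
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS, dklen=KEY_LEN)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(key))


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_b64, key_b64 = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        raw = password.encode("utf-8")
        if not raw or len(raw) > MAX_INPUT_BYTES:
            return False
        got = hashlib.pbkdf2_hmac("sha256", raw, salt, int(iterations),
                                  dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    for pw in ("abc12345", "correct horse battery staple " * 4):  # constructed
        rec = hash_password(pw)
        print(len(pw), "chars ->", len(rec), "stored chars, verifies:",
              verify_password(pw, rec))
```
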

      1. Anonymous Coward

        Re: http://xkcd.com/936/

        soooo, I should change all my passwords to "correct horse battery staple" then?

    2. Putonghua73

      Re: They still don't get it

      Financial institutions are the worst (mostly). Whilst they have layers of security e.g. user identification, PIN, etc, some still insist on a password between 6-8 characters (yeah, that's right, Barclays, I'm looking at YOU!). Note: characters. Not alpha-numerical. Characters.

  6. system11

    Information sharing...

    I signed up to Xbox Live with a specific email address, that I used only there for security. The last game by Ubisoft that I actively played online was R6 Vegas 2, which came out years before I set this new email address.

    How then, do they have my XBL username and email address, and some unknown password which may or may not be my Live one?

    Thanks Microsoft. Just because I play someone's game offline, doesn't mean you should automatically send them my information.

  7. goats in pajamas

    Hmmmm.

    I binned both emails, presuming them to be phishing attempts - they listed accounts I didn't recognise the name of and seeing as I don't ever have any money, I don't use my bank card online with gaming sites.

    Added to that, the return email address looked extremely dodgy, being a string of letters some 20+ characters long.

    I tend to avoid buying games from the bigger companies these days as they've screwed them into the ground trying to control the market. The worst example being "one time activation, no selling on".

    Screw the lot of them.

    1. Gene

      Re: Hmmmm.

      I did the same, for the same reasons.

      1. mark 63 Silver badge

        Re: Hmmmm.

        I thought the same, so tried to go to their website separately to change it, which was down.

        So after some googling, genuineness was proved and I used the link

  8. wowfood

    Why can't we just

    Have a universal login system for all our shit these days. (I know why not but still) I get sick and tired of all these different usernames and all these different passwords I have floating about.

    Go to register on a forum, oh #Username is already being used, I must've signed up to this site a few years back, let's see...

    was this my password? Nope, this? Nope, thise? Nope, odd... Maybe it was this... nope, what about this one... nope. Oh I know perhaps it was this... no.... bah stupid machine! "sends forgotten password request" was my email this? No... this? no... did I use my work email? No.... OH I must have used this email "password sent"

    Why couldn't they just have some kind of single user database somewhere designed purely to store usernames and passwords in a secure manner, with an API which allows other sites to interface with it.

    That way at least when something is hacked I don't need to go around and change my password on 20 other sites "just in case"

    And yes I understand this is starting to happen with the whole "login with facebook" stuff, but I kinda wish more sites would make use of that.

    1. auburnman
      Thumb Down

      Re: Why can't we just

      Dear god please don't encourage more bloody Facebook integration in games. Or anything for that matter.

    2. Pascal Monett Silver badge

      Brilliant idea !

      Yeah ! Let's have just one single point of attack for a hacker to get everything about you, that'll make things easier for absolutely everyone (you, the hacker, organised crime and the NSA too!).

  9. Crisp
    Headmaster

    We are recommending you to change your password

    I'm not sure which is worse. Screwing up a service that customers have paid for, or the terrible grammar.

  10. Combustable Lemon

    Ergh, Ubisoft

    They've been crapping all over PC gamers for the better part of the last few years at least. Sadly, I do own lots of games made by Ubisoft.. HAWX, HAWX 2, all the Splinter Cells, a couple of Assassin's Creed games and all the Rainbow Six games since Ravenshield. Sadly of all those games HAWX, HAWX 2 and both the newest Rainbow Six games are completely rubbish. The multiplayer for HAWX (the reason I bought them) is completely and totally awful, to the extent that I can't and never have been able to actually join a server. I have the same issues with RS Vegas and Vegas 2, the co-op just flat out doesn't work. How a game can have so many problems with connectivity (even when the machine is in the DMZ, sigh) is completely beyond me. The input lag when playing HAWX normally is awful to the point of being unplayable, ever tried flying a jet in a game with about 0.75 of a second input lag between mouse and movement on the screen? It's fun for all of about 5 seconds... And this isn't just my machine, 4GHz OC i7 with a 7970HD, yeah, no.

    And now we have this hacking thing, very frikken tedious. Ubisoft have just slid from marginally better than EA in my books to being right up there with them, useless bunch of idiots. Ruining gaming as best they can. It's about time they just vanished to be honest.

  11. Tsung
    FAIL

    Ubisoft... Grrr.

    Ubisoft needs to sort out their UPlay platform. I have several accounts, not by choice but simply because it's been running for 13+ years and my email addresses change (and it isn't obvious the game bought back in 1999 uses the same uplay system as a game bought this year). Still attempting to merge all these accounts is impossible as it's 1 email address per account. Contact their support and they say they cannot do it..

    WHY NOT, IT'S YOUR FRIGGEN SYSTEM.

    So great, they now lost data for several accounts, some of which I no longer have access to the associated email address. But never mind, because I've never given them my credit card details either. I do wonder if the passwords were stored in a plain text format, I've only got their word for that (and taken they can't merge accounts I cannot trust that).

    I feel it's about time Amex, Mastercard & Visa got together and banned the storing of all credit card details on all systems. If you want to make a purchase you have to enter your card details every time. This would reduce the risk of mass credit card data loss from careless companies and prevent children from clocking up huge bills buying coconuts for their I-game.

    1. Boothy

      Re: Ubisoft... Grrr.

      Accounts should be based on a user name, not an email address.

      Email addresses as a login/user name should be banned.

      It's not like they can't still add an email address to the account during registration, or even force you to confirm it as they do now by sending a link to the address, but please don't make me have to use the email address itself to log in!

      (Same goes for MS and Win 8, let me use a username, and add my live account/s to the user. Don't force me to log in with my Live account to get the Live integrations!)

  12. Captain Scarlet
    Facepalm

    Used to it now

    Been used to it now, anything I don't really need to use day to day gets an auto generated password.

    Reset all my shop passwords as well as I doubt any shops would announce we've been hacked as no one will ever purchase anything from them ever again.
