Video game publisher and developer Ubisoft revealed Tuesday it discovered a massive data breach of its systems that exposed customer data, including account credentials tied to millions of its users. The breach is part of longstanding and widespread attack campaigns to steal account credentials, security experts told CRN.
The passwords were encrypted, Gary Steinman, communications manager at Ubisoft, wrote in a company blog post announcing the breach. As a precautionary measure, the firm, which has approximately 58 million users, reset user accounts and sent emails to users urging them to choose another password, according to the July 2 post, which also noted that no credit or debit card information had been compromised.
"It's important to note that no personal payment information is stored with Ubisoft, so fortunately all credit/debit card information was safe from this intrusion," Steinman wrote.
Ubisoft did not respond to CRN's request for comment. The company released an FAQ Wednesday informing users about the breach; however, for security reasons, no specifics could be stated, according to the FAQ.
"At the end of the day, [cybercriminals] are trying to make money and to take that simpler route to get customer data," said George Tubin, senior security strategist of Boston-based security firm Trusteer.
The Ubisoft breach is one in a lengthy line of data security breaches that involve stolen usernames and passwords. Last year, hackers stole more than 6 million LinkedIn customer passwords that were hashed but not salted, making it easier for attackers to crack the protection with automated tools. In April, LivingSocial, an online shopping deals site with 50 million customers, announced a data security breach exposing millions of its customer passwords. In the following months, social networking company Twitter and cloud storage service provider Evernote were also forced to reset user passwords following data security breaches.
Tubin said the reason for the more frequent attacks is due to the ease with which hackers can capture a user's account credentials.
"It's really not difficult to do. Especially where there is combined personal information, it becomes particularly more sensitive," said Tubin.
Account credential data breaches can be detrimental to people who reuse passwords for multiple accounts or have similar passwords to other accounts, said Wade Williamson, security analyst of Palo Alto Networks, a Santa Clara, Calif.-based network security company.
"From the end-users perspective, there is more of a concern about using a similar password on the Internet," Williamson said. "If you do what a lot of us do and reuse similar themed passwords, things can get dicey. You will have to go out and have to change many passwords for accounts."
While businesses can use hashing to protect data, a process known as "salting" makes cracking passwords more difficult. Salting is essentially attaching a series of random digits to the end of each hashed password.
NEXT: Salting, Hashing Not Enough Protection