Ubisoft Urges Customers To Change Password After Security Breach

Video game publisher and developer Ubisoft revealed Tuesday it discovered a massive data breach of its systems that exposed customer data, including account credentials tied to millions of its users. The breach is part of longstanding and widespread attack campaigns to steal account credentials, security experts told CRN.

The passwords were encrypted, Gary Steinman, communications manager at Ubisoft, wrote in a company blog post announcing the breach. As a precautionary measure, the firm, which has approximately 58 million users, reset user accounts and sent emails to users urging them to choose another password, according to the July 2 post, which also noted that no credit or debit card information had been compromised.

"It's important to note that no personal payment information is stored with Ubisoft, so fortunately all credit/debit card information was safe from this intrusion," Steinman wrote.

[Related: Microsoft To Fix Critical Errors, Windows Zero-Day Flaw ]

Ubisoft did not respond to CRN's request for comment. The company released an FAQ Wednesday informing users about the breach; however, for security reasons, no specifics could be stated, according to the FAQ.

"At the end of the day, [cybercriminals] are trying to make money and to take that simpler route to get customer data," said George Tubin, senior security strategist of Boston-based security firm Trusteer.

The Ubisoft breach is one in a lengthy line of data security breaches that involve stolen usernames and passwords. Last year, hackers stole more than 6 million LinkedIn customer passwords that were hashed but not salted, making it easier for attackers to crack the protection with automated tools. In April, LivingSocial, an online shopping deals site with 50 million customers, announced a data security breach exposing millions of its customer passwords. In the following months, social networking company Twitter and cloud storage service provider Evernote were also forced to reset user passwords following data security breaches.

Tubin said the reason for the more frequent attacks is due to the ease with which hackers can capture a user's account credentials.

"It's really not difficult to do. Especially where there is combined personal information, it becomes particularly more sensitive," said Tubin.

Account credential data breaches can be detrimental to people who reuse passwords for multiple accounts or have similar passwords to other accounts, said Wade Williamson, security analyst of Palo Alto Networks, a Santa Clara, Calif.-based network security company.

"From the end-users perspective, there is more of a concern about using a similar password on the Internet," Williamson said. "If you do what a lot of us do and reuse similar themed passwords, things can get dicey. You will have to go out and have to change many passwords for accounts."

While businesses can use hashing to protect data, a process known as "salting" makes cracking passwords more difficult. Salting is essentially attaching a series of random digits to the end of each hashed password.

NEXT: Salting, Hashing Not Enough Protection

Joshua Corman, director of security intelligence at Akamai Technologies, a Cambridge, Mass., Internet content delivery network company, believes salting and hashing should be a requirement for most businesses because it is a security best practice. But, even hashing and salting isn't a silver bullet, Corman said.

"Given compute powers, these methods aren't fool proof, and the consumer can only do so much to limit their exposure," Corman said.

Having a strong password as well as a different password for various accounts help boost security, but Corman advises people consider using different email addresses for more sensitive accounts, such as those at banks and other financial firms.

"It's often intelligent to use different email addresses for different levels of sensitivity of accounts," said Corman. "While you cannot control the operational security password, as you give your email and password, you can control what you can give to [companies] in the first place."

In addition to better password protections, Ubisoft and other businesses need to take measures to better protect Web applications and monitor Internet-facing systems to detect suspicious activity, Palo Alto Networks' Williamson said.

"The only thing that will be preventative is better security on the front end," said Williamson. "Ubisoft was hacked through their public sites, and there was some vulnerability in one of their Internet-facing sites."

Breaches are inevitable, Corman said, adding that businesses need to use security incidents to advocate for stronger security measures.

"These kinds of failures are fairly common, and it's better to treat these as catalysts to improve on the supplier and end-user side instead of looking to block or shame the company," said Corman. "Everybody can have operational security failures but it's better to treat them as a chance and nudge to make improvements."

PUBLISHED JULY 8, 2013