Some of the online forums maintained by Epic Games, the video game development company behind the Unreal Engine technology and games based on it, have been hacked and their user databases compromised.
According to ZDNet, the hack was executed on August 11, and the (unidentified) attacker made off with user info of over 800,000 forum contributors.
“We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset,” Epic Games’ staff confirmed.
The team behind breach notification site LeakedSource.com, who got their hands on the leaked data, says that it contains usernames, hashed and salted passwords, email addresses, IP addresses, birthdates, join dates, full post and comment history, as well as Facebook access tokens for those users who chose to log in via their Facebook account.
The attacker apparently leveraged a SQL injection vulnerability in the outdated vBulletin forum software used by the company to dump the databases’ contents.
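The pattern behind a database-dumping SQL injection is query text assembled from untrusted input, and the fix is to let the driver bind values as parameters. The following is an added illustration written for this article, not vBulletin's code and not connected to the breach; it uses an in-memory SQLite table with constructed sample rows and a hypothetical forum-style user lookup to show why the concatenated query leaks every row while the parameterized one returns nothing for the same input.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory sample table (not data from the breached forums)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.invalid"),
            ("bob", "bob@example.invalid"),
            ("carol", "carol@example.invalid"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: untrusted input is spliced into the SQL text.

    A quote character in the input closes the string literal, so the rest of
    the input becomes part of the query's logic rather than a value.
    """
    sql = "SELECT username, email FROM user WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the driver binds the value as a parameter.

    The query structure is fixed before any input is seen; whatever the input
    contains, it is compared as data and cannot change the WHERE clause.
    """
    sql = "SELECT username, email FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(probe="x' OR '1'='1"):
    """Run the same input through both lookups and report the row counts."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "safe_rows": len(lookup_safe(conn, probe)),
        "safe_rows_for_real_user": len(lookup_safe(conn, "alice")),
    }


if __name__ == "__main__":
    print(compare())
```

The input here is the textbook tautology probe; with the vulnerable lookup it matches all three rows, which is the same mechanism, scaled up, that lets an outdated forum have its whole user table read out. The parameterized version returns zero rows for that input and exactly one for a genuine username, which is what a code review or vulnerability assessment should be checking for in any web-facing service, forums included.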
Epic Games also noted that they believed that their legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums have also been hacked.
“If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password,” they advised.
As I write this, the affected forums are still offline, in “Maintenance Mode,” despite the company claiming otherwise.
This is the second time in a little over a year that some Epic Games forums have been hacked. An outdated vBulletin installation was apparently also to blame for that hack.
“Yet again a gaming giant has fallen foul of using outdated, vulnerable software, and it has cost hundreds of thousands of fans their personal details. Just like the Dota 2 forum breach earlier this month, which exploited the same vBulletin vulnerability, this hack serves as a reminder that organisations need to both understand and review the security of all the services they provide, even if they sit outside the traditional IT purview,” Thomas Fischer, Threat Researcher & Global Security Advocate at Digital Guardian, commented for Help Net Security.
“For Epic Games, facilitating discussion around its games through online forums is an essential part of building a fan community. However, as these forums are live, and potentially run by business units independent of the IT or security team, they are often left out of security audits. This means that forums often do not have the same layers of protection as the organisation’s core IT infrastructure, and the fact that a forum is using vulnerable software can be missed,” he pointed out.
“Herein lies the issue, and we reaffirm it every time an account database breach of this magnitude happens. The problem is exacerbated by the fact that many users of these services have the same passwords and account details across other systems.”
Ryan O’Leary, VP Threat Research Centre at WhiteHat Security, says that SQL injection is a really easy avenue for hackers to steal personal information on a large scale from vulnerable databases.
“The SQL vulnerability is one of the very first skills you learn when trying to attack a site, because of the prevalence of the flaw and ease of exploitation. Our research has found that around six per cent of websites have at least one such SQLi flaw,” he added.
“Six per cent may not seem like a large proportion, but when you think of it as six out of every 100 websites you use that have this particularly nasty flaw, it suddenly seems a staggeringly large amount. Companies need to run a thorough vulnerability assessment and fix these serious, yet easy-to-exploit, vulnerabilities.”