Security Update for all Ubisoft Account Holders

 
We recently discovered that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close this off and to begin a thorough investigation with the relevant authorities, internal and external security experts, and to start restoring the integrity of any systems that may have been compromised.

During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. It’s important to note that no personal payment information is stored with Ubisoft, so fortunately all credit/debit card information was safe from this intrusion.

As a result, we are recommending that everyone with a Ubisoft account changes their password. You can do so by clicking the link here.

We would also recommend that you change your password on any other Web site or service where you use the same or a similar password to help ensure the safety of your personal information.

Additional information is available in the form of a Q&A below. An official forum thread has also been created here for you to post any questions you may have. In addition, our community teams are available to offer support and any further assistance that you might need.

We sincerely apologize for any inconvenience that this may cause and we would like to thank you for your understanding.

Questions & Answers

 
What can I do to secure my account?

We are recommending that all our users change their passwords. Passwords can be changed by clicking this link. We also recommend that you change your password on any other Web site or service where you use the same or a similar password. Please note that no personal payment information is stored with Ubisoft, meaning your payment details were not at risk from this intrusion.

How did this happen? Which website was exploited? Where did it come from?

Credentials were stolen and used to illegally access our online network. We can’t go into specifics for security reasons.

Has any of my personal data been compromised?

The intruder was able to access account data including user names, email addresses and encrypted passwords. To our knowledge, no other personal information (phone numbers, physical addresses, etc.) was accessed. No personal payment information is stored with Ubisoft, meaning your credit/debit card information was not at risk from this intrusion.

What is an encrypted password?

Passwords are not stored in clear-text but as an obfuscated value. These cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending that our users change their password.
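As an added illustration (not Ubisoft's code; the notice does not say which scheme was used), the Python sketch below assumes two storage schemes, unsalted SHA-1 and per-account salted PBKDF2-HMAC-SHA256, with constructed accounts and a constructed list of common passwords. It shows why a weak password can be found by guessing under either scheme while a strong one is not, and how a salt and a slow function raise the cost of each guess.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny list of common passwords and three accounts.
COMMON = ["123456", "password", "qwerty", "letmein"]
USERS = {"alice": "password", "bob": "password", "carol": "T7#vq-Lr9!mZe2"}
ITERATIONS = 100_000  # assumed work factor for this example

def store_unsalted(password):
    """Fast unsalted digest: the same password always gives the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted(password):
    """Random 16-byte salt per account plus a deliberately slow KDF."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_salted(password, record):
    """Recompute the KDF with the account's salt and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)

def audit_unsalted(db):
    """One precomputed table is reused against every account in the database."""
    table = {store_unsalted(p): p for p in COMMON}
    return {user: table[h] for user, h in db.items() if h in table}

def audit_salted(db):
    """Each guess must be recomputed per account; returns (hits, KDF calls made)."""
    hits, calls = {}, 0
    for user, record in db.items():
        for guess in COMMON:
            calls += 1
            if verify_salted(guess, record):
                hits[user] = guess
                break
    return hits, calls

unsalted_db = {u: store_unsalted(p) for u, p in USERS.items()}
salted_db = {u: store_salted(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted, same password, same digest:", unsalted_db["alice"] == unsalted_db["bob"])
    print("salted, same password, same digest:", salted_db["alice"][1] == salted_db["bob"][1])
    print("weak accounts (unsalted):", audit_unsalted(unsalted_db))
    print("weak accounts (salted):", audit_salted(salted_db))
```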

Has any of my financial data been compromised?

No personal payment information is stored with Ubisoft, meaning your credit/debit card information was not at risk from this intrusion.

Which measures did you take following this incident?

We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to restore the integrity of any compromised systems.

Do you plan to take additional security measures in the future? Is there a risk of this happening again?

Ubisoft’s security teams are exploring all available means to expand and strengthen our security measures in order to better protect our customers. Unfortunately, no company or organization is completely immune to these kinds of criminal attacks.

Is it related to other recent hacks faced by other gaming companies?

There is no evidence that this intrusion is related to any other game company’s previous security incidents.

Was it Uplay that was hacked? Were its servers hacked?

No, the attack did not originate via any Uplay services; the intrusion targeted some of our online systems.

Have other Ubisoft systems been affected? Will your games’ online stability be affected by the attack?

We instantly began working to restore the integrity of any compromised systems and are continuing to investigate the incident. The uptime and stability of our games’ online services were not affected by this intrusion.

the author

Gary Steinman has won numerous editorial awards, but you probably don’t care about that. He also ran multiple industry leading publications and websites including PlayStation: The Official Magazine, GamesRadar.com, PC Gamer and Newtype USA – but that’s all in the past. The real truth about Gary? He loves cats, he takes too many selfies on Facebook (according to one co-worker, at least), and he occasionally crochets. And now he’s helping share stories about Ubisoft’s amazing games and their incredible creators in his role overseeing the UbiBlog and other select Ubisoft social channels. Follow him on Twitter: @GarySteinman

26 comments
mmg map for ets2

I got what you mean, appreciate it for putting up. Woh I am pleased to find this website through google. "Spare no expense to make everything as economical as possible." by Samuel Goldwyn.

yousef

can you tell me all security account

Alan.W

Ok maybe I'm going out on a limb here, but just before this announcement my debit card got a couple of unauthorized transactions. Got a call from my bank today.

I'm extremely careful with my info and I've never fallen prey to a phishing email or internet scam. Seems a little too convenient for my debit card info to go out into the world mere hours after this hack.

hms

I seriously doubt they had any better protection on passwords than any other site hacks have had, so if they say passwords were taken, change your password here and any other place you use this pw.

UPlay & Greedy Assassins got pwned, haha

bupisoft fix the site, I want/need to delete my useless Far Cry ubi account.

Paul

What if my Email Address has changed?

Securitah

If you stored passwords in MD5 or SHA1 hashes only, then all passwords equal to or less than 9 characters will be immediately cracked by anyone with access to rainbow tables (such as freerainbowtables.com) - this is REGARDLESS of password complexity. If your hashes were salted, it'd be nice to know how big the salt is; it doesn't stop anyone cracking the passwords, it will just slow them down as they have to re-calculate their rainbow tables to incorporate the salt into the hash values. I too would like more info on how the passwords were stored.

Christian Sinding Nellemann

On top of your losing the credentials you committed *another* security blunder in the way you allow users to change the password without entering the old one. First off, the accounts can then be commandeered using only that email - which was probably sent insecurely - and secondly, you did not allow users to find out what their old password was. So users have no way of knowing *which* password has been leaked. Well done. It also seems that you've known about the problem since the 28th where this cached post was authored:

http://cc.bingj.com/cache.aspx?q=Answer+ID+000017480+|+6%2f28%2f2013+10%3a30%3a23+AM+&d=27023807909856464&mkt=da-DK&setlang=en-US&w=XJZSoy6znaeAhl889XYxaOcI7QAsLz1O

But not acted on it for a few days, allowing more damage to be done to the users with the weakest credentials.

Mark

Ubisoft, ignore the haters here, you communicated everything clearly. Thumbs up, especially for the emails that were sent out. Good luck with the investigation.

Pascal

Thanks a lot for losing my mail address. How would you like it to get spam messages every day after a break in at ubisoft?!?!

badass007

Still cannot enter UBISOFT store or UPLAY with new password.

Terrance

You need to share with users HOW you protected their passwords. Did you use a SALT? Did you use MD5? SHA1? Something better? Just posting a bulletin like this isn't thorough enough because your users need to understand the likelihood of their passwords being recovered or as you say, cracked.

Kelvin

You guys are kidding me!!! In this digital age and the fact of new DRM or verification policies, which make us register said accounts, you guys go and lose all our digital information. As much as I love your game series, what's the point if I have to keep looking over my shoulder when you lose "credentials" again. How about also automatically changing our passwords for us, with re-authentication via emails. A lot of us are overseas and don't have access sometimes to a stable internet connection.

George

I have to say that I really appreciate that Ubisoft sent an email to all users to inform us about the situation. One would think this is a no-brainer but when there was a security leak on the steam side some time ago I never got any message from Valve and I only read about it from a gaming news website I regularly visit. These things unfortunately happen from time to time and it is a company obligation to inform their customers immediately. So thumbs up from me Ubisoft.

Paul T

Hey! Why not make games playable without the need for associated accounts? It always worked in the past - Ubisoft were behind UT weren't they? I don't recall the need for a password back in those days, but I suppose if you're wanting to flog DLC etc rather than let users make their own content then this is the sort of thing that happens. As a paying customer (for hard-copies bought via Amazon, Play etc) I have seen no positive benefit whatsoever to me in this need to have me log in; just the opportunity for the system to lose my save games, lock me out when authentication servers are off-line, or allow someone to steal my details; that and games with a limited life-span.

Guillaume Ross

You just repeated the post which has almost no info.

I assume it's hashed (can't be reversed). Is it md5? Sha1? Salted or not?

Users deserve more information to know how likely it is their password is to be cracked.

Guillaume Ross

Can you give us some details on how the passwords were encrypted? Or hashed?

Frank

Will you make it so that we can use a password longer than 16 characters so it can be stronger?

Karan

When can I play HAWX 2 again?

Or when will it be done?

Tony

Thanks for letting us all know, I appreciate it, God bless :)

Gary Steinman | Communications Manager

Passwords are not stored in clear-text but as an obfuscated value. These cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending that our users change their password.

Gary Steinman | Communications Manager

We recommend you build a strong password using a combination of letters (small & caps), numbers and symbols. When you create a password, the site lets you know how strong it is.

Dirk Reske

How are the passwords "obfuscated"? Some more technical information please!

The users have a right to know how securely their data is stored.