×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ubisoft Hacked, Account Data Compromised

Soulskill posted about 10 months ago | from the another-one-bites-the-dust dept.

Security 138

Freshly Exhumed writes "There's a new security breach announcement over at the website of game publisher and developer Ubisoft today. Quoting:: 'We recently found that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close off this access, to begin a thorough investigation with relevant authorities, internal and external security experts, and to start restoring the integrity of any compromised systems. During this process, we learned that data were illegally accessed from our account database, including user names, email addresses and encrypted passwords. No personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion. As a result, we are recommending you to change your password by clicking this link.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

138 comments

should of killed the DRM system (4, Funny)

Joe_Dragon (2206452) | about 10 months ago | (#44169139)

at the same time they got in

Re:should of killed the DRM system (5, Funny)

Anonymous Coward | about 10 months ago | (#44169343)

Right, because that's how hacking works. After the bright red meter labeled "Accessing Secret Files From Gibson" filled up, they could have just pressed the glowing green button that said "Kill The DRM System". How silly of them to have missed that.

Re:should of killed the DRM system (5, Insightful)

Anonymous Coward | about 10 months ago | (#44169419)

We never had this problem when I was playing Road Rash and Screamer and Doom and Quake and Duke Nukem, because the game publishers never had any personal info of ours to lose in a security breach. You paid your cash for the game, put the CD in, installed, and played.

In the late eighties we got rid of DRM by refusing to buy software with it. Lots of companies went out of business because of DRM. All they had to do was wait for a more gullible and docile generation to come along and bring it back.

DRM is the biggest reason I stopped gaming (that, and none of the new games were as good as the old ones, even if the artwork was better). I wonder how many other customers DRM has cost these morons? Keep shooting, ubisoft, you have more feet and bullets left.

Re:should of killed the DRM system (5, Funny)

ArcadeMan (2766669) | about 10 months ago | (#44169615)

To see my reply, please enter the 3rd word of the 7th paragraph on page 12 of your game book.

Re:should of killed the DRM system (0)

gl4ss (559668) | about 10 months ago | (#44169825)

To see my reply, please enter the 3rd word of the 7th paragraph on page 12 of your game book.

well.. you just had to have the manual in your hands once or be able to call someone with the manual once. unless you upgraded the cpu/mobo.
why? who the fuck gave a shit about if the date was correct on the machine(so the game always asked the same question..).

nowadays though, a read the manual copyprotection would be a refreshing change - or even a silly usb dongle. at least you could sell it.

Re:should of killed the DRM system (2, Insightful)

TheCycoONE (913189) | about 10 months ago | (#44170181)

I guess we lived in different 80s. The way I remember it there was a random list of things to look up and they had to be entered every game. I also remember on my Commodore 64 that most commercial game disks wouldn't copy (without hacking tools to copy bad sectors etc.), and wouldn't work on drives other than the 1541 because they relied on particular idiosyncrasies in that drive to enforce their protection.

The only reason they didn't make you connect to their servers is that modems weren't common.

Re:should of killed the DRM system (1)

ArcadeMan (2766669) | about 10 months ago | (#44170547)

You had to do that every time you started the game.

note to Slashdot: why is the <strong> tag filtered out but <b> is recognized? We're in 2013, not 2003.

Re:should of killed the DRM system (1)

Khyber (864651) | about 10 months ago | (#44171449)

"note to Slashdot: why is the tag filtered out but is recognized? We're in 2013, not 2003."

It's called code optimization. Why use so many symbols and characters for a command when you can use fewer?
This is 2013, code optimization and reduction is ESSENTIAL and EFFICIENT.

Re:should of killed the DRM system (1)

Khyber (864651) | about 10 months ago | (#44171487)

"well.. you just had to have the manual in your hands once or be able to call someone with the manual once."

Wrong, The Colonel's Bequest required you to identify a fingerprint every time you loaded a game. Wolfenstein3D would ask you about things like the number of eyelets Blazkowitz's boots. Leisure Suit Larry had a type of DRM to prove you were an adult and not a teenager playing the game - by asking questions only adults of that time would know (and kids wouldn't have likely learned in history books, yet.) Where in Time is Carmen San Diego came with a specific encyclopedia reference book you absolutely needed to play the game. Ultima V had the language for the game contained within its game manual, and you weren't going anywhere fast without that.

Re:should of killed the DRM system (1)

steelfood (895457) | about 10 months ago | (#44170289)

Book? You're so 1980's.

It's now a PDF.

Re:should of killed the DRM system (1)

AK Marc (707885) | about 10 months ago | (#44170679)

Yes, I scanned mine to PDF, but had to so so at a cost, as the black ink on red would only show if you scanned it on a color scanner, and even then inconsistently. I couldn't even read the book as a human in low-light gaming conditions.

Re: should of killed the DRM system (1)

jd2112 (1535857) | about 10 months ago | (#44170857)

...and have your original game CD mounted in drive D:, (your CD drive isnt maped to D:? though s#$@.) and verify you have a working Internet connection to our authentication servers. And make sure the key dongle is plugged into a USB port. And bend over and be scanned by our full penetration rectal biometric scanner. ..

Re:should of killed the DRM system (-1)

Anonymous Coward | about 10 months ago | (#44169629)

It goes in cycles. I remember a game from EA, Deathlord, that had a good chunk of code just DRM, from varying each read parameters of every track on the disk (and this was just the save game disk), and using timing tricks on the program disk... The DRM worked... it made itself into a footnote in history.

Then Apogee and ID made shareware games, where the only DRM was a warning not to pirate it.

Now we are back with a whole list of wreckage at the side of DRM systems, and it pretty much ensures that the game is not going to be a success. Always on and requiring servers? D3 flopped. Activation? Spore flopped until it was removed.

Then there are games which had minimal DRM, other than a CD key to ensure only one copy at a time was playing. D1/WC1/WC2/WC3/D2, hits. NWN, solid seller for a very long time.

I think there is a change though. The upcoming crop of gamers are used to consoles or heavy DRM/lousy games, so they set the bar low. Consoles have allowed updates for years, so the game on the media didn't have to be release quality, just something that is early beta, to have a late beta patch on release.

*sigh* Count me with the "get off my lawn" crowd. There used to be days where if you wanted to access the entire content of a game, you opened the package. No DLC, no activation, no accounts, no constant access, no camera and mic trained on you 24/7.

Oh well.. time to see if GOG has any specials.

Re:should of killed the DRM system (4, Insightful)

g0bshiTe (596213) | about 10 months ago | (#44169785)

I for one enjoy my non-purchased DRM bypassed games!

Re:should of killed the DRM system (-1)

Anonymous Coward | about 10 months ago | (#44170159)

lol piracy is cool because software developers don't deserve to be employed because of some publisher bs
lol its cool being 14 mentally

Re:should of killed the DRM system (-1)

Anonymous Coward | about 10 months ago | (#44170347)

No, software developers should work for free and not expect to profit because profit is evil and doing things for free is noble and good and ethically sound and morally righteous

Re:should of killed the DRM system (2)

AK Marc (707885) | about 10 months ago | (#44170729)

Prison guards at Auschwitz don't deserve to be employed. Yes, when people do evil, even on someone else's orders, they are worse for it. And why does a programmer "deserve" a job? There are plenty of unemployed people who would love to have one of those "deserved" jobs.

Re:should of killed the DRM system (0)

Anonymous Coward | about 10 months ago | (#44170727)

I heard that... mid 2000's FPS are the best anyway

Re:should of killed the DRM system (0)

Anonymous Coward | about 10 months ago | (#44169603)

Should have killed the DRM system.

Re:should of killed the DRM system (2)

nigelo (30096) | about 10 months ago | (#44169871)

He only said it on accident.

Re:should of killed the DRM system (0)

Anonymous Coward | about 10 months ago | (#44170113)

You mean "by" accident, rite?

Re:should of killed the DRM system (0)

Anonymous Coward | about 10 months ago | (#44170749)

For all intensive porpoises.

Re:should of killed the DRM system (-1)

Anonymous Coward | about 10 months ago | (#44169865)

"Should HAVE killed..."

There, fixed that for you.

Re:should of killed the DRM system (0)

Anonymous Coward | about 10 months ago | (#44170677)

I hope you mean that as in "steal everyone's data and rendering the DRM system inoperable" so that all the idiots who by their purchases supported this shameless scam finally wake up and realize what they did. I've been praying since forever that this would happen to uplay, steam and ea in the same day.

The point? (0)

Anonymous Coward | about 10 months ago | (#44169147)

What's the point of encrypting the passwords if the data (names and emails) was in plain text?

Re:The point? (2)

flonker (526111) | about 10 months ago | (#44169217)

The point is to minimize the amount of information you actually have. You don't need to know the password itself, you only need to know that they know the password. So, you store just enough information to be able to check that the person attempting to log in knows the password.

Re:The point? (2)

dos1 (2950945) | about 10 months ago | (#44169291)

Hashing is not an encryption. I think that's what that comment was about, just in ambiguously sarcastic way.

Re:The point? (1)

Sir_Sri (199544) | about 10 months ago | (#44169457)

That would be a hash of the password rather than the encrypted password, although that may be what they mean and they're using sloppy language. (Encrypting it could work the same way, but then you still just have the password in another form).

I think the question was more 'why weren't usernames and e-mails encrypted' and the answer is probably that they're part of a searchable 'find friends' type database.

Re:The point? (2)

uberbrainchild (2860711) | about 10 months ago | (#44169365)

I wish they told us how they were hashed and if they used a salt so that we might get an idea of how many minutes we have to change the password on any accounts with the same password. Luckily for me though I have different pws for almost everything. Maybe this will promt them to make uplay better... I remember when I tried the Heroes game and got tired of playing once the multiplayer games stopped syncing and it became unplayable. Eh, I was just as disappointed with Sim City 5... board games tend to work most of the time though

Re:The point? (2)

Kongming (448396) | about 10 months ago | (#44170553)

While we should be able to assume that the hashes were salted, there have been other breaches in the past year in which the exposed password hashes were not salted. A quick web search turned up drupal.org and LinkedIn. Also, many other companies, like Sony, specified when they disclosed their breach that the password hashes were salted. As Ubisoft did not opt to specify and have not responded to the question anywhere as of yet, I am operating under the assumption that they did not, in fact, salt their password hashes. In 2013, any DBA should understand the importance of salting password hashes and insist on always doing so. In my opinion, any company over a certain size that not only fails to secure the contents of their account table against an attack and weren't even bothering to salt their passwords should be subject to fines and/or civil liabilities.

The point? (0)

Anonymous Coward | about 10 months ago | (#44169165)

What's the point in having encrypted passwords if the information (email addresses and names) was in plain text?

Re:The point? (1)

Chas (5144) | about 10 months ago | (#44169181)

So they have a name and an e-mail.

If they don't have the password, they have to spend a lot of time trying to crack the encrypted password. Giving the legitimate user plenty of time to change said password.

Re:The point? (0)

Anonymous Coward | about 10 months ago | (#44169315)

A lot of time reads as "in the worst case, 2 minutes with GPGPU offload and 4TB HDD with rainbow tables"

Re:The point? (3, Interesting)

Sir_Sri (199544) | about 10 months ago | (#44169533)

Plenty of time, as less than an hour after the hack occurred, for ~60% of users.

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

Re:The point? (2)

TheCycoONE (913189) | about 10 months ago | (#44170371)

Weak case: MD5 is known to be insecure (very vulnerable to collision attacks), and presuming it was secure, this unsalted list of passwords was vulnerable to a rainbow attack. Similarly a short salt is still vulnerable to a rainbow attack. I understand that bcrypt and sha512 are popular these days. I personally like my salt to be the same length as the resulting hash and of course different for each password - I think this makes a rainbow list attack as complex as the birthday attack on average.

Re:The point? (0)

Anonymous Coward | about 10 months ago | (#44170807)

Also anywhere you use that password, you should change that password - not just at the Ubisoft website.

Re:The point? (2)

BlueMonk (101716) | about 10 months ago | (#44169795)

I think there's a little bit of disconnect between the people asking this question and the people answering this question. I think the people asking the question are wondering "Why encrypt the piece of information that lets you get at the rest of the information if the rest of the information is right there plain as day?" and the people answering the question are explaining, "passwords use one way encryption so they can't easily be hacked." Yes, one important reason for encrypting the password is to allow some time for users to change their passwords before the passwords are cracked. But I think to answer the question more directly, passwords often give access to a lot more information than just what might have been compromised. Yes the cracker got a hold of a lot of un-encrypted information in this case, but if the passwords were also in plain text, they might have been able to get more information than they did. Some people use the same password for multiple sites, and some sites may store information in multiple locations so that the password could have provided access to more information than what was lost. If passwords were stored in plain text, someone would need only to be able to see the password in order to access all of a user's information, and sometimes that's easier than getting all the information that the password protects.

"This isn't phishing, really!" (0)

Anonymous Coward | about 10 months ago | (#44169191)

I'd probably delete the email on sight without knowing about it ahead of time. But should they catch those responsible,

"No, I wasn't trying to see the new games... I was really trying to connect to the WOPR!"

Re:"This isn't phishing, really!" (0)

Anonymous Coward | about 10 months ago | (#44169367)

Is there any way to send a letter warning of a compromise without it sounding like phishing? Maybe leave out the link?

Re:"This isn't phishing, really!" (2, Interesting)

Anonymous Coward | about 10 months ago | (#44169489)

Of course leave out the link. Email is plain text, not HTML.
If I get an email from somewhere I have an account, I know how to get to the site.

Re:"This isn't phishing, really!" (2)

Sir_Sri (199544) | about 10 months ago | (#44169557)

That's nearly what I did (delete it on sight). Their main page at ubisoft.com needs to have a message about this rather than just a 'under maintenance' type message.

Assume Everything is Compromised (1)

Kagato (116051) | about 10 months ago | (#44169245)

These days computers and cypto Technics are powerful enough that they will likely have a 85% success rate at resolving the hashes. Even if salted.

Re:Assume Everything is Compromised (2)

Ectospheno (724239) | about 10 months ago | (#44169295)

Which is why unique is the most important quality of a password. People that did that are yawning while they change this one password and go about their day.

Re:Assume Everything is Compromised (0)

Anonymous Coward | about 10 months ago | (#44169471)

You don't need to find the password, just something with a hash collision.

Re:Assume Everything is Compromised (0)

Anonymous Coward | about 10 months ago | (#44169511)

Woosh! I think you missed his point.

Re:Assume Everything is Compromised (0)

Anonymous Coward | about 10 months ago | (#44169859)

Yeah I got LastPass over a month ago and this is the second email I've received (first was some place called Moniker) that was a password for an account I don't even remember creating. Problem is, there was this one password that I'm positive I used on those sites, and quite a few others (like slashdot). Fortunately, I've changed all my passwords for logins I even remotely remember using to gobbledygook (the meaning, not the word itself) and have it stored in the vault.

*Yawn*.

Wish their net security was as good as their DRM.. (1)

Anonymous Coward | about 10 months ago | (#44169279)

Ironic that their DRM seems to be more secure than their servers...

Great job there, UbiSoft (4, Insightful)

Anonymous Coward | about 10 months ago | (#44169311)

I never wanted to sign up for your crappy service in the first place, but was forced to just so I could play a game I already legally purchased.

Fuck you, UbiSoft!

Re:Great job there, UbiSoft (0)

Anonymous Coward | about 10 months ago | (#44171097)

Same here, except it was for a free game that came with my GPU (which was a gift). I had to give 2 companies my email and address, and make a UbiSoft account just to play my free console port with a crappy UI. Good thing all sane account names were in use so I couldn't use anything that might match any account I have ever used. I would not make that 0$ purchase again if given the option. It was a bad deal.

Re:Great job there, UbiSoft (1)

Elijha (2805781) | about 10 months ago | (#44171175)

I had an alert from itunes that my account had downloaded a free game from an international IP on the weekend.and to reset the password if it wasn't me... I had used the same old password on both I'm pretty sure (though I setup a Ubi Soft account only as I needed to play a game years ago).

Re:Great job there, UbiSoft (0)

Anonymous Coward | about 10 months ago | (#44171561)

UbiSoft says...
No. Fuck you. You're our bitch. You know it. You didn't like our drm. but still paid us money and installed it.

how stupid are you anyway?

Seems legit. (5, Funny)

ernest.cunningham (972490) | about 10 months ago | (#44169411)

You account details have been hacked.....click this link to reset your password.
Seems legit!

Re:Seems legit. (0)

Anonymous Coward | about 10 months ago | (#44169961)

that's exactly what I thought, so I went to ubisoft directly and found the shitty looking splash page they have up that doesn't have their usual design. It seems like their whole site was wiped out or something.

Re:Seems legit. (-1)

Anonymous Coward | about 10 months ago | (#44170093)

If you're not retarded, it's pretty easy to see whether or not it's legit.

Re:Seems legit. (0)

Anonymous Coward | about 10 months ago | (#44170293)

well i see an un-encoded @ symbol, which is enough to make me think twice before clicking on it

U play (0)

Anonymous Coward | about 10 months ago | (#44169447)

... and we play U... bisoft.

Amusing.. (1)

GrBear (63712) | about 10 months ago | (#44169455)

gMail flagged Ubisoft's email as spam and potentially bogus. I wonder how many people will think it's just another phishing attempt and ignore it now.

Don't Care (1)

CanHasDIY (1672858) | about 10 months ago | (#44169463)

Only signed up with Ubi so I could play a new game I had purchased.

No important info (CC number, real name, real email) associated with the account.

Don't care.

Seriously? (0)

Anonymous Coward | about 10 months ago | (#44169465)

"You're account's compromised! Click on this totally legit link provided to you by someone you don't know to give us your login info to fix it!"

Shame on anyone who clicked the link, let alone gave the linked page your info.

Re:Seriously? (1)

bonehead (6382) | about 10 months ago | (#44169593)

Why?

It's not that hard to check where the link actually points to and determine whether it's legit or not.

Re:Seriously? (0)

Anonymous Coward | about 10 months ago | (#44169595)

The e-mails sent out were legit. Professionally presented, no stupid ass misspellings (like in your example), and the links went to ubi.com which is owned by Ubisoft.

The actual e-mail for reference (3, Insightful)

jones_supa (887896) | about 10 months ago | (#44170161)

Security update regarding your Ubisoft account
- please create a new password

Dear Member,

We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.

During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.

As a result, we are recommending that you change the password for your account: <account name>

To enter your new password, click the link below: https://secure.ubi.com/register/ResetPassword.aspx [ubi.com]?...

Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.

You can find more information here https://support.ubi.com/en-GB/FAQ.aspx?platformid=60&brandid=2030&productid=3888&faqid=kA030000000eYYxCAM [ubi.com].

For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com/ [ubi.com]

We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.

The Ubisoft team

Re:Seriously? (2)

neminem (561346) | about 10 months ago | (#44170285)

That last one is the most important.

Unlike an email sent to me a few months ago by a major credit card provider I had a card with, telling me I may have had a card theft, and asking me to click a link to confirm whether or not I had made a particular purchase. The link went to a completely gibberish link that had no obvious connection to the bank in question. It was very obviously a phish.

Turns out, nope, it was totally legitimate, that card *had* been used to make an unauthorized transaction, and that bank completely failed to understand that emails which aren't phishes, shouldn't look like phishes. Even when I submitted a complaint to them. (Their response: this is a legitimate email. My response, which they completely ignored: "I know it is. I'm telling you it doesn't *look* like one, at all, and perhaps you should fix that." Grah.)

Make a different email alias for each company (1)

ArcadeMan (2766669) | about 10 months ago | (#44169641)

I would use ubisoft@arcademan.com for this particular example.

If the company is hacked or sells your email address to spammers, just delete the alias.

Re:Make a different email alias for each company (0)

Anonymous Coward | about 10 months ago | (#44169863)

very clerver, thanks for pointing that out

Re:Make a different email alias for each company (1)

Vreejack (68778) | about 10 months ago | (#44170107)

You need to establish a valid email address to set up an account.

Re:Make a different email alias for each company (1)

Vreejack (68778) | about 10 months ago | (#44170177)

I see, you meant to use an example of a personal mail server. I was confused by the fact that your example is an unused domain.

How can I get the use of a personal mail server that will actually fool anyone? ubisoft@vreejack.mooo.com is not going to fool anyone who thinks to guess blizzard@vreejack.mooo.com, so while it will help you dodge spam, you will still have to use unique passwords, which is much of the problem.

Re:Make a different email alias for each company (1)

lgw (121541) | about 10 months ago | (#44170831)

Someone might "think to guess blizzard@vreejack.mooo.com" if they have stolen 1 password and are trying to find a use for it. If they have stolen 1 million, they're not even going to try to be clever, since most of them will work without such changes, so they already have more valid email/password pairs than they'll ever be able to use for anything.

Re:Make a different email alias for each company (0)

Anonymous Coward | about 10 months ago | (#44170201)

This neckbeard virgin likely uses a catchall at his own domain, something that isn't appropriate for 95% of internet users.

Re:Make a different email alias for each company (1)

theskipper (461997) | about 10 months ago | (#44171439)

He was talking about creating that account on your mailserver. Sneakemail or Spamgourmet serves the same purpose. As long as you don't mind your email going through a third party server, it works for most purposes. Just be sensible and don't use it for banking-type accounts.

Re:Make a different email alias for each company (1)

jones_supa (887896) | about 10 months ago | (#44170253)

If the company is hacked or sells your email address to spammers, just delete the alias.

Additionally, shame the company in public...

Another classic trick you can use is to include a plus sign and some text after your username, i.e. john.doe+ubisoft@example.com. The '+ubisoft' part is ignored when the mail is delivered, but you can still see it in the "To" field.

Customer & payment data data is stored with... (0)

Anonymous Coward | about 10 months ago | (#44169693)

b2boost

They take security ALOT more serious than most of these companies who store all the data un-encrypted!

Disclaimer: I used to manage those systems.

Why does Ubisoft need to store a password? (1)

brunes69 (86786) | about 10 months ago | (#44169763)

Why do they not use a federated identity system?

Why does ANYONE aside from some key core ID providers (Google, Microsoft, Yahoo, Facebook, OpenID, etc) need to store a password?

When are companies going to stop this madness.... no Ubisoft, I will not be giving you another password to lose thanks.

Re:Why does Ubisoft need to store a password? (2)

Imagix (695350) | about 10 months ago | (#44169873)

Because when the federated identity system gets broken in the same manner, the attacker doesn't have access to everything you use.

Re:Why does Ubisoft need to store a password? (1)

Shados (741919) | about 10 months ago | (#44170067)

Conversion rate on services that force you to create a separate account is impossibly low, unless its Facebook, and that has its own set of problems.

Core ID providers (0)

Anonymous Coward | about 10 months ago | (#44170719)

Who decides who is a "core ID provider"?

You mentioned Microsoft and Facebook but I can't imagine why either of them would be core id providers. Except for the fact that they decided to store usernames and passwords, and then lots of people ended up happening to use their system, which they leveraged into being able to say they're popular enough to be a core id provider.

Seriously, if Facebook is allowed to do it, then you have zero cause to say Ubisoft couldn't do it.

Re:Why does Ubisoft need to store a password? (0)

Anonymous Coward | about 10 months ago | (#44170733)

I already have a federated identity system. It's federated through 1Password, which I keep a backup of on the cloud. The Cloud is a flash stick in the shape of a cumulonimbus head.

Password reset link for someone else's account (1)

BerkeleyDude (827776) | about 10 months ago | (#44169919)

I received the email - but I've never had a Ubisoft account. They sent me a password reset link for some other user's account. No wonder they got hacked...

What Ubisoft Does Best (4, Interesting)

Somebody Is Using My (985418) | about 10 months ago | (#44169945)

Attempting to log-onto their website, I get the following warning:

For security reasons we recommend that you change your password

and a link to change the password.

Interestingly, there is no option to log-on /without/ changing the password. "Recommend" apparently means "you have no choice" in UbiSpeak.

Unfortunately, since the email address I used to register the account is no longer active, and there is no option to update the email address (since I can't log-on at all) I guess I'm screwed (silly me for not keeping my info up to date on a service I had little interest in joining except that it was forced on me to play a game I had legally purchased).

So, I guess it's par for the course for you guys at Ubisoft; you've screwed me over again. Great job, guys; first you force me to sign up to UPlay in the first place, then you screw up by leaking the log-in info all over the net and now you prevent me from changing my password. Maybe you can block access to the games I paid for as well just to round out the whole experience.

Re:What Ubisoft Does Best (1)

FlynnMP3 (33498) | about 10 months ago | (#44170157)

Maybe you can block access to the games I paid for as well just to round out the whole experience.

For a complete and positive gaming experience, your wish has been granted.

Joking aside, look closer at the account maintenance terms. There may be an option to completely reset or get rid of the account. Then you can at your option start with new login details. This time make a unique email alias just for UPlay and bogus, but plausible, user details that for all you care can be leaked or broken into. I've also gone as far as having a unique credit card just for online gaming service accounts that insist on credit card payments and storage. A different one for each service - limit of $100. True it's a pain in the ass to setup, but if it gets hacked I don't have enough into to even care what happens.

Re:What Ubisoft Does Best (1)

RollingThunder (88952) | about 10 months ago | (#44170529)

Their site is pretty clearly in "oh SHIT" mode right now, stripped down to barest minimums. I would hope that once things settle down and the more feature-rich site returns, you'll be able to do a recovery along the lines of what you could previously. However, if you didn't set up any other alternative methods of recovery (I can't remember if they had secret questions, etc), then you may be out of luck. Perhaps the returned site will let you log in with the old password and then force the change.

Cookie requirement? C'mon guys. (4, Interesting)

Xzzy (111297) | about 10 months ago | (#44170275)

I like how their website tosses up an error saying I "need to enable cookies" even though I do in fact have cookies turned on. Only thing I am blocking is their attempts to track me by including google analytics.. I can use their password change just fine if I use an incognito window (which temporarily disables my plugins).

I suppose the original fault lies with me for creating an account with these goofballs.

Re:Cookie requirement? C'mon guys. (1)

theskipper (461997) | about 10 months ago | (#44171497)

Was wondering about that the other day. I get that message on a lot of sites when I have third-party cookies turned off (usually always), your mention of GA seems related. Guess it's simply a misnomer.

UbiSoft Hacked (0)

Anonymous Coward | about 10 months ago | (#44170511)

FREE GAMES!!!!!!!!!

Cookies? (1)

ubrgeek (679399) | about 10 months ago | (#44171069)

You have to accept their site cookies when trying to change your password. Cookies from a site belonging to a compromised system rubs me the wrong way for some reason.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...