800,000 Gamers’ Credentials at Risk after Epic Games Forums Breach
Usernames, passwords, email addresses, IP addresses, birthdates and even private messages and posts of over 800,000 Unreal Engine and Unreal Tournament forum accounts are at risk following a breach of the forums' developer and maker, Epic Games.
A massive breach targeting famed game developer Epic Games has compromised over 808,000 user accounts from the Unreal Engine and Unreal Tournament forums. The game-maker, popularly known for developing games such as Gears of War and Unreal Tournament among others, insisted that no passwords were compromised on its Unreal forums.
However, accounts active since July 2015 on older gaming forums including Gears of War, Infinity Blade, and other legacy Unreal Tournament titles have had their salted passwords breached. Citing this, the game developer recommends that users change their passwords on other websites if the same password was used on its breached forums.
The unknown hacker(s) carried out the breach by exploiting a known SQL injection vulnerability in older vBulletin forum software.
A statement from Epic Games read:
While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.
Among other details, the hacker also stole Facebook access tokens from users who signed in with their social media accounts, ZDNet revealed. The publication also cited a member of breach notification website LeakedSource, which claims to have obtained a copy of the database and estimates that the attack was carried out on August 11.
Furthermore, user passwords were discovered to be scrambled in a way that differs from most techniques, making them harder to crack. The publication also cited the LeakedSource member as saying that the database’s source code will have to be examined further before any insight into the password scrambling algorithm can be offered.
Epic Games has suffered a targeted breach of its forums before. Last year, the developer even took the drastic measure of taking all of its forums offline, following a comprehensive breach of its gaming forums.