Video game development company Ubisoft posted an article earlier today on its support site saying that one of its systems was compromised and that gamers' usernames, email addresses and encrypted passwords were stolen. There's also a blog post with some FAQs and more info here.
Ubisoft is known for such popular video gaming franchises as the Assassin's Creed and Splinter Cell series.
They claim that they do not store any transaction, credit card or other personal payment information in their systems, which, as our favorite home, cooking and decorating maven Martha Stewart likes to say, is a "good thing".
It's not known how the attacker or attackers got in, but Ubisoft did say:
"Credentials were stolen and used to illegally access our online network. We can't go into specifics for security reasons."
Ubisoft hasn't said how those credentials were stolen. The wording is consistent with someone at Ubisoft falling victim to a targeted spear-phishing attack and handing over a login and password that let the attacker into Ubisoft's systems, but stolen credentials also come from credential-stealing malware or from a password reused from some other site's breach, so that is an inference on my part, not something Ubisoft has confirmed.
Ubisoft has done some things right in handling this breach, which other companies may want to use as an example if and when they fall prey to a data breach of their own:
They put a notice front and center on their landing page.
They have created an online forum for concerned customers to post questions or comments.
They have created a special site for users to quickly reset their passwords.
They have not released any details of how their password hashes are stored or which algorithm they use. That either means they are worried the method isn't particularly strong, or they are being deliberately quiet so as not to hand the attacker a best course of action for cracking the stolen file. What they have said about the passwords is:
"Passwords are not stored in clear-text but as an obfuscated value. These cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending that our users change their password."
Note that this describes hashing rather than encryption: a hash cannot be reversed, but an attacker can guess candidate passwords, hash each one the same way and compare the results. That is true of any hashing scheme, so the statement by itself doesn't tell us whether Ubisoft did as much as it could to protect the password file. What matters is whether the hashes were salted (a unique random value per user, so identical passwords produce different hashes and one guess can't be checked against every account at once) and whether the hash is deliberately slow (bcrypt, scrypt or PBKDF2 rather than a single round of MD5 or SHA-1). If the hashes are unsalted or use a fast algorithm, even moderately strong passwords will fall quickly; if they are salted and iterated, weak passwords will still be cracked, but the attacker pays for every guess against every account.
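To make the "cannot be reversed but could be cracked" point concrete, here is a small added example (mine, not Ubisoft's code; we don't know what they actually use) that hashes a constructed set of hypothetical users two ways, as unsalted SHA-1 and as salted, iterated PBKDF2-HMAC-SHA256 from the Python standard library, and then runs the same wordlist attack against both stores. The iteration count is deliberately low so the demo runs fast; the user names, passwords and wordlist are made up for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample "leaked" credential store: hypothetical users, not Ubisoft's
# data or storage format. Three users chose wordlist passwords; one did not.
USERS = {
    "alice": "password",
    "bob": "123456",
    "carol": "password",          # same password as alice
    "dave": "xQ7!v9#LmB2pR4sT",   # not in the wordlist
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]
ITERATIONS = 2_000  # kept low for the demo; real PBKDF2 deployments use far more


def hash_unsalted(password: str) -> str:
    """Fast, unsalted SHA-1: every user with the same password gets the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 (standard-library hashlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_unsalted_store(users: dict) -> dict:
    return {u: hash_unsalted(p) for u, p in users.items()}


def build_salted_store(users: dict) -> dict:
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)  # per-user random salt, stored beside the digest
        store[u] = (salt, hash_salted(p, salt))
    return store


def crack_unsalted(store: dict, wordlist) -> tuple:
    """Returns (cracked users, hash operations).

    Without a salt one hash per wordlist entry serves every account: the attacker
    builds a lookup table once and matches all users against it.
    """
    table = {hash_unsalted(w): w for w in wordlist}
    cracked = {u: table[d] for u, d in store.items() if d in table}
    return cracked, len(wordlist)


def crack_salted(store: dict, wordlist, iterations: int = ITERATIONS) -> tuple:
    """Returns (cracked users, hash operations).

    With a per-user salt there is no shared table: each (user, guess) pair costs
    a full PBKDF2 run, and the weak passwords still fall, just more expensively.
    """
    cracked, work = {}, 0
    for u, (salt, digest) in store.items():
        for w in wordlist:
            work += 1
            if hmac.compare_digest(hash_salted(w, salt, iterations), digest):
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    plain = build_unsalted_store(USERS)
    salted = build_salted_store(USERS)
    print("alice/carol unsalted digests equal:", plain["alice"] == plain["carol"])
    print("alice/carol salted digests equal:  ", salted["alice"][1] == salted["carol"][1])
    print("unsalted:", crack_unsalted(plain, WORDLIST))
    print("salted:  ", crack_salted(salted, WORDLIST))
```

In both stores alice, bob and carol are recovered and dave is not, which is exactly the behaviour in Ubisoft's statement. The difference is the cost: the unsalted attack is five hash operations for the whole table, while the salted attack needs a separate pass per user (ten PBKDF2 runs here) and, at production iteration counts, each of those runs is thousands of times slower than a single SHA-1.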
It will be interesting to see if the password files end up being cracked and accounts accessed.
As I've mentioned in the past, it's important to limit the number of times you reuse a password online. Better still, don't recycle passwords at all. It's certainly not easy to keep track of all the passwords you need, but incidents like this make it clear that if you're using the same password here as you are elsewhere, an attacker who cracks it will have a much easier time getting into the other services you use.
If you're an online gamer and play any Ubisoft titles, go change your password.