Ubisoft Accounts Comprimised

Devin Busha

Apparently Ubisoft accounts have been compromised. http://www.joystiq.com/2013/07/02/ubisoft-hacked/

To make things worse, there's a clever phishing email going around asking folks to click the link to change their password. IT at the office said this email is bad news, so I'm just spreading the word.

Do NOT click the links in this email!

Dataday

Yep, received one about an hour or so ago. Thanks for the heads up.

nick2730

interesting, wonder who

WarrenM

Never click links in email!

Fixed that for you. Seriously, I wish people would stop that...

Makkon

Huh. Good thing I left that email alone.

Devin Busha

Getting conflicting info now.

Their UK forum manager Mr. Shade says it's official - http://forums.ubi.com/showthread.php/779063-Received-a-phishing-e-mail-today

IT here double checked the email and it seems to have been a false-positive. They did note tho -

"[FONT=&quot]I would discourage anyone from using any UBISoft servers or domains for a while. The links still take you to UBISoft which has been infiltrated.[/FONT][FONT=&quot] Remember that their main web servers are down, and the fact their their password change page is up is very suspect."[/FONT]

Sorry for any confusion.
- Dev
[FONT=&quot][/FONT]

notman

That's where my confusion is. I actually happened to be doing my 'spam folder' spot check, looking for things that shouldn't be there (and found many from Yahoo's overzealous spam flagging). I saw the ubisoft email, and checked the usual details (email source, link location, etc), and it seemed legit. So, I followed the link, and submitted a change. Fortunately, I don't use the same password everywhere, so I should be good either way. But, I saw this post, and figured I should go to ubisoft's site, and make sure I have the correct password (and maybe change it again). Their site has a link, suggesting to reset my password. I chose that, again, just to be sure. I still haven't received an email to fix my password

I guess I'll give a few days to let the dust settle. I don't have anything vital at ubisoft's site, so I basically just want to get things corrected. It would be nice if ubisoft would get something officially resolved/posted though.

Ged

crap i clicked the link cause i thought it was official and it was part of the official ubisoft website according to my browser and they had my username so that made it seem legit...

Ged

Ged wrote: »

crap i clicked the link cause i thought it was official and it was part of the official ubisoft website according to my browser and they had my username so that made it seem legit...

this is the link I got [/]https://support.ubi.com/en-gb/[/] is that not a real website?

Calabi

I got an email from this address.

email_ubi@email.ubi.com

I changed my password through the supplied http//secure.ubi.com, link. I cant see how that would be bad.

ambershee

It could be bad, because whoever managed to get into Ubisoft's system is likely still capable of operating within it.

Like the previous poster said - the fact that everything is doen except the password change page is very suspicious.

Ace-Angel

Shouldn't Ubi's natural link-back have atleast an HTTPS and not a standard HTTP?

Wesley

So this is the start of the watch_dogs ARG right?

leilei

That would be a dick move if it's a stunt to promote a video game.

MainManiac

ambershee wrote: »

It could be bad, because whoever managed to get into Ubisoft's system is likely still capable of operating within it.

Like the previous poster said - the fact that everything is doen except the password change page is very suspicious.

They may not be able to decrypt the passwords so they're trying to get people to change their passwords so they can see them unhashed.

Ged

frell wrote: »

They may not be able to decrypt the passwords so they're trying to get people to change their passwords so they can see them unhashed.

the link it sent me to didnt ask for the old password - only a new one to replace the stolen one.

ambershee

Ged, you're missing the point of how these work. They don't necessarily want everyone's Ubisoft account passwords. There are a small number of people who may use the same password for multiple services - in this case, if someone is to use the same password combination as they use with their e-mail address, (and a large number of people would really do this), they then have access to more interesting things, such as paypal accounts and everything accessible from the 'hub' e-mail address.

Ged

ambershee wrote: »

Ged, you're missing the point of how these work. They don't necessarily want everyone's Ubisoft account passwords. There are a small number of people who may use the same password for multiple services - in this case, if someone is to use the same password combination as they use with their e-mail address, (and a large number of people would really do this), they then have access to more interesting things, such as paypal accounts and everything accessible from the 'hub' e-mail address.

no i do understand that, the link I got just seemed very official and I still think its ligit so I dont think it could ever be phishing but this thread has made me suspicious. Frells idea that they wanted to see the passwords that they already have unhashed couldnt be the case as they only asked me for a new password(and that could be one I never use anywhere else).

Edward-Andrew

   

Malus

So where should we go change our passwords then?

notman

I requested to change my password, at ubi.com (ubisoft's site), and eventually received an email, that had the same link that I originally received. I'm actually beginning to think that the 'hack' wasn't really to phish for anything, but instead, maybe they found a way to trigger Ubisoft's 'password update' function, and triggered it for all users. So, the people violating the system, may not have actually accessed any of the database. Just triggered the 'update password' for everyone.