Online games publisher Ubisoft has tonight confirmed that one of their websites was exploited and that sensitive information was stolen. Fortunately, it looks like payment details were not ‘secured’ in the same location and so they at least are safe.
I came home from work this evening to the following email from Ubisoft –
“Security update regarding your Ubisoft account – please create a new password
We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.
During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.
As a result, we are recommending that you change the password for your account: xxxxxxxx
To enter your new password, click the link below: https://secure.ubi.com/register/ResetPassword.aspx?genomeid=5b61fa9f-305b-422b-aa3a-0efcf8370dec&strStamp=4D873472C46884A27D26D44AD9F6E2574756B68901DE10D7A251E6EE63F7F11EB738342CEBFDB10027D75FF7765AF7AB37382101343EE104BC68986AAF3F55D8&lang=en-GB&strLoginemail@example.com&nextURL=http%3a%2f%2fwww.ubi.com%2fUK%2fdefault.aspx
Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.
You can find more information here https://support.ubi.com/en-GB/FAQ.aspx?platformid=60&brandid=2030&productid=3888&faqid=kA030000000eYYxCAM.
For any additional support enquiries, please contact our customer service via our support web site at https://support.ubi.com
We sincerely apologise to all of you for the inconvenience. Please rest assured that your security remains our priority.
The Ubisoft team”
– and it’s good to see the French software company being proactive and warning users of its service that an issue has arisen (having a response prepared in advance and keeping customers informed is always a good starting point for incident response).
It’s also good to see that Ubisoft have created a special page for updating your password.
I don’t like the idea of putting live links in emails (I’ve unlinked the web address above for this post). Even though this linked address is genuine, we all know better than to click on links in emails, don’t we?
Also, clicking on said link leads to a web page that is currently inaccessible – I guess Ubi servers are getting hammered right now, huh?
And what’s with the writing? – “Out of an abundance of caution” – sounds very dodgy to me, like it’s been typed by someone sitting in an internet cafe in a foreign land.
Overall I’d be very wary of the email notification itself if I hadn’t already heard about the incident tonight!
But hey, it’s OK, the company has only lost my username, email address and encrypted password, so it’s not all bad, eh? It’s not like they have some draconian DRM system in place when all is well, is it???