
EPIC FORUMS HACKED: unauthorized access to your username, email address, password

Discussion in 'Off Topic' started by Manticore, Jul 15, 2015.

  1. Manticore

    Manticore Official BUF Birthday Spammer

    "Important Message From Epic Games

    July 14, 2015
    Dear Epic Games Forum Member,



    We have just discovered that the Epic Games forums located at https://forums.epicgames.com were compromised by a hacker. We are sorry to report that the incident may have resulted in unauthorized access to your username, email address, password, and the date of birth you provided at registration.



    We have taken https://forums.epicgames.com offline. When the site reopens, your password will be reset. If you use the same password on this site which you use on other sites, we recommend immediately changing your password on those sites as well.



    The affected forum site covers UDK, Infinity Blade, Gears of War, Bulletstorm, and prior Unreal Tournament games. However, the separate forum sites covering Unreal Engine 4, Fortnite, and the new Unreal Tournament were unaffected.


    We apologize for the inconvenience this causes everyone. To further understand what’s happened and prevent it in the future, we’re working with a computer security firm to identify the nature of the compromise. We will report further information on the forums when they reopen.


    While the investigation into the security compromise is ongoing, we are reaching out to you directly to let you know of the potential unauthorized access to information you provided at registration. It is possible that any information stored or sent by you using the forums may have been accessed. Since this is a public forum, we do not collect or maintain financial information, but we advise you to be alert for suspicious email such as phishing attempts.


    Thank you for being a part of our community, and for your attention to this issue.



    Best Regards,
    The Epic Games Team"

    Awesome. Good job............ not.
     
  2. Wormbo

    Wormbo Administrator Staff Member

    Why passwords, btw? I thought vBulletin doesn't store them as clear text? Or does it actually store unsalted password MD5s or something?
     
  3. Zur

    Zur surrealistic mad cow

    vBulletin should at least salt passwords. Anything less would be taking the mickey.
     
  4. Sir_Brizz

    Sir_Brizz Administrator Staff Member

    The passwords are salted and hashed so they can't be reversed through brute force. But with the whole DB you could easily run a rainbow table against it. That would catch a lot of the weaker ones.
     
  5. Wormbo

    Wormbo Administrator Staff Member

    Isn't the idea of salting to break the rainbow table approach because the hashes become strong and unique even if the password is weak or used by many other users as well?
     
  6. Sir_Brizz

    Sir_Brizz Administrator Staff Member

    Yes, if you don't have the salt. If you have the salt you can imitate the hashing algorithm which is how authentication in a salt-based auth system works.
     
  7. Leo(T.C.K.)

    Leo(T.C.K.) Well-Known Member

    Again? This kind of stuff seems to happen frequently every couple of years if this goes on.
     
  8. Hadmar

    Hadmar Queen Bitch of the Universe

    Let's hope they didn't use MD5 but something that was actually designed for the task of hashing passwords.
    (If you feel like googling: PBKDF2, bcrypt, scrypt)
     
  9. Sir_Brizz

    Sir_Brizz Administrator Staff Member

    They were using standard VB3 encryption, which is MD5+(MD5+salt).
     
  10. Hadmar

    Hadmar Queen Bitch of the Universe

    Thanks, that's too bad.*

    "If you use the same password on this site which you use on other sites, we recommend immediately changing your password on those sites as well."
    This is not an overly cautious cover my ass line. If you re-used that password somewhere else, change it.
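
Added example, not part of the thread and not vBulletin's or Epic's code: a sketch of how a forum operator could strengthen stored hashes of the kind discussed above without waiting for users to log in, by wrapping each legacy hash in PBKDF2 (one of the functions named in post 8). It assumes the commonly documented vBulletin 3 form `md5(md5(password) + salt)`; the record layout, field names, sample rows and iteration count are hypothetical.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware

def vb3_hash(password: str, salt: str) -> str:
    """Legacy scheme as commonly documented for vBulletin 3: md5(md5(pw) + salt)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def wrap_legacy(legacy_hex: str) -> dict:
    """Strengthen a stored legacy hash offline, without knowing the password."""
    kdf_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), kdf_salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2(vb3)", "kdf_salt": kdf_salt, "hash": dk}

def migrate(record: dict) -> dict:
    """Replace the fast hash in a user row with its PBKDF2-wrapped form."""
    if record["scheme"] != "vb3":
        return record  # already migrated
    return {"vb_salt": record["vb_salt"], **wrap_legacy(record["hash"])}

def verify(password: str, record: dict) -> bool:
    """Check a login attempt against either a legacy or a wrapped record."""
    legacy = vb3_hash(password, record["vb_salt"])
    if record["scheme"] == "vb3":
        return hmac.compare_digest(legacy, record["hash"])
    dk = hashlib.pbkdf2_hmac("sha256", legacy.encode(), record["kdf_salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, record["hash"])

def demo():
    # Constructed sample rows: two users who chose the same password.
    rows = [{"scheme": "vb3", "vb_salt": s, "hash": vb3_hash("hunter2", s)}
            for s in ("a1!", "Zq9")]
    # The per-user salt makes the two stored hashes differ for one password.
    distinct = rows[0]["hash"] != rows[1]["hash"]
    # After migration the database no longer holds any fast MD5 output.
    migrated = [migrate(r) for r in rows]
    return distinct, migrated

if __name__ == "__main__":
    distinct, migrated = demo()
    print(distinct, [verify("hunter2", r) for r in migrated])
```

Once a user next logs in successfully, the plaintext is available and the row can be rehashed directly with the slow function, dropping the MD5 layer.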
     
