Ubisoft, maker of Assassin's Creed and Ghost Recon, breached

Ubisoft announced yesterday in a blog post and email sent to users that it had been hacked. User names, email addresses and encrypted passwords were "illegally accessed from our account database." But the company stressed that no financial data was lost. "It’s important to note that no personal payment information is stored with Ubisoft, so fortunately all credit/debit card information was safe from this intrusion."

As a result, the company recommends that users change their passwords both with Ubisoft and "on any other website or service where you use the same or a similar password." 

The latter piece of advice is very important. Ubisoft has provided little actual information about the breach, its time or its extent, other than, "Credentials were stolen and used to illegally access our online network. We can’t go into specifics for security reasons."

More worryingly, it has avoided answering direct questions about whether the passwords were salted as well as hashed. Asked, "Can you give us some details on how the passwords were encrypted? Or hashed?" communications manager Gary Steinman responded: "Passwords are not stored in clear-text but as an obfuscated value. These cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending that our users change their password."

This drew the user's riposte, "I assume it's hashed (can't be reversed). Is it md5? Sha1? Salted or not?" But no further comment came from Ubisoft.

On this basis, the assumption has to be that the passwords were hashed (we aren't told with which algorithm) but not salted. A 'salt' is a random value added to each password before it is hashed. For weak passwords it turns something guessable into something not guessable: a value that can be looked up in a precomputed password dictionary becomes one that cannot. In general, unsalted hashed passwords are easily cracked; hashed and salted passwords are not.
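The difference the article draws between hashed and hashed-and-salted passwords can be seen in a few lines. The following is an added illustration, not Ubisoft's code or anything from the article: it uses a tiny constructed word list and fictional accounts, assumes SHA-1 as the unsalted algorithm purely for demonstration (the article does not say which was used), and ends with the kind of salted, slow key derivation (PBKDF2 from Python's standard library) a site should store instead.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data: a tiny word list standing in for the password
# dictionaries the article mentions. The accounts below are fictional.
WORDLIST = ["password", "letmein", "qwerty123", "assassin1", "ghostrecon"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password alone: the scheme the article worries about."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt followed by the password."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def precomputed_table(words) -> Dict[str, str]:
    """Hash -> word table built once from a dictionary.

    Without salt, every account's stored hash can be checked against this one
    table by a simple lookup, which is why the article calls unsalted hashes
    easily cracked.
    """
    return {unsalted_hash(w): w for w in words}


def table_lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Return the dictionary word matching a stored hash, or None."""
    return table.get(stored_hash)


def demo_salt_effect(password: str) -> Tuple[bool, bool, bool, bool]:
    """Show that a salt defeats the precomputed table and separates duplicate users.

    Returns (unsalted_found, salted_found, unsalted_hashes_equal, salted_hashes_equal)
    for two fictional users who chose the same weak password.
    """
    table = precomputed_table(WORDLIST)
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    unsalted_a = unsalted_hash(password)
    unsalted_b = unsalted_hash(password)   # same password, same hash: leaks reuse
    salted_a = salted_hash(password, salt_a)
    salted_b = salted_hash(password, salt_b)  # same password, different hashes
    return (
        table_lookup(unsalted_a, table) == password,
        table_lookup(salted_a, table) == password,
        unsalted_a == unsalted_b,
        salted_a == salted_b,
    )


# What a site should store instead: a slow, salted key derivation (PBKDF2 here,
# from the standard library) so each guess costs real work per user.
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def store_password(password: str) -> Dict[str, object]:
    """Return the record to keep in the account database: salt, iterations, hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    print(demo_salt_effect("letmein"))  # (True, False, True, False)
    rec = store_password("letmein")
    print(verify_password("letmein", rec), verify_password("wrong", rec))  # True False
```

The first two results show the article's point: the unsalted hash of a dictionary word is found by one lookup in a table built once for everyone, while the salted hash of the same word is not. The second pair shows a side effect the article's reasoning relies on: without salt, every user who picked the same weak password has the same stored hash, so cracking one cracks them all. The PBKDF2 record at the end is the form a breached database should be in, where a stolen salt and hash still force an attacker to do slow, per-user work.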

Users should therefore assume that if their passwords comprised actual words, even with added numbers, they have been cracked. Given that the attackers also gained access to user names and email addresses, they would have everything necessary to gain instant access to any other accounts that use the same passwords.

The simple advice has to be that any user who has reused a Ubisoft account password elsewhere should change that password immediately, and not reuse the same password on multiple accounts again.
