Ubisoft Breached: Users Urged to Change Passwords

Ubisoft, the studio behind some widely popular games such as Assassin’s Creed and the Far Cry series, disclosed that they have suffered another security incident on Tuesday, and are urging users to reset their account passwords.

Earlier this year, Ubisoft confirmed to customers that UPlay accounts were compromised, but the scope was limited to a handful of gamers. At the time, gamers were complaining that third parties were altering the email addresses associated with their accounts – a clear sign that there was a breach somewhere. But Ubisoft didn’t confirm whether the issue was on the customer’s end or on its servers.

Now, Ubisoft is once again admitting to a security incident, only this time there are clues as to what happened. Without actually saying so, Ubisoft paints the picture that either a customer or an employee had their account compromised, and a WebApp vulnerability allowed an attacker to gain access to account details. The result of those actions has exposed “user names, email addresses and encrypted passwords.”

“We recently discovered that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close this off and to begin a thorough investigation with the relevant authorities, internal and external security experts,” the gaming firm said in a statement.

“Passwords are not stored in clear-text but as an obfuscated value. These cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending that our users change their password.”

Early Wednesday morning, lists of password hashes started to circulate on the Web. SecurityWeek has seen some of those lists, which were hashed using MD5, and we’re hoping they’re from an older breach or something completely unrelated. If they are in fact taken from this latest incident, then the passwords are extremely common and easily cracked using basic wordlists. Moreover, unlike the incident earlier this year, this latest snafu has nothing to do with UPlay.

Ubisoft has said their security teams are exploring all options available to expand and strengthen their security posture, but would not comment any further on specifics. They did go out of their way to mention this recent incident was unrelated to previous breaches at other gaming firms, but that doesn’t exclude the likelihood that there was severe password recycling going on between user accounts.

Details on resetting passwords can be found online at the aforementioned blog post.
