American video game development company Epic Games has announced someone hacked its forums, making it twice in one year.
On 22 August, the Cary-based organization disclosed the breach on its website:
“We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.”
But hold on. Forum users aren’t off the hook just yet.
Epic Games discovered that someone also apparently compromised the older forums for Infinity Blade, UDK, previous Unreal Tournament games, and Gears of War. That hack is believed to have exposed users’ salted passwords, along with their usernames, email address, birth dates, IP addresses, join dates, posting history, and even Facebook access tokens if they signed up using the social networking site. As a result, the company is asking all users who accessed those legacy forums since July 2015 to change their passwords.
In total, the hack is believed to have compromised the information of at least 808,000 accounts.
ZDNet reports the unidentified hacker exploited a vulnerability in an out-of-date version of vBulletin to gain access to the forums’ databases. That’s the same attack vector hackers used to compromise the forums of uTorrent, Ubuntu, Disney’s Playdom, and Dota 2 in recent weeks.
Unfortunately, this isn’t the first time Epic Games has experienced a hack. The company shut down its forums in mid-July following a breach that compromised all members’ usernames, passwords, email addresses, and dates of birth.
Let’s hope the second time’s a charm. To prevent another hack, Epic Games should create a vulnerability management program that can help schedule patches for known disclosures affecting vBulletin and other software. The company should also be transparent about these new security measures and communicate them to the public.
What do you think? Are there other measures Epic Games can take to save face after this second hack? Let us know in the comments!