nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Epic Games forums breached, salted passwords nabbed

Unreal Engine chathaus had unbelievably bad security

By Darren Pauli, 23 Aug 2016

Information on some 808,000 Unreal Engine and Unreal Tournament forum accounts, including email addresses, birth dates, and private messages, have been stolen from Epic Games.

The games company says passwords were not compromised on the Unreal forums so account resets are not necessary.

Salted passwords were breached for accounts active since July last year used on older game forums including legacy Unreal Tournament titles, Gears of War, and Infinity Blade.

"We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext," Epic Games says in a statement.

"While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere.

"These forums remain online and no passwords need to be reset."

The breach occurred thanks to an SQL injection hole in an outdated version of vBulletin, ZDNet reports.

Facebook tokens have also been reportedly lifted for those who used the social network to sign in.

Email and password repository LeakedSource revealed the breach adding to its nearly two billion breached accounts across a variety of important and non-critical sites.

Password best practice is subject to debate. If advice from boffins at Microsoft and Google is followed, passwords should be pronounceable, rather than set to the typical recommended jumble of numbers, special characters, and letters as such scrambles are difficult for users to recall.

It is okay for users to reuse passwords on sites they do not care for, Microsoft academics have said, provided they set strong logins for critical sites.

Britain's GCHQ intelligence agency has also weighed in on the password best practice debate advising admins to stop punishing users with regular password resets which studies show leads to weaker options being used over time.

Password strength meters should be largely consigned to history since it does not help against predictable and cliche logins that can be easily guessed, Compound Eye developer Mark Stockley notes.

Docker's security lead Diogo Mónica (@diogomonica) says debate on password choice and complexity is off the mark, and should instead focus on convincing users to run password managers to set unique jumbled credentials for all sites. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing