Epic Games forums breached again, salted passwords of 808,000 Unreal Engine and Unreal Tournament forum accounts have been exposed. The stolen records from Epic Games include email addresses, birth dates, and private messages.
Security experts are critics on the level of security implemented to protect users’ data, in response the company clarified that passwords were not compromised on the Unreal forums and for this reason it will not force the account resets.
“We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.” reads the official statement issued by Epic Games.
Accounts active since July last year used on older game forums including legacy Unreal Tournament titles, Gears of War, and Infinity Blade were compromised and associated salted passwords exposed.
At the time I was writing the Epic Games’ forum was down for maintenance, meanwhile, the Unreal Engine forums were still active.
The hackers compromised the forums exploiting a SQL injection vulnerability in their outdated version of the vBulletin CMS.
The attackers also had access to the Facebook access tokens included in the database for those users who signed in with their social account.
Breach notification website LeakedSource.com that has analyzed a copy of the stolen database, confirmed that the attack launched on August 11.
The experts from Epic Games are still investigating the incident.
Unfortunately, this isnìt the first time that Epic Games has suffered a data breach, last year, the gaming company was the victim of the hackers that stole thousands of accounts’ data.
(Security Affairs – Epic Games, data breach)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.