Epic Games forums breached again, salted passwords of 808,000 Unreal Engine and Unreal Tournament forum accounts have been exposed. The stolen records from Epic Games include email addresses, birth dates, and private messages.
Security experts are critics on the level of security implemented to protect users’ data, in response the company clarified that passwords were not compromised on the Unreal forums and for this reason it will not force the account resets.
“We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.” reads the official statement issued by Epic Games.
Accounts active since July last year used on older game forums including legacy Unreal Tournament titles, Gears of War, and Infinity Blade were compromised and associated salted passwords exposed.
At the time I was writing the Epic Games’ forum was down for maintenance, meanwhile, the Unreal Engine forums were still active.
The hackers compromised the forums exploiting a SQL injection vulnerability in their outdated version of the vBulletin CMS.
The attackers also had access to the Facebook access tokens included in the database for those users who signed in with their social account.
Breach notification website LeakedSource.com that has analyzed a copy of the stolen database, confirmed that the attack launched on August 11.
The experts from Epic Games are still investigating the incident.
Unfortunately, this isnìt the first time that Epic Games has suffered a data breach, last year, the gaming company was the victim of the hackers that stole thousands of accounts’ data.
(Security Affairs – Epic Games, data breach)