At 19:44 CET I got my breach notification mail from Ubisoft. It seems that the consequences of the attack are still being felt at Ubisoft, because currently their main web site is still down. In their words:
“We recently found that one of our Web sites was exploited to gain unauthorised access to some of our online systems. We instantly took steps to close off this access, investigate the incident and begin restoring the integrity of any compromised systems.
During this process, we learned that data had been illegally accessed from our account database, including user names, email addresses and encrypted passwords. Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion.
As a result, we are recommending that you change the password for your account: <account-name>”
Further details from the Ubisoft blog state that the attacker used stolen credentials to gain this level of unauthorised access.
The notification mail goes on to advise “Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.” This is good advice in a case such as this, but closer inspection of the Ubisoft blog reveals that it may well be more urgent than a simple “abundance of caution”.
The blog post states “Passwords are not stored in clear-text but as an obfuscated value. Those cannot be reversed but could be cracked, in particular if the password chosen is weak. This is the reason we are recommending our users to change their password.”
How exactly were the passwords secured? Hashed, I’m sure; this is the “non-reversible” security they mention in the blog. But if simple passwords could be cracked with ease, this sounds like the weakest form of hashing, unsalted, which is vulnerable to a simple lookup attack known as a Rainbow Table attack. This is not very confidence-inspiring news. If they were salted, were they using a common salt for every user and a hashing algorithm designed for speed rather than security? If so, then their password database is still vulnerable to a rainbow table attack. Ideally user passwords should be stored with a unique salt for every user, using an algorithm that allows a “work factor” to be introduced into the hashing process, such as Blowfish. This drastically increases the time taken to crack individual passwords, and because the work factor is variable, it can be raised to keep up with advances in processing power: increase the work factor and the hash gets slower. The effect is negligible on an individual login calculation, but mass calculation of rainbow tables becomes impractical.
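To make the difference between those three storage schemes concrete, here is an added example of my own (it is not Ubisoft’s code, and it does not describe what Ubisoft actually used). The sample accounts and the choice of SHA-1 as the “fast” hash are constructed for illustration; PBKDF2-HMAC stands in for the Blowfish-based scheme mentioned above because it ships with the Python standard library, and its iteration count plays the role of the work factor. The `shared_digest_groups` check is the kind of thing a defender can run against their own password table to spot an unsalted or common-salt scheme.

```python
"""Added example: unsalted vs common-salt vs per-user-salt password storage
with a tunable work factor. Standard library only, so it runs offline."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Constructed sample accounts: alice and bob happen to share a weak password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "summer2013",
    "bob": "summer2013",
    "carol": "correct horse battery staple",
}

def unsalted_hash(password: str) -> str:
    """Scheme 1: plain SHA-1, no salt (SHA-1 is an assumption for illustration).
    Equal passwords give equal digests, so one precomputed table entry
    resolves every user who chose that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def common_salt_hash(password: str, site_salt: bytes) -> str:
    """Scheme 2: one site-wide salt. A generic, pre-existing table is useless,
    but a table built once for this salt still covers the whole database,
    and identical passwords still collide."""
    return hashlib.sha1(site_salt + password.encode("utf-8")).hexdigest()

def per_user_hash(password: str, work_factor: int, salt: Optional[bytes] = None) -> str:
    """Scheme 3: unique random salt per user plus a work factor (2**work_factor
    iterations). The stored record carries its own parameters, so the cost can
    be raised later without knowing the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** work_factor)
    return f"pbkdf2_sha256${work_factor}${salt.hex()}${digest.hex()}"

def verify_per_user(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; constant-time compare."""
    algo, work_factor, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown scheme: " + algo)
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), 2 ** int(work_factor)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)

def needs_rehash(stored: str, current_work_factor: int) -> bool:
    """True when a record was written with a lower work factor than policy now
    requires; upgrade it at the user's next successful login."""
    return int(stored.split("$")[1]) < current_work_factor

def shared_digest_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames by identical stored value. Any group larger than one is
    the tell-tale sign of an unsalted or common-salt scheme: cracking that one
    digest exposes several accounts at once."""
    groups: Dict[str, List[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {digest: users for digest, users in groups.items() if len(users) > 1}

def time_one_hash(work_factor: int) -> float:
    """Wall-clock seconds for a single hash at the given work factor."""
    start = time.perf_counter()
    per_user_hash("timing-probe", work_factor)
    return time.perf_counter() - start

if __name__ == "__main__":
    site_salt = b"one-salt-for-everyone"  # constructed
    for name, fn in (
        ("unsalted", lambda p: unsalted_hash(p)),
        ("common salt", lambda p: common_salt_hash(p, site_salt)),
        ("per-user salt", lambda p: per_user_hash(p, 12)),
    ):
        table = {u: fn(p) for u, p in SAMPLE_USERS.items()}
        print(f"{name:14s} colliding accounts: {shared_digest_groups(table)}")
    for wf in (10, 14):
        print(f"work factor {wf}: one hash takes {time_one_hash(wf) * 1000:.1f} ms")
```

Raising the work factor from 10 to 14 makes each login check sixteen times slower, which nobody notices on a single sign-in but which multiplies the cost of any bulk computation by the same factor; and because the per-user salt is random, the table-building shortcut no longer applies at all.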
Considering the notification from this perspective makes the advice to change your password on other accounts where it may also be in use all the more urgent. Going forward, try to avoid using duplicate passwords on multiple sites.
Quite aside from all that, at the most basic level, the notification mail failed. It contained a link, pre-authenticated no less, for me to click on to reset my password, with no entry of my possibly compromised password necessary to make that change.
If you as an organisation ever have the misfortune to have to notify your customers of a breach, never include a link in the reset mail. It encourages insecure behaviour in your customer base and leaves them wide open to the inevitable phishing attacks that always follow this kind of event. Always advise them to navigate to your site themselves and follow the on-screen instructions that they will surely find there.
It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use. While this may sound complex and impossible to remember, there is a simple way to achieve this. Create a complex, yet memorable, password using upper and lower case letters, numbers and special characters such as $%&!. Try using the initial letter from each word in a memorable sentence, for example. Then devise a way to differentiate your password for each site you use, for example by putting the first and last letters of the web site name at the beginning and end of your initial complex password, making it unique yet easy to remember.
As for those security or password reset questions, these are also one of the most common ways to break into an account. If you are asked to provide answers to “security questions”, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet”, remember the answer doesn’t have to be the truth; it only has to be something you can remember.