The usernames and email addresses of over 800,000 Epic Forums users were stolen by a hacker. According to Leakedsource.com, the attack happened on August 11. The hacker obtained the data by exploiting “a known SQL injection vulnerability found in an older vBulletin forum software, which allowed the hacker to get access to the full database” (ZDNet). In addition to the usernames and email addresses, the database contains scrambled passwords, IP addresses, birth dates, and activity such as posts, comments and private messages. Access tokens for Facebook were also breached. Epic Games has stated that the scrambled passwords will not be not easily crackable.
An Epic Games Spokesperson says that passwords do not need to be changed for the Unreal Engine and Unreal Tournament forum but a “compromise of our legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums revealed email addresses, salted hashed passwords and other data entered into the forums. If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password.”
Epic’s Forums were also hacked last year.
1 Comment
If a server has 800’000 users and an average of up to 500 logins per second, why does it serve so many entries in an alphabetic/ascending order without faking the output or disabling non-public data completely?
Software could limit the access to only public data (or an archive) and trusted queries (no user inputs, stored server-side).