Codemasters' Website Hacked

skybon writes "After similar attacks on Sony and Square Enix, Codemasters' website has now been hacked as well. The intrusion took place on 3 June, and is believed to have compromised members' names, usernames, screen names, email addresses, date of birth, encrypted passwords, newsletter preferences, any biographies entered by users, details of last site activity, IP addresses and Xbox Live Gamertags. In a letter sent out to CodeM subscribers, the company recommended changing passwords as soon as possible."

Epic Forums

[Cidolfas]

The Epic forums got hit too, with usernames and encrypted passwords. At least, the UDK forums did, and I assume the Gears and other game-specific ones did too. Got the email about that today. At least they encrypted passwords, hopefully with a good salt.

Re:

[Konsalik]

Yes please note the difference between *hashed* and *encrypted* as passwords are usually hashed to obfuscate them.

Re:

[DrXym]

Hashing is not obfuscation. It produces a one way digest of your password, which if properly salted and hashed is very difficult to recover. So a site which uses hashes can't send you a password reminder since it doesn't know what your password is. The danger is if the site doesn't salt properly an attacker can use a reverse hash lookup to figure out what the password is. In addition without salting if 2 or more users use the same password you can tell it instantly by looking for duplicate hashes.

Sites th

DDOS

[tepples]

If it takes a cracker 0.3 seconds, as described in the article you cited [codahale.com], then it also takes the legit server 0.3 seconds to authenticate the user. If a lot of people submit the login form at once, this becomes a denial-of-service attack against the server.

Re:

[DrXym]

I said nothing of the hash algorithm so your point is moot. And bcrypt uses salts too so nothing I said suddenly becomes invalid.

Re:

[blueg3]

Even at that rate, a random 10-character password is essentially uncrackable.

The standard way of artificially strengthening the hash is to N-round HMAC-SHA1 (or HMAC-MD5, I suppose), where N is chosen so that the computation takes a fair amount of time. This is better for client-side encryption, where you have time to waste per request, and less popular for server-side encryption, where you don't want to consume that much processing power. Still usable server-side, though.

Re:

[Khyber]

"Salting is now mostly irrelevant because the latest consumer ATI card can calculate 5.5 BILLION MD*/SHA* hashes per second."

And that's why you write your own non-standard algorithm that makes GPU busting almost impossible due to modern GPU architecture.

Notice how ATi cards are beating nVidia cards in bitcoin generation. It's almost purely an architectural issue.

Re:

[Cidolfas]

I wish. They said encrypted, and warned that they could be cracked. Not that there could be a collision, but outright cracked. I have no idea why it's not standard policy EVERYWHERE just to use hashes. I'm just glad they didn't store in plaintext.

Re:

[Seumas]

This is yet another reason that the whole idea of forcing users to use their real names on Battle.net and Blizzard/Activision forums was a fucking awful one. And yeah, the problem with the passwords is that they point out that the passwords were hashed, but they don't mention whether they were salted. It seems obvious, but many people who bother to hash their password database don't bother to salt that hash.

Re:

[stonedcat]

But what if I crack your hack when I hack your crack?

--Jack

Codemasters' Rootkit?

[TheVelvetFlamebait]

Hey, you're not allowed to hack companies who aren't flagrantly, explicitly evil! It's almost like you're hacking companies whose security is weak, rather than acting as moral crusaders. How could that be?

Re:

[webmistressrachel]

"LulzSec"

Are they like C-Sec, but just for the "Lulz"?

Re:

[webmistressrachel]

Yay! Someone got my geeky reference!

Re:

[RichardJenkins]

Storing personal data without appropriate security controls in place is 'evil'. If companies develop an expectation that they *will* be hacked without good security measues then that is a good thing.

Eheh, Lotro Online Europe

[SmallFurryCreature]

Evil enough for anyone. You don't get two products taken away from you if you don't suck to high heaven (Turbine took both DDO and Lotro back from Codemasters inept handling).

Re:

[syousef]

Hey, you're not allowed to hack companies who aren't flagrantly, explicitly evil! It's almost like you're hacking companies whose security is weak, rather than acting as moral crusaders. How could that be?

No sympathy. Their copy protection bullshit has on more than one occasion caused me more grief than most other company's crap (and I am not a pirate by the way). Hate that my account may have been compromised, especially since I haven't used it in years (quite literally).

#ifndef MASTERS

[waddgodd]

I'm going to go right ahead and say they ain't codeMASTERS if they got hacked....

Re:

[rust627]

so, let me see
some one has mastered the masters ....................

Re:

[davidbrit2]

In fairness, they never claimed to be php/SQL masters. They're probably referring to being masters at trying to sell you cheat codes to games they make.

Re:

[Lilith's Heart-shape]

I wish they had a cheat code that would make Clive Barker's Jericho not suck Pinhead's balls.

Re:

[gl4ss]

the website was probably ran by some dweebs they found on the street. but the real lessons they should take here are that they should not even ask for things like date of birth - they could just ask for the year for example, and even then store it ONLY if the user wants it to be shown on the forums. it makes it much easier for someone to do something with the hacked data - and they got about zero guarantee about the data being right so it's not much use for codemasters itself...

When eligibility depends on the birthday

[tepples]

the real lessons they should take here are that they should not even ask for things like date of birth - they could just ask for the year for example

Some web sites have legal reasons to require all users to be at least 13, 18, or 21 years old (to use examples of thresholds from U.S. federal law). Say your web site requires all users to be at least 18 years old. If the sign-up form asks for just the Gregorian year, how would the site distinguish an 18-year-old, whose birthday is before today, from a 17-year-old, whose birthday is after today?

Re:

[Anonymous Coward]

Interesting thought, but this is the same public that now accepts getting groped at TSA checkpoints by 300lb, $14/hr rentacops because somebody could be a terrorist. If Anonymous or somebody else were to break into the credit bureaus or some other high-value target - I fully expect there may be a couple of nominal changes, but the anger will be focused squarely on the "terrorists" who are trying to undermine our country's economy.

Re:

[account_deleted]

Comment removed based on user account deletion

3rd of June?

[Psychotria]

That was 8 days ago! I am so glad they reported this so promptly.

Epic Games too

[grim-one]

Got a couple of emails from them:

Our Epic Games web sites and forums were recently hacked. After some downtime, they're back up and running now.

The hackers may have obtained the email addresses and encrypted passwords of forum users. Plaintext passwords weren't revealed, but it's possible that those passwords could be obtained by a brute-force attack on the encrypted passwords. Therefore, we have reset all passwords. Your new password at the bottom of this message.

The Unreal Developer Network (UDN) hasn't been compromised. Thankfully, none of our web sites ask for, or store, credit card information or other financial data.

We're sorry for the inconvenience, and appreciate everyone's patience as we wrestle our servers back under control.

Tim Sweeney
Founder, Epic Games Inc

Re:

[maxwell demon]

The mail omitted a crucial advise:
"Please log in and change your password to a new value as soon as possible."
Since the reset password was transmitted unencrypted over email, it should not be treated as secure.

Re:

[_Shad0w_]

Encrypted, not hashed. Assuming they actually do mean encrypted. You'd still have to worry about whether they compromised the key as well, unless they're using something like a PrivateServer HSM - although I suspect that might be considered over kill for a games website.

Valve/Steam

[atomicbutterfly]

If Valve's servers get hacked with disastrous consequences (Steam accounts get deleted/hacked/etc, credit card details, other personal info), all hell will break loose. There will also be much smugness from those who don't use Steam for this very reason.

Re:

[Richard_at_work]

The fact that they haven't, while smaller targets have fallen already, might be telling...

Re:

[wo1verin3]

Of course they haven't [slashdot.org].

Re:

[Richard_at_work]

Thats hardly Steam, is it?

Re:

[twocows]

If Valve hasn't been hacked since 2004, I'm perfectly content with their ability to protect my data.

Re:

[gl4ss]

steam accounts get hacked all the time, but usually through the users computers.. also cs keycodes were rampantly generated and hacked and traded, but the success of counter strike really made steam a target as soon as it started.

Re:

[FutureDomain]

steam accounts get hacked all the time, but usually through the users computers.

Valve has actually been pretty proactive on this front. They recently released their SteamGuard system which authenticates logins from new computers via email. It doesn't help if the user uses one password for both his email and Steam, but it's pretty good against most password thefts.

Re:

[Nemyst]

Steam and Google are the two sole online businesses that I know of (bar, say, banks) that have more than a simple username/password identification. The former forces you to authenticate every PC you use it on, which can only be done through your email. The latter uses 2-factor authentication through smartphones.

I think Steam is fairly safe. You'd have to be able to get the passwords (which are very likely salted and hashed) and could only attack those people who reuse the same password for both their Steam

Re:

[Beelzebud]

Valve's server DID get hacked back before the release of Half Life 2, which resulted in the source code for their Source engine, and an unfinished build of Half Life 2 getting leaked. I have a feeling they learned their lesson after that. They definitely have the money to do security correctly, if they wish.

Re:

[XionOfChaos]

This is one of the reasons why I will not get a credit card!

Re:

[Ihmhi]

Actually, compared to a debit card a credit card is pretty safe. Debit cards are easier to get but you lack many of the protections (like chargeback) that credit cards offer.

Be careful all in all - not having a credit card might actually bite you in the ass if you ever decide to buy a home or get some type of loan. No credit is practically worse than bad credit.

Re:

[XionOfChaos]

Have had no problems getting loans without a credit card. Of course you can't buy anything online without one.

Re:

[sourcerror]

I had no problems buying stuff online with debit card. (from Amazon; for noname shops there's Paypal; I wouldn't trust them with my CVV)

Re:

[_Shad0w_]

It's the reason I use a virtual credit card with one-time numbers online. I only use my real credit card at a limited number of places.

What's the point in hacking?

[Scissorsman]

Why is there so many hacking lately? I really don't understand people's motive to hack some servers, websites. Ok one could be money (credit card info, mail databases to sell, etc.) and maybe the other challenge for someone. But hacking is never harmeless.

Re:

[Anonymous Coward]

The answer is surprisingly simple.

Hackers have very tiny penises.

Re:

[Osgeld]

whats the point of going to slashdot and making a comment? same reason

This shoud get all of us very worried...

[mihamicka]

At least news like this gets me very worried... why? cos all this announcements ware not made by the companies who got their servers hacked... but ware made by the hackers who did that... i wonder how many hackings are done without anyone knowing ... without anyone making those attacks public... and in theory security engineers learn from things like that.... is called Forensics right? hmmm and some ppl say " There is not such thing as ethical hacking..".... why not? i know from experience that you need

I have the best security

[NSN A392-99-964-5927]

I hack my my own servers daily. My security is 31337 (Pull the Plug)

Good!

[tittledavid]

Thanks for info, http://exercisesto-reducetummy.com/articles/exercises-to-reduce-tummy-how-i-lost-50-pounds [exercisest...etummy.com]