Epic Games forums have been breached again, and passwords for almost 808,000 Unreal Engine and Unreal Tournament forum accounts have been stolen. The hackers have also stolen some users records, which include e-mail addresses, date of births and private massages.
However, in response Epic Games has clarified that passwords for Unreal forums accounts were not compromised, and for that very reason the company will not force account resets.
We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext. While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.
Accounts that are active since July 2015 that were used on older game forums including legacy Unreal Tournament titles, Gears of War, and Infinity Blade were hacked and their passwords have been exposed.
The hackers exploited a vulnerability in SQL Injection of the forums, however, this vulnerability only exists in the older version of vBulletin CMS. So basically it seems that Epic Games have been paying attention to the security of their forums.
According to a security website, who analyzed the copy of the stolen database, confirmed that the attack on the Epic Games forums was launched on August 11.
The hackers now also have the access to Facebook access tokens that were included in the database for those users who signed in using the social media website.
In related news, according to founder of Epic Games, Tim Sweeny, Unreal Engine has saved the studio from dying.
Last year was our best engine year ever. By a significant margin. If we didn’t have the engine, we would have died. We would have died three times.
This is not the first time the Epic Games forums have been hacked, as last year the forums were hacked and data for thousands of accounts was stolen.