Epic Games Forums Breached Again

Breach Notification , Breach Response , Data Breach

Vulnerability in vBulletin Forum Software Exploited Epic Games Forums Breached Again

Epic Games has temporarily shut down some of its user forums for maintenance after data on about 808,000 accounts was stolen, marking the second data breach of the game maker in 13 months.

See Also: A Smarter Approach to Third-Party Vendor Risk: A Case Study

The compromise involved several forums maintained by Epic Games, based in Cary, N.C., that center on games and developer tools.

The most affected forums are Infinity Blade, UDK, Gears of War archives and those for previous Unreal Tournament games. Email addresses, hashed and salted passwords and data entered into forums were leaked.

Passwords that are hashed have been run through a one-way algorithm to create mathematical representations of passwords. In theory, the hashed value should not be able to be reversed into the original plaintext password. But it is possible for a password to be recovered if a weak hashing algorithm was used (see We're So Stupid About Passwords: Ashley Madison Edition).

"If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password," Epic Games says in a statement.

Password hashes that have "salt" added are harder to reverse. Salt is other data added to a password hash that's intended to make it more difficult to crack.

Also affected were the Unreal Engine and Unreal Tournament forums. Email addresses and data entered into forums were leaked, but not password-related data. Those forums remain online, and users do not need to reset passwords.

The Paragon, Fortnite, Shadow Complex and SpyJinx forums are not affected.

"We apologize for the inconvenience this causes everyone and we'll provide updates as we learn more," Epic Games says.

The new breach alert follows the company warning in July 2015 that usernames, email addresses, passwords and dates of birth might have been compromised after a breach, according to the gaming publication Kotaku. That cyberattack affected UDK, Infinity Blade, Gears of War and Bulletstorm as well as prior Unreal Tournament games.

SQL Injection Attack

After the latest breach, the Epic Games data first appeared on LeakedSource, a website that sells subscriptions to a repository of data breaches that are obtained through opaque sourcing. The number of Epic Games accounts affected is about 808,000, Leaked Source tells Information Security Media Group.

When asked how the service obtained the Epic Games data, a LeakedSource representative says that hackers "know that we don't resell or trade data for any reason, and some of them 'just want to watch the world burn,' which means exposure to data sets and people panicking" (see LeakedSource: 'Assume Every Website Has Been Hacked').

The hacker who stole the data exploited a SQL injection vulnerability in the popular vBulletin forum software, the LeakedSource representative said. "SQLi" is a common type of web attack where a back-end database fails to filter malicious requests and returns data.

Of the 20 most recent batches of breached data that LeakedSource has acquired, 16 of them have been via a vulnerability in vBulletin, the representative says.

New vulnerabilities get regularly disclosed by vBulletin, says Troy Hunt, a data breach expert who runs the Have I Been Pwned? data breach notification service (see Troy Hunt: The Delicate Balance in Data Breach Reporting).

Web Forums: Endless TLC Required

While vBulletin regularly issues related patches to fix the problems, many administrators choose to host their own vBulletin software and never get around to applying the fixes, Hunt says. And that creates a "perfect storm of software with holes in it that people don't maintain," he says.

The Epic Games forums were breached on Aug. 11. Although it's unclear which vulnerability was exploited in that breach, vBulletin recently issued patches for a problem that could allow an attachment to exploit a system for vBulletin versions 3.8.7 and up.

For better security, an improved approach for vBulletin users would be to pay vBulletin Solutions to host the software, Hunt says, which would ensure the software gets promptly patched.

"Having your own web application running on any platform is like having a child," Hunt says. "You need to give it TLC for the rest of its life. It's worse than having a child. Children grow up and leave home. You've got to continue to look after this [web application]."