XenForo Unity Game Forum Hacked

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,413
Security Week said:
Over the weekend, hackers breached the official forum of the Unity cross-platform game engine developed by Unity Technologies. The attackers claim to have stolen user data, but the company has denied that any sensitive information has been compromised.

The hacker group calling itself OurMine has defaced the Unity forum and abused it to send out emails to registered users via a built-in mass email feature. In their message, the hackers informed recipients that they had gained access to a database containing the details of 2 million users, and advised everyone to change their passwords.

In a blog post published on Monday, Unity confirmed the breach and blamed it on “poorly implemented password routines.” However, the company claims the hackers only accessed “a limited set of data,” and assured users that no passwords, payment information or other Unity services had been compromised.

“No passwords were lost in the breach, but we still recommend a password change due to possibility of the group having emails and passwords from another source, which could be used to access their account,” Unity representatives said.

The company says it does not store passwords in clear text, and it plans on rolling out additional account protections in the next few weeks, including two-factor authentication, alerts for logins from unrecognized devices, and new password policies.

The forum was taken offline following the hack, but it has now been restored. Some posts may have been lost as the forum was restored using a backup timestamped April 30, 14:01 CEST.

Gaming-related forums have often been targeted by cybercriminals. The list of breached websites includes ones dedicated to Bohemia Interactive’s DayZ, Epic Games’ Unreal Engine and Unreal Tournament, and Valve’s Dota 2.

OurMine, which describes itself as a group that provides security services, has targeted numerous high profile social media accounts in the past months.

The hackers have taken over the online accounts of Sony Music Entertainment, Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, Spotify founder Daniel Ek, and many others. The group recently also hijacked several high profile YouTube accounts.

Related: Flaw in Unity Web Player Allows Theft of Personal Data

Related: Hacker Group Disrupts Video Game Service in DDoS Attack
http://www.securityweek.com/unity-game-engine-forum-hacked


Unity said:
Hi all,

On April 30, our public forum website was attacked and successfully compromised due to poorly implemented password routines; our investigations show no theft of passwords in this attack, nor impact to any other Unity service.

However, the attack did result in defacement of the site (which has since been fixed) and subsequent messaging to all of our registered forum users.

We’re actively working to improve the authentication options in our services, and to help protect your data we’ll be rolling out the following in the next few weeks:

2FA Authentication

2FA will enable you to use one time passwords tied to the Unity Authentication platform. This will also be enforced in forums.

Device Identification

Device Identification will alert and/or prompt you if a new PC or Mobile device tries to connect to a Unity service, with your credentials.

Password Policy

Enable a per organization password reset, rotation and strength policy.



We’re sorry. We know you put your trust in us. We will learn from our mistakes.

Andreas Haugsnes

Director of Security
https://blogs.unity3d.com/2017/05/01/unity-forum-hack-update/


our public forum website was attacked and successfully compromised due to poorly implemented password routines
So are they saying certain user(s) passwords were compromised or guessed and that's how they gained XF and server access? If so, it doesn't sound like an XF issue, but a general password management and best practice issue.

If so, sounds like a good reason to get on top of better password complexity suggestions and best practice explanations at registration.

https://xenforo.com/community/threads/set-password-complexity.2139/

I'm currently using this and it works well

https://xenforo.com/community/resources/kl-password-tools.4495/

Edit: It seems some users on their forum think it may be to do with username and password reuse from previously hacked sites.
 
Last edited:
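The two risks raised in the post above (weak passwords chosen at registration, and reuse of a password that already leaked from another site) can both be checked at the moment a password is set. The following is an added example and not code from XenForo, the KL Password Tools add-on, or Unity; it is a stand-alone Python policy check with a constructed, five-entry stand-in for a breached-password corpus, stored as SHA-1 digests and looked up by hash prefix the way range-query breach APIs do, so it runs entirely offline. The length and character-class thresholds are assumptions chosen for the example, not values from the page.

```python
import hashlib
import re
from typing import List

# Constructed for this example: a tiny stand-in for a breached-password
# corpus, kept as SHA-1 digests so the clear-text list is never shipped.
# A real deployment would use a large downloaded breach list instead.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "unity2017", "qwerty123", "letmein")
}

MIN_LENGTH = 12        # assumed policy value for the example
REQUIRED_CLASSES = 3   # of: lowercase, uppercase, digit, symbol


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password draws from."""
    classes = 0
    for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"):
        if re.search(pattern, password):
            classes += 1
    return classes


def is_breached(password: str) -> bool:
    """k-anonymity style lookup: hash locally, select the bucket sharing the
    first five hex characters, then match the remaining suffix. This mirrors
    how range-query breach APIs work, but here the 'API' is the local set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in bucket


def check_password(username: str, password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < REQUIRED_CLASSES:
        problems.append(f"uses fewer than {REQUIRED_CLASSES} character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    # Constructed sample registrations for the demo run.
    samples = (
        ("alice", "password"),
        ("bob", "Bob-Likes-Tea-2017"),
        ("carol", "Correct-Horse-Battery-9"),
    )
    for user, pw in samples:
        verdict = check_password(user, pw)
        print(f"{user:8} {'OK' if not verdict else '; '.join(verdict)}")
```

The breach check is the part that addresses the reuse scenario: a password can satisfy every complexity rule and still be one that attackers already hold from another site's dump, so a policy that only counts character classes gives a false sense of safety.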

Mouth

Enthusiast
Joined
Oct 3, 2009
Messages
193
I enforce 2FA for mods and admins. XF inbuilt standard functionality.
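Unity's announcement above describes 2FA as "one time passwords", and the post here enforces it for staff accounts. To show what such a one-time password actually is, here is an added example (not XenForo's or Unity's code) implementing the time-based one-time password scheme of RFC 6238 on top of RFC 4226 HOTP in plain Python, using only the standard library. The secret is the reference secret from those RFCs, base32-encoded the way an authenticator app would receive it; the 30-second step, six digits and one-step drift window are the common defaults and are assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed for this example: the RFC 4226/6238 reference secret,
# base32-encoded as it would appear in a provisioning QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")

STEP_SECONDS = 30   # assumed time step
DIGITS = 6          # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a 31-bit integer reduced to `digits` digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // STEP_SECONDS), digits)


def verify_totp(secret_b32: str, submitted: str,
                at_time: Optional[float] = None, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side to
    tolerate clock drift. Comparison is constant-time so that rejecting a wrong
    code takes no measurably different time from accepting a right one."""
    now = time.time() if at_time is None else at_time
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, now + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: show the current code and verify it against itself.
    code = totp(DEMO_SECRET_B32)
    print("current code:", code, "verifies:", verify_totp(DEMO_SECRET_B32, code))
```

Two things the verifier above leaves to the caller, and which a production login path needs: remembering the last accepted time step per user so the same code cannot be replayed inside the drift window, and rate-limiting submissions, since a six-digit code is only strong if an attacker cannot try a million of them.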
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,413
Sounds like they didn't because they're planning to 'Roll it out in the next few weeks'.

Although actually, rereading it, it sounds like they mean integration in their main unity system as well as the forums.

We’re actively working to improve the authentication options in our services, and to help protect your data we’ll be rolling out the following in the next few weeks:

2FA Authentication

2FA will enable you to use one time passwords tied to the Unity Authentication platform. This will also be enforced in forums.
 

Gus

Enthusiast
Joined
Jan 15, 2017
Messages
156
Screw those lame script kiddie skids, they should get a life.
 

maksim

Serial Entrepreneur
Joined
Apr 9, 2009
Messages
550
So again though, how did they get in?

Guessed someone's password or found a vulnerability somewhere in the code?
 

Mouth

Enthusiast
Joined
Oct 3, 2009
Messages
193
Guessed someone's password
This, although they're not saying directly. All available information and logic points to this being the issue. A hacker guessed or brute forced a moderator/admin account.
 

mysiteguy

Migration Expert
Joined
Feb 20, 2007
Messages
3,093
This, although they're not saying directly. All available information and logic points to this being the issue. A hacker guessed or brute forced a moderator/admin account.
Agree, it sounds like they are trying to dodge around this issue by being vague about the cause.
 

Gus

Enthusiast
Joined
Jan 15, 2017
Messages
156
And they should also get 10 to life, with no possibility of parole.
in prison? For mildly inconveniencing a group of people on the internet? That's a little harsh if you ask me, but then again I don't take the internet too seriously these days. I just think hackers are jerks. They should have their computers taken away and denied service from all the ISP's in their town.
 

maksim

Serial Entrepreneur
Joined
Apr 9, 2009
Messages
550
in prison? For mildly inconveniencing a group of people on the internet? That's a little harsh if you ask me, but then again I don't take the internet too seriously these days. I just think hackers are jerks. They should have their computers taken away and denied service from all the ISP's in their town.
You mean for breaking and entering into someone's private space, defacing their property and stealing valuable assets?

Where do you draw the line?

They can have computers taken away but do you honestly think that can stop them or make them think twice?

While 10 years in prison may be too much, I am in full support of massive monetary damages and/or jail time or community service, and lots of it.... perhaps teaching underprivileged kids and seniors how to use computers.
 

mysiteguy

Migration Expert
Joined
Feb 20, 2007
Messages
3,093
in prison? For mildly inconveniencing a group of people on the internet? That's a little harsh if you ask me, but then again I don't take the internet too seriously these days. I just think hackers are jerks. They should have their computers taken away and denied service from all the ISP's in their town.
hy·per·bo·le
noun
exaggerated statements or claims not meant to be taken literally.
synonyms: exaggeration, overstatement, magnification, embroidery, embellishment, excess, overkill, rhetoric;
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
4,986
in prison? For mildly inconveniencing a group of people on the internet? That's a little harsh if you ask me, but then again I don't take the internet too seriously these days. I just think hackers are jerks. They should have their computers taken away and denied service from all the ISP's in their town.
So, you find no issue with someone putting sugar in your gas tank or letting the air out of your tires? After all, it's a mild inconvenience to have to re-air your tires or drain your fuel tank.
 

doubt

Tazmanian
Joined
Feb 25, 2013
Messages
4,855
So, you find no issue with someone putting sugar in your gas tank or letting the air out of your tires? After all, it's a mild inconvenience to have to re-air your tires or drain your fuel tank.
You would be extremely lucky if the only thing to do was draining your fuel tank.
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,413
You're not exactly mildly inconveniencing a load of internet people when you're bringing down the system that a company uses to interact with its customers 24 hours a day.

How much time, money and man hours do you think were wasted while cleaning this mess up after they hacked the site? It probably adds up to a decent chunk of change for a 1500+ employee company such as Unity.
 

maksim

Serial Entrepreneur
Joined
Apr 9, 2009
Messages
550
in prison? For mildly inconveniencing a group of people on the internet? That's a little harsh if you ask me, but then again I don't take the internet too seriously these days. I just think hackers are jerks. They should have their computers taken away and denied service from all the ISP's in their town.
Gus, instead of disagreeing with a bunch of people here with a sophomoric post reaction, why not discuss why you believe it is no big deal?

Are you seriously suggesting that you would be fine with someone breaking into your forum? And having them get a slap on the wrist?
Or do you draw the line at if they destroyed your database?

For any active forum, a "silly hacker" is destroying lines of communications and the ability for hundreds of thousands of people to get the information that they need. That is not even discussing them doing anything more sinister like a database wipe or reselling people's private information.

But I am sure you had enough people tell you that already.
 

Tracy Perry

Opinionated asshat
Joined
May 25, 2013
Messages
4,986
You would be extremely lucky if the only thing to do was draining your fuel tank.
One reason carbs are better than injectors!
If it does get ingested, simply requires a line flush and fuel filter replacement. If you have injectors you may have to replace them.. but again - that's only a minor inconvenience comparable to having to restore an entire server from scratch. :whistle:
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,321
I'd take a guess that a lot of people who would 'hang 'em high' when it comes to crimes committed by hackers would be a little less inclined to advocate such severe penalties for other forms of digital crime such as file sharing, enjoying the odd pirate download or installing unlicensed software for 'evaluation purposes'? :D
 

maksim

Serial Entrepreneur
Joined
Apr 9, 2009
Messages
550
I'd take a guess that a lot of people who would 'hang 'em high' when it comes to crimes committed by hackers would be a little less inclined to advocate such severe penalties for other forms of digital crime such as file sharing, enjoying the odd pirate download or installing unlicensed software for 'evaluation purposes'? :D
But herein lies the major issue....

Unlicensed distribution Vs actually breaking into and destroying someone's private property.

You can easily assign a monetary damage to someone downloading software illegally and in the vast majority of the cases it is WAYYYY too small for most people to prosecute over.

When someone destroys your property and work.... big freaking difference.

The better equivalent would be someone hacking into and defacing Apple's website, stealing information from Google, or defacing a government website. Not downloading a torrent.
 