- Nov 23, 2011
http://www.securityweek.com/unity-game-engine-forum-hacked
Security Week said:
Over the weekend, hackers breached the official forum of the Unity cross-platform game engine developed by Unity Technologies. The attackers claim to have stolen user data, but the company has denied that any sensitive information has been compromised.
The hacker group calling itself OurMine has defaced the Unity forum and abused it to send out emails to registered users via a built-in mass email feature. In their message, the hackers informed recipients that they had gained access to a database containing the details of 2 million users, and advised everyone to change their passwords.
In a blog post published on Monday, Unity confirmed the breach and blamed it on “poorly implemented password routines.” However, the company claims the hackers only accessed “a limited set of data,” and assured users that no passwords, payment information or other Unity services had been compromised.
“No passwords were lost in the breach, but we still recommend a password change due to possibility of the group having emails and passwords from another source, which could be used to access their account,” Unity representatives said.
The company says it does not store passwords in clear text, and it plans on rolling out additional account protections in the next few weeks, including two-factor authentication, alerts for logins from unrecognized devices, and new password policies.
The forum was taken offline following the hack, but it has now been restored. Some posts may have been lost as the forum was restored using a backup timestamped April 30, 14:01 CEST.
Gaming-related forums have often been targeted by cybercriminals. The list of breached websites includes ones dedicated to Bohemia Interactive’s DayZ, Epic Games’ Unreal Engine and Unreal Tournament, and Valve’s Dota 2.
OurMine, which describes itself as a group that provides security services, has targeted numerous high profile social media accounts in the past months.
The hackers have taken over the online accounts of Sony Music Entertainment, Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, Spotify founder Daniel Ek, and many others. The group recently also hijacked several high profile YouTube accounts.
https://blogs.unity3d.com/2017/05/01/unity-forum-hack-update/
Unity said:
Hi all,
On April 30, our public forum website was attacked and successfully compromised due to poorly implemented password routines; our investigations show no theft of passwords in this attack, nor impact to any other Unity service.
However, the attack did result in defacement of the site (which has since been fixed) and subsequent messaging to all of our registered forum users.
We’re actively working to improve the authentication options in our services, and to help protect your data we’ll be rolling out the following in the next few weeks:
2FA will enable you to use one time passwords tied to the Unity Authentication platform. This will also be enforced in forums.
Device Identification will alert and/or prompt you if a new PC or Mobile device tries to connect to a Unity service, with your credentials.
Enable a per organization password reset, rotation and strength policy.
We’re sorry. We know you put your trust in us. We will learn from our mistakes.
Director of Security
"our public forum website was attacked and successfully compromised due to poorly implemented password routines"
So are they saying certain user(s) passwords were compromised or guessed and that's how they gained XF and server access? If so, it doesn't sound like an XF issue, but a general password management and best practice issue.
If so, sounds like a good reason to get on top of better password complexity suggestions and best practice explanations at registration.
I'm currently using this and it works well.
Edit: It seems some users on their forum think it may be to do with username and password reuse from previously hacked sites.