Game Company Ubisoft Hacked, User Accounts Compromised

French video game developer and publisher company Ubisoft suffered a hack to one of their websites according to a statement published today. Customer data including names, emails and encrypted passwords were accessed by unauthorized third parties and should be considered part of the public domain now.

It is not clear how the breach happened as Ubisoft declined to share all the details: “Credentials were stolen and used to illegally access our online network. We can’t go into specifics for security reasons.“. However, their comment seems to suggest that a Ubisoft employee’s credentials were stolen (spear phishing attack perhaps?) and those credentials were sufficient to access sensitive data.

The company prompted its users to change their password immediately while insisting the passwords were not stored in plain text, but rather encrypted, which makes it more difficult for the bad guys to retrieve them.


Despite coming forward and apologizing, Ubisoft is getting hit with hundreds of nasty comments on its forum, although many are uncalled for:

Congrats UBISOFT for making me change all my passwords for everything I use. Bank, Credit Cards, Email, Utilities, Cell Phone, College. How about some compensation! Your ignorance leads to unnecessary burdens on your users. This bit of having accounts compromised has grown old. No body learned anything from Sony. The Uplay thing is junk and there’s no reason for it. Played hawx back in 2006 forget I even had a UBISOFT account. Didn’t realize you guys even existed anymore.

If that person is using the same password for Uplay as his banking account then I really don’t feel sorry for him.

Here are some things to take away from this:

  • Do not reuse the same password on multiple online accounts.
  • Choose a strong password (encrypted passwords can indeed be retrieved if they match a dictionary word or are weak)
  • Only disclose the information required (additional tidbits you give are used for marketing purposes and are golden nuggets for identity thieves).
  • Watch out for phishing scams asking to reset your Uplay password. Now that email addresses have been collected, such scams will come out.


Jérôme Segura

Principal Threat Researcher