Epic Games Forums Hacked, User Details Exposed

In a new blog post, Epic says that it believes its Unreal Engine and Unreal Tournament forums have been compromised, with the attackers gaining access to email addresses and other information.

Unreal Tournament and Fortnite developer Epic Games has confirmed that the Unreal Engine and Unreal Tournament forums as well as some of its legacy forums were compromised in a massive breach affecting over 800,000 users. According to Google cache, they were using vBulletin 4.2.2, which has known security vulnerabilities including SQL injection. As a result, data including ’email addresses and other data entered into the forums’ was exfiltrated. “While the data contained in the vBulletin account databases for these forums were leaked, the passwords for user accounts are stored elsewhere”, the company explained.

That’s not the case for its legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums, Epic said. This attack, Epic admitted, ‘revealed email addresses, salted hashed passwords and other data entered into the forums.

Again, this is why you shouldn’t use the same password on every site. Sadly, this offers little protection for short and otherwise easily-guessable passwords.

This implies that your data was compromised when you used the forums (e.g. while logging in or posting), rather than simply because you had an account on one of them.

They also noted the forums are still online and users will not be required to reset their passwords.

Epic claimed that no other forums were affected, but this is not the first time that the firm’s security has been cracked, having suffered a similar breach in July past year.

“We apologize for the inconvenience this causes everyone and we’ll provide updates as we learn more”, Epic Games says.

More than 808,000 accounts were reportedly compromised. “SQLi” is a common type of web attack where a back-end database fails to filter malicious requests and returns data. Although it’s unclear which vulnerability was exploited in the that breach, vBulletin recently issued patches for a problem that could allow an attachment to exploit a system for vBulletin versions 3.8.7 and up. “You need to give it TLC for the rest of its life”. Children grow up and leave home.