Codemasters' Website Hacked
skybon writes "After similar attacks on Sony and Square Enix, Codemasters' website has now been hacked as well. The intrusion took place on 3 June, and is believed to have compromised members' names, usernames, screen names, email addresses, date of birth, encrypted passwords, newsletter preferences, any biographies entered by users, details of last site activity, IP addresses and Xbox Live Gamertags. In a letter sent out to CodeM subscribers, the company recommended changing passwords as soon as possible."
Epic Forums (Score:2)
Re: (Score:3)
Sites th
DDOS (Score:2)
Re: (Score:2)
Even at that rate, a random 10-character password is essentially uncrackable.
The standard way of artificially strengthening the hash is to N-round HMAC-SHA1 (or HMAC-MD5, I suppose), where N is chosen so that the computation takes a fair amount of time. This is better for client-side encryption, where you have time to waste per request, and less popular for server-side encryption, where you don't want to consume that much processing power. Still usable server-side, though.
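Added example, not part of the comment above or of any site's code: the N-round HMAC idea in its standardized form, PBKDF2, with a per-user salt and the round count stored beside the hash so N can be raised later. SHA-256, the `$`-separated record format and all function names are assumptions of this sketch; the comment itself names HMAC-SHA1.

```python
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"      # assumption: the comment mentions HMAC-SHA1 / HMAC-MD5
SALT_BYTES = 16
MAX_ROUNDS = 10_000_000   # refuse absurd round counts from a tampered record


def calibrate_rounds(target_seconds=0.05, probe_rounds=20_000):
    """Choose N so that one hash costs roughly target_seconds on this host."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"probe", b"\x00" * SALT_BYTES, probe_rounds)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe_rounds, int(probe_rounds * target_seconds / elapsed))


def hash_password(password, rounds):
    """Return 'scheme$rounds$salt$digest' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds)
    return f"pbkdf2-{HASH_NAME}${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, record, current_rounds):
    """Return (ok, needs_rehash); needs_rehash is True when N has since grown."""
    try:
        scheme, rounds_s, salt_hex, digest_hex = record.split("$")
        rounds = int(rounds_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False, False          # malformed record: fail closed
    if scheme != f"pbkdf2-{HASH_NAME}" or not 1 <= rounds <= MAX_ROUNDS:
        return False, False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, rounds)
    ok = hmac.compare_digest(candidate, expected)   # constant-time comparison
    return ok, ok and rounds < current_rounds


if __name__ == "__main__":
    n = calibrate_rounds()
    rec = hash_password("constructed sample password", n)
    print(n, verify_password("constructed sample password", rec, n))
```

Because the round count travels with each record, old hashes keep verifying after N is raised and can be re-hashed at the user's next successful login.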
Re: (Score:2)
"Salting is now mostly irrelevant because the latest consumer ATI card can calculate 5.5 BILLION MD*/SHA* hashes per second."
And that's why you write your own non-standard algorithm that makes GPU busting almost impossible due to modern GPU architecture.
Notice how ATi cards are beating nVidia cards in bitcoin generation. It's almost purely an architectural issue.
Re: (Score:1)
This is yet another reason that the whole idea of forcing users to use their real names on Battle.net and Blizzard/Activision forums was a fucking awful one. And yeah, the problem with the passwords is that they point out that the passwords were hashed, but they don't mention whether they were salted. It seems obvious, but many people who bother to hash their password database don't bother to salt that hash.
Re: (Score:2)
But what if I crack your hack when I hack your crack?
--Jack
Codemasters' Rootkit? (Score:5, Insightful)
Hey, you're not allowed to hack companies who aren't flagrantly, explicitly evil! It's almost like you're hacking companies whose security is weak, rather than acting as moral crusaders. How could that be?
Re: (Score:1)
"LulzSec"
Are they like C-Sec, but just for the "Lulz"?
Re: (Score:1)
Yay! Someone got my geeky reference!
Re: (Score:2)
Storing personal data without appropriate security controls in place is 'evil'. If companies develop an expectation that they *will* be hacked without good security measures then that is a good thing.
Eheh, Lotro Online Europe (Score:2)
Evil enough for anyone. You don't get two products taken away from you if you don't suck to high heaven (Turbine took both DDO and Lotro back from Codemasters' inept handling).
Re: (Score:2)
Hey, you're not allowed to hack companies who aren't flagrantly, explicitly evil! It's almost like you're hacking companies whose security is weak, rather than acting as moral crusaders. How could that be?
No sympathy. Their copy protection bullshit has on more than one occasion caused me more grief than most other companies' crap (and I am not a pirate by the way). Hate that my account may have been compromised, especially since I haven't used it in years (quite literally).
#ifndef MASTERS (Score:3, Funny)
I'm going to go right ahead and say they ain't codeMASTERS if they got hacked....
Re: (Score:1)
so, let me see ....................
some one has mastered the masters
When eligibility depends on the birthday (Score:2)
the real lessons they should take here are that they should not even ask for things like date of birth - they could just ask for the year for example
Some web sites have legal reasons to require all users to be at least 13, 18, or 21 years old (to use examples of thresholds from U.S. federal law). Say your web site requires all users to be at least 18 years old. If the sign-up form asks for just the Gregorian year, how would the site distinguish an 18-year-old, whose birthday is before today, from a 17-year-old, whose birthday is after today?
Re: (Score:3, Insightful)
Interesting thought, but this is the same public that now accepts getting groped at TSA checkpoints by 300lb, $14/hr rentacops because somebody could be a terrorist. If Anonymous or somebody else were to break into the credit bureaus or some other high-value target - I fully expect there may be a couple of nominal changes, but the anger will be focused squarely on the "terrorists" who are trying to undermine our country's economy.
3rd of June? (Score:1)
That was 8 days ago! I am so glad they reported this so promptly.
Epic Games too (Score:1)
Our Epic Games web sites and forums were recently hacked. After some downtime, they're back up and running now.
The hackers may have obtained the email addresses and encrypted passwords of forum users. Plaintext passwords weren't revealed, but it's possible that those passwords could be obtained by a brute-force attack on the encrypted passwords. Therefore, we have reset all passwords. Your new password is at the bottom of this message.
The Unreal Developer Network (UDN) hasn't been compromised. Thankfully, none of our web sites ask for, or store, credit card information or other financial data.
We're sorry for the inconvenience, and appreciate everyone's patience as we wrestle our servers back under control.
Tim Sweeney
Founder, Epic Games Inc
Re: (Score:1)
The mail omitted a crucial piece of advice:
"Please log in and change your password to a new value as soon as possible."
Since the reset password was transmitted unencrypted over email, it should not be treated as secure.
Re: (Score:2)
Encrypted, not hashed. Assuming they actually do mean encrypted. You'd still have to worry about whether they compromised the key as well, unless they're using something like a PrivateServer HSM - although I suspect that might be considered overkill for a games website.
Valve/Steam (Score:4, Informative)
If Valve's servers get hacked with disastrous consequences (Steam accounts get deleted/hacked/etc, credit card details, other personal info), all hell will break loose. There will also be much smugness from those who don't use Steam for this very reason.
Re: (Score:3)
The fact that they haven't, while smaller targets have fallen already, might be telling...
Re: (Score:2)
Of course they haven't [slashdot.org].
Re: (Score:2)
That's hardly Steam, is it?
Re: (Score:2)
Steam accounts get hacked all the time, but usually through the users' computers.
Valve has actually been pretty proactive on this front. They recently released their SteamGuard system which authenticates logins from new computers via email. It doesn't help if the user uses one password for both his email and Steam, but it's pretty good against most password thefts.
Re: (Score:2)
Steam and Google are the two sole online businesses that I know of (bar, say, banks) that have more than a simple username/password identification. The former forces you to authenticate every PC you use it on, which can only be done through your email. The latter uses 2-factor authentication through smartphones.
I think Steam is fairly safe. You'd have to be able to get the passwords (which are very likely salted and hashed) and could only attack those people who reuse the same password for both their Steam
Re: (Score:2)
Actually, compared to a debit card a credit card is pretty safe. Debit cards are easier to get but you lack many of the protections (like chargeback) that credit cards offer.
Be careful all in all - not having a credit card might actually bite you in the ass if you ever decide to buy a home or get some type of loan. No credit is practically worse than bad credit.
Re: (Score:2)
I had no problems buying stuff online with a debit card. (From Amazon; for no-name shops there's PayPal; I wouldn't trust them with my CVV.)
Re: (Score:2)
It's the reason I use a virtual credit card with one-time numbers online. I only use my real credit card at a limited number of places.
What's the point in hacking? (Score:1)
Re: (Score:1)
The answer is surprisingly simple.
Hackers have very tiny penises.
Re: (Score:2)
What's the point of going to Slashdot and making a comment? Same reason.
This should get all of us very worried... (Score:1)
I have the best security (Score:1)
I hack my own servers daily. My security is 31337 (Pull the Plug)
Good! (Score:1)