
Security Games

Codemasters' Website Hacked

Posted by Soulskill
from the when-in-rome dept.
skybon writes "After similar attacks on Sony and Square Enix, Codemasters' website has now been hacked as well. The intrusion took place on 3 June, and is believed to have compromised members' names, usernames, screen names, email addresses, date of birth, encrypted passwords, newsletter preferences, any biographies entered by users, details of last site activity, IP addresses and Xbox Live Gamertags. In a letter sent out to CodeM subscribers, the company recommended changing passwords as soon as possible."
  • The Epic forums got hit too, with usernames and encrypted passwords. At least, the UDK forums did, and I assume the Gears and other game-specific ones did too. Got the email about that today. At least they encrypted passwords, hopefully with a good salt.
    • by Seumas (6865)

      This is yet another reason that the whole idea of forcing users to use their real names on Battle.net and Blizzard/Activision forums was a fucking awful one. And yeah, the problem with the passwords is that they point out that the passwords were hashed, but they don't mention whether they were salted. It seems obvious, but many people who bother to hash their password database don't bother to salt that hash.
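
The hashed-versus-salted distinction raised above, as an added example that is not part of the original comments: it compares what an unsalted hash table and a per-user salted table each reveal about password reuse across accounts. The account names, passwords and the `ITERATIONS` value are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000  # assumed work factor for this sketch; tune for your hardware


def unsalted_hash(password):
    """Plain SHA-256 with no salt: equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).digest()


def salted_record(password):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_value_groups(table):
    """Users whose stored values collide, i.e. what a leaked table reveals."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts (not from the breach described on this page).
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}

UNSALTED = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
SALTED = {u: salted_record(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted collisions:", shared_value_groups(UNSALTED))
    print("salted collisions:  ", shared_value_groups(SALTED))
    print("bob verifies:", verify("hunter2", SALTED["bob"]))
```
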

  • by TheVelvetFlamebait (986083) on Saturday June 11, 2011 @03:31AM (#36409464) Journal

    Hey, you're not allowed to hack companies who aren't flagrantly, explicitly evil! It's almost like you're hacking companies whose security is weak, rather than acting as moral crusaders. How could that be?

    • Storing personal data without appropriate security controls in place is 'evil'. If companies develop an expectation that they *will* be hacked without good security measures then that is a good thing.

    • Evil enough for anyone. You don't get two products taken away from you if you don't suck to high heaven (Turbine took both DDO and Lotro back from Codemasters' inept handling).

    • by syousef (465911)

      Hey, you're not allowed to hack companies who aren't flagrantly, explicitly evil! It's almost like you're hacking companies whose security is weak, rather than acting as moral crusaders. How could that be?

      No sympathy. Their copy protection bullshit has on more than one occasion caused me more grief than most other companies' crap (and I am not a pirate by the way). Hate that my account may have been compromised, especially since I haven't used it in years (quite literally).

  • by waddgodd (34934) on Saturday June 11, 2011 @03:41AM (#36409504) Homepage Journal

    I'm going to go right ahead and say they ain't codeMASTERS if they got hacked....

    • by rust627 (1072296)

      so, let me see
      some one has mastered the masters ....................

    • In fairness, they never claimed to be php/SQL masters. They're probably referring to being masters at trying to sell you cheat codes to games they make.
    • by gl4ss (559668)
      the website was probably run by some dweebs they found on the street. but the real lessons they should take here are that they should not even ask for things like date of birth - they could just ask for the year for example, and even then store it ONLY if the user wants it to be shown on the forums. it makes it much easier for someone to do something with the hacked data - and they got about zero guarantee about the data being right so it's not much use for codemasters itself...
      • the real lessons they should take here are that they should not even ask for things like date of birth - they could just ask for the year for example

        Some web sites have legal reasons to require all users to be at least 13, 18, or 21 years old (to use examples of thresholds from U.S. federal law). Say your web site requires all users to be at least 18 years old. If the sign-up form asks for just the Gregorian year, how would the site distinguish an 18-year-old, whose birthday is before today, from a 17-year-old, whose birthday is after today?

  • That was 8 days ago! I am so glad they reported this so promptly.

  • Got a couple of emails from them:

    Our Epic Games web sites and forums were recently hacked. After some downtime, they're back up and running now.

    The hackers may have obtained the email addresses and encrypted passwords of forum users. Plaintext passwords weren't revealed, but it's possible that those passwords could be obtained by a brute-force attack on the encrypted passwords. Therefore, we have reset all passwords. Your new password is at the bottom of this message.

    The Unreal Developer Network (UDN) hasn't been compromised. Thankfully, none of our web sites ask for, or store, credit card information or other financial data.

    We're sorry for the inconvenience, and appreciate everyone's patience as we wrestle our servers back under control.

    Tim Sweeney
    Founder, Epic Games Inc

    • The mail omitted a crucial piece of advice:
      "Please log in and change your password to a new value as soon as possible."
      Since the reset password was transmitted unencrypted over email, it should not be treated as secure.

  • Valve/Steam (Score:4, Informative)

    by atomicbutterfly (1979388) on Saturday June 11, 2011 @05:27AM (#36409718)

    If Valve's servers get hacked with disastrous consequences (Steam accounts get deleted/hacked/etc, credit card details, other personal info), all hell will break loose. There will also be much smugness from those who don't use Steam for this very reason.

    • The fact that they haven't, while smaller targets have fallen already, might be telling...

    • by gl4ss (559668)
      steam accounts get hacked all the time, but usually through the users' computers.. also cs keycodes were rampantly generated and hacked and traded, but the success of counter strike really made steam a target as soon as it started.
      • steam accounts get hacked all the time, but usually through the users' computers.

        Valve has actually been pretty proactive on this front. They recently released their SteamGuard system which authenticates logins from new computers via email. It doesn't help if the user uses one password for both his email and Steam, but it's pretty good against most password thefts.

    • by Nemyst (1383049)

      Steam and Google are the two sole online businesses that I know of (bar, say, banks) that have more than a simple username/password identification. The former forces you to authenticate every PC you use it on, which can only be done through your email. The latter uses 2-factor authentication through smartphones.

      I think Steam is fairly safe. You'd have to be able to get the passwords (which are very likely salted and hashed) and could only attack those people who reuse the same password for both their Steam

    • Valve's server DID get hacked back before the release of Half Life 2, which resulted in the source code for their Source engine, and an unfinished build of Half Life 2 getting leaked. I have a feeling they learned their lesson after that. They definitely have the money to do security correctly, if they wish.
  • Why is there so much hacking lately? I really don't understand people's motive to hack some servers, websites. Ok one could be money (credit card info, mail databases to sell, etc.) and maybe the other challenge for someone. But hacking is never harmless.
    • by Anonymous Coward

      The answer is surprisingly simple.

      Hackers have very tiny penises.

    • by Osgeld (1900440)

      what's the point of going to slashdot and making a comment? same reason

  • At least news like this gets me very worried... why? cos all these announcements were not made by the companies who got their servers hacked... but were made by the hackers who did that... i wonder how many hackings are done without anyone knowing ... without anyone making those attacks public... and in theory security engineers learn from things like that.... is called Forensics right? hmmm and some ppl say " There is not such thing as ethical hacking..".... why not? i know from experience that you need
  • I hack my own servers daily. My security is 31337 (Pull the Plug)