
Epic Games forum hacked – change your online passwords, and beware of phishing

If you’re an avid video gamer, chances are that you know of Epic Games.

They’re the developers of popular games such as Infinity Blade, Gears of War, Unreal Tournament… and – if you’re as old as me – you might even remember their founder Tim Sweeney’s classic DOS era shareware game ZZT.

In other words, they’re great at making video games.

But if you visit the forum of Epic Games right now, this is what you’ll see…

[Screenshot: the Epic Games forum maintenance page]

We’re performing some Epic maintenance tasks. Everything will be back shortly!

“Maintenance tasks” sounds harmless enough, doesn’t it? But it’s not telling you the full story.

Because what’s really happened is that hackers managed to compromise the forum, and may now have their paws on members’ usernames, email addresses, passwords, and dates of birth.

An email sent out by Epic Games to forum members shares some of the sorry details.

[Screenshot: the email Epic Games sent to forum members]

So, that’s why the Epic Games forum is offline. They are resetting passwords and (hopefully) improving their security.

If you were a member of the forum you should not only reset your password when you next access the site, but also change your passwords anywhere else on the net if you were using the same credentials.

Furthermore, be aware that hackers might now have your email address and other personal information such as dates of birth. They may even have read private messages that you exchanged on the forum. All of this data could be abused to create carefully crafted phishing messages designed to dupe you into making unwise choices, or tricking you into clicking on dangerous links or attachments.

No details of precisely what went wrong have been shared publicly, but it’s possible that software being used to run the forum was not being properly maintained with updates, and that the hackers were able to exploit a vulnerability to gain access.

When I looked at a cached version of the Epic Games forum I found it was still using vBulletin 4.2.0 as its forum software, which should have received a number of updates and security fixes in the last couple of years.

Another potential explanation could be that a hacker managed to phish credentials from a moderator of the Epic Games forum, logged into the moderator’s account and was able to escalate their privileges to such an extent that they could steal users’ credentials.

vBulletin itself suffered a damaging hack in November 2013, which saw hackers run off with user IDs and hashed passwords, and the popular Apple news site MacRumors had its 860,000 members put at risk after its vBulletin forum was compromised.

Earlier in the same year, Ubuntu Forums was brought down after a hacker exploited a security hole in its vBulletin software, and defaced it with a picture of a gun-wielding penguin.

So, it’s clear that if you are running a web forum you need to treat its security as a priority – you owe it to your members to do that.

And as regular users of the internet, we must all adopt sensible password practices.

That means not just choosing complex, hard-to-crack passwords that hackers won’t be able to guess, but also making sure that each password we use on the net is unique.

Because, when a hack like the one that’s just occurred at Epic Games happens, there is always the danger that hackers might try to use the passwords they have stolen against other online accounts. So, if you are using the same password at Epic Games that you are using at, say, your Gmail account – they might be able to unlock much more of your online identity, with the resulting potential for mayhem.

Of course, you’re only human. And you can’t remember more than two or three complex, gobbledygook passwords.

So, my suggestion to you is that you should stop trying to remember them. Instead, get on the bus with a good password manager that will dream up and remember all of your internet passwords for you, and store them in an encrypted vault. That way, you only need to remember *one* strong complex password.
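One way to act on that advice after a breach like this one, as an added example that is not from the article: a small Python script that reads a password-manager export (an assumed name,url,username,password CSV layout, with constructed sample data) and lists the other accounts that share the breached site's password and so need rotating too.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in a common "name,url,username,password" CSV
# layout. Every value here is made up for the example.
SAMPLE_EXPORT = """name,url,username,password
Epic Games forum,https://forums.example.com,gamer42,Tr0ub4dor&3
Gmail,https://mail.google.com,gamer42@example.com,Tr0ub4dor&3
Bank,https://bank.example,gamer42,correct horse battery staple
Steam,https://store.example,gamer42,Tr0ub4dor&3
Work VPN,https://vpn.example.org,g.amer,Xk9$mQ2!vL
"""


def load_export(csv_text):
    """Parse an export into a list of (name, username, password) rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(r["name"], r["username"], r["password"]) for r in reader]


def reused_passwords(entries):
    """Group account names by password; keep only passwords used on 2+ accounts."""
    by_password = defaultdict(list)
    for name, _user, password in entries:
        by_password[password].append(name)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def accounts_to_rotate(entries, breached_site):
    """Return the OTHER accounts that share the breached site's password.

    These are the accounts an attacker could unlock by replaying the stolen
    credential, so they need a new password as well."""
    leaked = {pw for name, _u, pw in entries if name == breached_site}
    return sorted(name for name, _u, pw in entries
                  if pw in leaked and name != breached_site)


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    # Only account names are printed; the passwords themselves never are.
    for names in reused_passwords(rows).values():
        print(f"one password shared by {len(names)} accounts: {', '.join(names)}")
    print("rotate after the forum breach:",
          accounts_to_rotate(rows, "Epic Games forum"))
```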

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment



  • The theft of usernames and passwords would be little more than an inconvenience if everyone used a unique password for each site. Meanwhile, back in the real world, the task of educating the masses on sound security practices continues.

    The theft of email addresses is somewhat more troublesome. Spam is the first and most obvious consequence, but in conjunction with stolen date of birth information, it’s a potential identity theft disaster.

    I have yet to hear a convincing explanation as to why any commercial web site needs my date of birth. And for a gaming forum, it’s an utterly absurd requirement. If they want to know whether I meet a minimum age requirement, then they can bloody well ask for my age. But if they ask for my date of birth, they’re going to get fiction. It’s none of their business.

    Thanks for a great article as usual, Graham.