
Ubisoft security incident [Update your uPlay password]

So if you haven't received an email on this, you don't have a direct account with Uplay? I know I'm connected but I think it's purely through PSN so I guess that doesn't count? :lol

What a bullfuckery of a system.

Nah I think it counts, maybe you used another email to register?

I know I did so.
 

Raytow

Member
Sethos said:
Thank god for two-stage authentication.
This I can get behind, the chances of getting my password hacked, and then my phone stolen by the hacker are astronomically low.
 
Thank god for two-stage authentication.

Nothing is safe.

Plus you might get into an account however you won't be able to get much information as the passwords are heavily encrypted.

I want LastPass to get this GIF into my vault

YouDidn'tSayTheMagicWord.gif


??? in the digital future, everyone with half a brain has a password manager and a different 60+ character password for every site they visit so they don't need to worry about this sort of stuff?

I want to live in your world.
 

Carbonox

Member
Nah I think it counts, maybe you used another email to register?

I know I did so.

Nope, I've checked the email addresses I use and none of them received anything from Uplay (ever, let alone just this password stuff). In the Assassin's Creed games I always logged in to Uplay via my PSN account rather than a direct Uplay account.

I guess that means I'm unaffected?
 

Akuun

Looking for meaning in GAF
Goddamnit. I had JUST made a uPlay account because of the AMD game bundle.

And yes, KeePass is the way to go.
 
Could this be why my email address has been bombarded by spammers?

Fucking ubisoft, I haven't been able to play far cry 3 for a month because of uPlay either.
 

javac

Member
I don't even know if I have an account. I put my email in and they sent me a link to change my password but I can't get further because I'm on my phone and the site isn't cooperating.
 

Stumpokapow

listen to the mad man
Eh LastPass got hacked last year IIRC.

This is not an accurate report of the situation. LastPass noticed some bizarre traffic coming from one of their servers. They immediately notified users of this and forced a master password reset. "We know roughly the amount of data transferred and that it's big enough to have transferred people's email addresses, the server salt and their salted password hashes from the database. We also know that the amount of data taken isn't remotely enough to have pulled many users' encrypted data blobs." In the end they concluded that either no or a very very very very small portion of data was breached (no one could actually prove any data was taken). All of that data was very securely encrypted and required the user's master password, which is supposed to be 12+ characters at a minimum, to get the underlying passwords. They brought in multiple external security firms to help audit. The real problem was that they reacted in an overkill way--they were too responsible in their disclosure, leading people to believe that the end result was that they were thoroughly hacked.

That's the summary of the event:
"For those of you who are curious: we don't have very much data indicating what potentially happened and what attack vector could have been used and are continuing to investigate it. We had our asterisk phone server more open to UDP than it needed to be which was an issue our auditing found but we couldn't find any indications on the box itself of tampering, the database didn't show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on."

You can trust LastPass.
 

Labadal

Member
I was 100% positive I had an account because one of their games requires it but it does not recognize my e-mail. Good news, I hope.
 
Nope, I've checked the email addresses I use and none of them received anything from Uplay (ever, let alone just this password stuff). In the Assassin's Creed games I always logged in to Uplay via my PSN account rather than a direct Uplay account.

I guess that means I'm unaffected?

Maybe, but I would change it just to be sure.
 

CTLance

Member
I am! Can't wait to change my password every other day!
"we listened to customer feedback and have decided to require a security token, yours for only 19.99 plus S&H. Oh, we also amended the TOS so that it's your fault by default"
 

JaseC

gave away the keys to the kingdom.
For those changing their password, I'd advise against using special characters as some of Ubi's in-game log-in forms do not accept them. I learnt this the hard way with Far Cry 2.
 

javac

Member
??? in the digital future, everyone with half a brain has a password manager and a different 60+ character password for every site they visit so they don't need to worry about this sort of stuff?

How does this work? Genuinely curious because typing a 60 character password on my phone whenever I want to log into something sounds pretty exhausting. I guess you mean just for the important stuff with things like bank details stored etc?
 

Grieves

Member
Crap, if they have my email address and password they can now log onto my Facebook account.

Maybe they could update it with something interesting.
 

Stumpokapow

listen to the mad man
And then someone hacks your password manager.

With all due respect, that's not going to happen. First because most password managers use local storage, so it's not possible to blanket hack them. Second because those that don't still use absurdly strong encryption and rely on the user having a secure master password--it's not remotely similar to your standard hack a vulnerable web server, steal a gazillion unsalted md5 passwords scenario, so a hack wouldn't result in the kind of data disclosure that's problematic here.

How does this work? Genuinely curious because typing a 60 character password on my phone whenever I want to log into something sounds pretty exhausting. I guess you mean just for the important stuff with things like bank details stored etc?

The first half of the sentence explains how it works--you use a password manager. You don't "type a 60 character password".
 

Torraz

Member
Fuck. Think I used the uplay password several times... Not sure how many times I've used that password...

Financial / sensitive stuff have their individual passwords of course.
 

rbanke

Member
??? in the digital future, everyone with half a brain has a password manager and a different 60+ character password for every site they visit so they don't need to worry about this sort of stuff?

can't be said enough. These things happen all the time regardless of industry and will continue to happen. Took me all of 30 seconds to change my ubi-unique password with 1password.
 

LiK

Member
Received two emails. Guess I forgot I had two Uplay accounts. One was with an old email. Probably for AC2 when they forced me to use it.
 

Torraz

Member
Which password utility program thingy is most recommended? Some quick googling turned up:
- lastpass
- 1password
- keepass

This should be a nice project for thursday when I need to stay home to wait for a delivery...
 

Labadal

Member
Which password utility program thingy is most recommended? Some quick googling turned up:
- lastpass
- 1password
- keepass

This should be a nice project for thursday when I need to stay home to wait for a delivery...

This x2.
 

smr00

Banned
Received two emails. Guess I forgot I had two Uplay accounts. One was with an old email. Probably for AC2 when they forced me to use it.
This is how I just found what email is linked, I was cycling through my multiple Gmail accounts and noticed the email.

I only have 2 games on it from PC and no real person info on the account so it wouldn't really bother me if someone got on it. All they would get was an outdated password that isn't used for anything else, outdated email and 2 decent PC games along with a bunch of fake name/address stuff.
 

JaseC

gave away the keys to the kingdom.
Which password utility program thingy is most recommended? Some quick googling turned up:
- lastpass
- 1password
- keepass

This should be a nice project for thursday when I need to stay home to wait for a delivery...

I use LastPass myself. My only complaint is that its Android app doesn't integrate with the phone's default browser and LastPass' own browser is terrible, but I don't do a lot of stuff on my phone that requires access to my vault, anyway.
 

Stumpokapow

listen to the mad man
Which password utility program thingy is most recommended? Some quick googling turned up:
- lastpass
- 1password
- keepass

This should be a nice project for thursday when I need to stay home to wait for a delivery...

Lastpass: Free on your computer, $1/month on your mobile, they store your data.

1password: Absurdly expensive but beautiful and very easy to use, upfront app cost on your mobile, you store your own data and sync it using whatever service you want (Dropbox). Also major version upgrades (every 2-3 years) require you to re-buy.

Keepass: I think totally free, but not sure what your mobile options are.

I use 1password but I wouldn't if I had had to pay for it.
 

Tunesmith

formerly "chigiri"
I only use it for console titles and have never purchased a UPlay enabled PC-title. I have used Uplay on several console titles to unlock extras in games with UPlay points

Anyone know if my "console only UPlay interaction" verifies me having an actual UPlay account that I need to change? (I can't remember having to make a separate username/password or something)

Skimmed the thread so maybe this has been answered already, but yes, if you have used UPlay on consoles, a UPlay account exists in the email that your Gamertag is listed under. The actual username will have been randomly generated by UPlay however, but an account exists nonetheless.

This was the case for me, my first PC UPlay title was Farcry 3, and since you had to make a UPlay account for it, I found out I had one already -- from console. It was generated when I first played Ghost Recon Advanced Warfighter, in 2006.

Lastpass: Free on your computer, $1/month on your mobile, they store your data.

1password: Absurdly expensive but beautiful and very easy to use, upfront app cost on your mobile, you store your own data and sync it using whatever service you want (Dropbox). Also major version upgrades (every 2-3 years) require you to re-buy.

Keepass: I think totally free, but not sure what your mobile options are.

I use 1password but I wouldn't if I had had to pay for it.

To add to this, semi-fringe case, but iCloud Keychain in iOS7/Mavericks once they're out publicly, free and works well (in its current beta form).
 

Sethos

Banned
Which password utility program thingy is most recommended? Some quick googling turned up:
- lastpass
- 1password
- keepass

This should be a nice project for thursday when I need to stay home to wait for a delivery...

I've been satisfied with LastPass but I think they are all good.
 

rbanke

Member
Which password utility program thingy is most recommended? Some quick googling turned up:
- lastpass
- 1password
- keepass

This should be a nice project for thursday when I need to stay home to wait for a delivery...

I've used 1password for quite a long time and it works well. There is definitely a hump to get over when you first start using it. It sucks the first week, gets easier the second, and eventually you don't even think about it.
 
Which password utility program thingy is most recommended? Some quick googling turned up:
- lastpass
- 1password
- keepass

This should be a nice project for thursday when I need to stay home to wait for a delivery...

I've tried Lastpass and 1Password and I was the most satisfied with 1Password. It is a bit costly though...
 

Torraz

Member
Lastpass: Free on your computer, $1/month on your mobile, they store your data.

1password: Absurdly expensive but beautiful and very easy to use, upfront app cost on your mobile, you store your own data and sync it using whatever service you want (Dropbox). Also major version upgrades (every 2-3 years) require you to re-buy.

Keepass: I think totally free, but not sure what your mobile options are.

I use 1password but I wouldn't if I had had to pay for it.

Thank you.

I don't "do" a lot of mobile log-ins, so I'll be taking a look at lastpass and keepass.

:edit: For KeePass there is a highly rated (free) Android app https://play.google.com/store/apps/details?id=com.android.keepass&hl=en.

I've tried Lastpass and 1Password and I was the most satisfied with 1Password. It is a bit costly though...

Thanks for the feedback. It's a bit on the expensive side, so I hope the free/cheaper alternatives will suffice for my limited needs.
 

rbanke

Member
Lastpass: Free on your computer, $1/month on your mobile, they store your data.

1password: Absurdly expensive but beautiful and very easy to use, upfront app cost on your mobile, you store your own data and sync it using whatever service you want (Dropbox). Also major version upgrades (every 2-3 years) require you to re-buy.

Keepass: I think totally free, but not sure what your mobile options are.

I use 1password but I wouldn't if I had had to pay for it.

May be worth noting that 1password goes on sale fairly regularly
 