Unreal Tournament and Fortnite developer Epic Games has confirmed that the Unreal Engine and Unreal Tournament forums, as well as some of its legacy forums, were compromised in a massive breach affecting over 800,000 users. According to breach notification site LeakedSource, which obtained a copy of the database, the attack was carried out on 11 August.
Allegedly exploiting a known SQL injection vulnerability usually found in outdated versions of vBulletin forum software, the unknown hacker has stolen data from hundreds of thousands of forum accounts including usernames, email addresses, scrambled passwords, IP addresses, birth dates, user activity data, private messages and posts, ZDNet reports. The publication also notes that Facebook access tokens for users who signed in with their social account were swiped.
The famed developer behind the successful Gears of War series and popular MOBA Paragon, however, insisted that passwords were not compromised on the Unreal Forums.
"We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext," Epic staff wrote in a blog post. "While the data contained in the vBulletin account databases for these forums were leaked, the passwords are stored elsewhere."
They also noted the forums are still online and users will not be required to reset their passwords.
However, Epic said that a compromise of its legacy forums covering Infinity Blade, Unreal Development Kit (UDK), previous Unreal Tournament games and archived Gears of War forums did reveal email addresses, salted hashed passwords and other user data entered into the forums. Players who have been active on these forums since July 2015 have been advised to change their passwords on any website where they have used the same password.
The developer says its other Epic-related forums, including Paragon, Fortnite, Shadow Complex and SpyJinx, were not affected, and that it will provide updates on the breach as it learns more.
The latest breach is yet another example of a site operating out-of-date forums falling victim to hackers exploiting known weaknesses by using readily available tools to gain access and nab user data.
In July, the official forum for popular mobile strategy game Clash of Kings was reportedly breached in a similar attack. DLH.net, a gaming news site that provides news, reviews, cheat codes and forums, was also reportedly infiltrated last month by an unknown hacker who swiped over nine million Steam game keys. The same hacker was also allegedly responsible for the Dota 2 forum breach earlier in August.