Epic Games, the creator of titles like Unreal Tournament and Fortnite, has confirmed that their Unreal Engine, Unreal Tournament Forums and even some of the legacy forums have been breached by an unknown hacker. According to a post from the company, the attack has left email addresses “other data entered into the forums” compromised.
According to a breach notification site, LeakedSource, which obtained a copy of the database, the attack was carried out on 11 August. The attack potentially puts an average number of 800,000 users at the risk of credential exposure including IP addresses, usernames, email addresses, scrambled passwords, user activity data, private messages, posts and birth dates.
We have placed our forums in maintenance mode while we investigate the recent compromise.
— Epic Games (@EpicGames) August 23, 2016
The hacker allegedly exploited a known SQL injection vulnerability generally found in outdated versions of vBulletin forum software.
However, Epic Games said in a blog post that passwords on the Unreal Forums have not been compromised, “We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed, nor plaintext,” the blog post further noted, “While the data contained in the vBulletin account databases for these forums were leaked, the passwords are stored elsewhere.”
But the company also notified users that their legacy forums for their old Unreal Tournament, Gears Of War and Infinity Blade have also been breached, which places data such as email addresses and passwords at the risk of exposure and so they have advised that, “If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password.”