If you’re an avid video gamer, chances are that you know of Epic Games.
They’re the developers of popular games such as Infinity Blade, Gears of War, Unreal Tournament… and – if you’re as old as me – you might even remember their founder Tim Sweeney’s classic DOS era shareware game ZZT.
In other words, they’re great at making video games.
But if you visit the forum of Epic Games right now, this is what you’ll see…
We’re performing some Epic maintenance tasks. Everything will be back shortly!
“Maintenance tasks” sounds harmless enough, doesn’t it? But it’s not telling you the full story.
Because what’s really happened is that hackers managed to compromise the forum, and may now have their paws on members’ usernames, email addresses, passwords, and dates of birth.
An email sent out by Epic Games to forum members shares some of the sorry details.
So, that’s why the Epic Games forum is offline. They are resetting passwords and (hopefully) improving their security.
If you were a member of the forum you should not only reset your password when you next access the site, but also change your passwords anywhere else on the net if you were using the same credentials.
Furthermore, be aware that hackers might now have your email address and other personal information such as dates of birth. They may even have read private messages that you exchanged on the forum. All of this data could be abused to create carefully crafted phishing messages designed to dupe you into making unwise choices, or tricking you into clicking on dangerous links or attachments.
No details of precisely what went wrong have been shared publicly, but it’s possible that software being used to run the forum was not being properly maintained with updates, and that the hackers were able to exploit a vulnerability to gain access.
When I looked at a cached version of the Epic Games forum I found it was still using VBulletin 4.2.0 as its forum software, which should have received a number of updates and security fixes in the last couple of years.
Another potential explanation could be that a hacker managed to phish credentials from a moderator of the Epic Games forum, logged into the moderator’s account and was able to escalate their privileges to such an extent that they could steal users’ credentials.
VBulletin itself suffered a damaging hack in November 2013, which saw hackers run off with user IDs and hashed passwords, and the popular Apple News site MacRumors had its 860,000 members put at risk after its VBulletin forum was compromised.
Earlier in the same year, Ubuntu Forums was brought down after a hacker exploited a security hole in its vBulletin software, and defaced it with a picture of a gun-wielding penguin.
So, it’s clear that if you are running a web forum you need to treat its security as a priority – you owe it to your members to do that.
And as regular users of the internet, we must all adopt sensible password practices.
That means not just choosing complex, hard-to-crack passwords that hackers won’t be able to guess. But also making sure that each password we use on the net is unique.
Because, when a hack like the one that’s just occurred at Epic Games happens, there is always the danger that hackers might try to use the passwords they have stolen against other online accounts. So, if you are using the same password at Epic Games that you are using at, say, your Gmail account – they might be able to unlock much more of your online identity, with the resulting potential for mayhem.
Of course, you’re only human. And you can’t remember more than two or three complex, gobbledygook passwords.
So, my suggestion to you is that you should stop trying to remember them. Instead, get on the bus with a good password manager that will dream up and remember all of your internet passwords for you, and store them in an encrypted vault. That way, you only need to remember *one* strong complex password.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024