EPIC GAMES has admitted that an attack on its forums has compromised 808,000 user accounts. Exposed information includes email addresses, dates of birth and private messages exchanged on the site.
The company is the developer behind Unreal, Infinity Blade and, in particular, the Unreal Engine that is widely used in PC gaming.
Epic admitted to the breach on Tuesday, but claimed that, while passwords were revealed in the attack on legacy forums covering Infinity Blade, UDK, old Unreal Tournament games and archived Gears of War forums, the compromise of the current Unreal Engine developer tool and Unreal Tournament forums did not include passwords in any form.
The firm blamed an SQL injection flaw in an outdated version of the vBulletin forum management software.
"We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed nor plaintext," said Epic in a post on its website.
"While the data contained in the vBulletin account databases for these forums was leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.
"Also, we believe a compromise of our legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums revealed email addresses, salted hashed passwords and other data entered into the forums.
"If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password."
Epic claimed that no other forums were affected, but this is not the first time that the firm's security has been cracked: it suffered a similar breach in July last year.
The attack came to light just weeks after the Dota 2 Dev forums were hacked, spilling almost two million credentials, including user names, emails, passwords and IP addresses. News of the Dota 2 hack came to light only after 1,923,972 records were published on LeakedSource.
The hack underscores the danger of using the same password on multiple websites, as one breach could endanger several of them when crackers try out the credentials gained in one hack on other sites.