Another day, another hack: 800,000 credentials compromised in Epic Games forum attack

Unreal developer 'loses' user names, passwords and more due to SQL injection attack

Epic Games, the developer behind the popular Unreal first-person shooter and the Unreal Engine widely used in games development, has admitted that an attack on its forum has compromised more than 800,000 user accounts.

Information exposed by the attack includes email addresses, dates of birth and private messages exchanged on the site.

Epic admitted the breach on Tuesday, but claimed that, while passwords were revealed in the attack on legacy forums covering Infinity Blade, UDK, old Unreal Tournament games and archived Gears of War forums, the compromise of the current Unreal Engine developer tool and Unreal Tournament forums did not include passwords in any form.

The company blamed a SQL injection flaw in an outdated version of the vBulletin forum management software.

"We believe a recent Unreal Engine and Unreal Tournament forum compromise revealed email addresses and other data entered into the forums, but no passwords in any form, neither salted, hashed nor plaintext," said Epic in a post on its website.

"While the data contained in the vBulletin account databases for these forums was leaked, the passwords for user accounts are stored elsewhere. These forums remain online and no passwords need to be reset.

"Also, we believe a compromise of our legacy forums covering Infinity Blade, UDK, previous Unreal Tournament games, and archived Gears of War forums revealed email addresses, salted hashed passwords and other data entered into the forums.

"If you have been active on these forums since July 2015, we recommend you change your password on any site where you use the same password."

Epic claimed that no other forums were affected, but this is not the first time that the firm's security has been cracked: it suffered a similar breach in July last year.

The attack came to light just weeks after the Dota 2 Dev forums were hacked, spilling almost two million credentials, including user names, emails, passwords and IP addresses. News of the Dota 2 hack came to light only after 1,923,972 records were published on LeakedSource.

The hack underscores the danger of using the same password on multiple websites, as one breach could endanger accounts on multiple websites when crackers try out the credentials gained in one hack on other sites.