“Incident”
The French game company Ubisoft, which titles include the popular video game series Far Cry and The Prince of Persia, confirmed that it had suffered a ‘cyber security incident’ [1] that was first reported by The Verge on March 10, and confirmed by Ubisoft on March 11 [2].
Ubisoft is a gaming company that has been around since the late 1980’s, growing to feature a collection of major video game franchises including Just Dance to a myriad of Tom Clancy and Assassin’s Creed titles [3].
Same actors?
According to the Verge, a leaked screenshot from the Telegram channel hosted by the hacker group LAPSUS$ shared the group’s reaction to the said incident’s article, possibly implying their connection to the cyber attack, although neither confirming nor denying it. The official statement from Ubisoft confirmed the incident, which they claim caused a “temporary disruption to some of our games, systems, and service,”[1] yet attesting that no player information was exposed as a result, however they issued a company wide mandate requiring their employees to change their passwords.
LAPSUS$ has been in the news quite frequently following a string of ransomware attacks on companies such as the major chip maker NVIDIA, and tech conglomerate Samsung. Confidential information such as private source code, employee records, and personal information were stolen and then threatened with public leaking, unless certain ideological demands were met [4].
Thoughts
With little information being provided officially from Ubisoft of the actual attackers, it is only speculation at this moment as to what happened, and by whom. The company-wide password reset mandate could possibly point to a scenario where a weak and/or duplicate password was used by an individual employee, or some sort of social engineering or phishing attempt was used to acquire login information. The fact that the LAPSUS$ group has also not claimed direct responsibility, whereas they did with the NVIDIA and Samsung ransomware attacks[4], it is possible the hackers didn’t completely accomplish all they had hoped to. For example, a successful ransomware attack would be acquiring relevant enough data in order to extort the company into complying to their demands and/or financial compensation.
When a company is attacked, and the personal information of its company is released, there is not much one can personally do at that point. Even though customers and their data may not be the main target, rather a demand for change in company policies or practices, as was the case with the LAPSUS$ vs. NVIDIA incident, our personal information can easily become collateral damage in these situations. I believe it is best to give these companies as little personal information as possible when purchasing or using their products, which these days seems almost impossible, especially if requiring a credit card and billing address to purchase something.
As someone who has been a victim of a company’s customer data being leaked, I can personally attest to the insane increase in the amount of phishing emails and unauthorized login attempts to many other online services that shared the same email. It was a great reminder to never use the same password, and shows just how vulnerable we all are with giving our information to companies, knowing nothing of their security practices.
Sources
- https://news.ubisoft.com/en-gb/article/3tSsBh25mhHhlbGSy1xbRw/ubisoft-cyber-security-incident-update
- https://www.theverge.com/2022/3/11/22972768/ubisoft-cyber-security-incident-hack
- https://en.wikipedia.org/wiki/Ubisoft#Games
- https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/
It’s scary to think that even the big household names in tech are susceptible to attackers. I agree with you that you should be required to only give the minimum amount of personal information. Personally, when I sign up for a service I make sure to use an alternate email just in case they decide to spam me. However, after reading your article I will definitely be more wary of where I decide to disclose my personal email and information.
I agree! I have different emails for different accounts that I make because I just don’t want them to be able to trace other things from my main account and I too don’t want to get spammed. I feel like I am being too cautious but I feel like with the online world there’s never a way to be too cautious because of how strong these attackers are getting.
This is an interesting topic. Gaming is now one of the first choices of entertainment for many people. Exquisite pictures and plots that cannot be experienced in reality have become the main reasons for attracting more and more young people. But it has also led to more and more personal information being streamed online through games.
Attacks such as these are in a morally grey area for me. Ubisoft has had a very toxic corporate environment and I advocate for action to rectify it and hold the toxic people accountable, but I can’t condemn attacks such as these as they put many innocent users at risk. Although I suppose that is the point, to make less people feel comfortable using their services, so in a way there are no issues here from the point of view of the attacker(s).
Exactly Ubisoft and EA are known for their evil practices and not to mention their attempt at running amazing franchises like the Assassins Creed. But again, it is important to consider shareholders who may involve innocent victims caught in the middle of this. Clearly, many individuals would be made scapegoats ensure the company’s reputation remains intact at all costs. However, as you mentioned that a boycott of their services would go a long way to promote positive change within the company and potentially improve their practices. Furthermore, I can see why this might be a morally grey area for you because it is also for me but I have to consider alternative consequences that might not be apparent in the first place.
wow, its truly scary how little we can do to prevent our private data from being leaked to the public by these malicious groups. I definitely agree with giving these companies as little data as possible, but in the modern world, its very hard to do so. I also find it interesting how big companies like Ubisoft and Nvidia are so susceptible to these attacks, they should definitely consider adding more security measures
In the recent era, we have seen that one of the most common source of entertainment is gaming. Not only teenagers but also elderly people spend a significant time playing games. This means that almost everyone with a gaming console can lose their personal information if they get hacked. Hackers getting access to such graphics card company means they might get not only the intellectual property of the company but also confidential information of the users. It is really concerning that even big industries with a team of IT specialists can get hacked. What would happen to a common person?
It seems that even tech giants aren’t immune to having information comprised. Seeing as Ubisoft has their own account credentials and interacts with consoles one would think that they deal with quite a bit of user information and would try to avoid these kinds of things. Especially, since they have a younger members of their audience who may not be choosing the best passwords and as a result could endanger parents information. Although, there security could be better than imagined trusting that they are telling the truth about users not having any data leaked and LAPSUS$ either failing to attack or not being involved in the first place. We’ll just have to wait and see how companies handle these kinds of attacks moving forwards.
It seems that this hacking group is becoming inceasingly more active with their attacks against Samsung and NVIDIA being done pretty recently. This is the second company that they have attacked with a link to gaming and all three companies have a large effect on the younger generations. Employees of a tech company such as Ubisoft should be aware of best password practices and so it is strange that a weak password or phishing email was the most likely vulnerabilty that was exploited in this attack. Although it is unlikely hopefully these hackers are apprehended and brought to justice before their next attack.
Great post. It’s very surprising to see that even big gaming companies such as Ubisoft can get hacked. What’s even scarier is that such hacks can result in the private information of gamers being leaked. Since gaming has become such a popular mode of entertainment, possibly the most popular, there needs to be security precautions taken to make sure that online gaming is safe. Otherwise, these gaming companies will take a big hit since people won’t feel safe to play their games anymore.
With a big target like Ubisoft, it is surprising that LAPSU$$ isn’t claiming responsibility yet if they are the ones who lead the attack. With them being such a big company, I feel people would be jumping at the chance to claim that they were the ones who breached their systems. Regardless, good post and interesting to see Ubisoft isn’t talking much about the situation’s specifics.
That’s a very good point. There is a lot of information that leads to LAPSU$$ being the responsible party, so it seems weird that they wouldn’t claim responsibility in this case when they did previously. While it may be useless to speculate, it could prove fruitful for understanding the motivations for these groups. In my estimation there’s two possibilities: either this is a different group that is emulating LAPSU$$ and trying to let them take the fall for the attack, or LAPSU$$ had some sort of backlash last time that caused them to not want to take credit this time. Either way, it will be interesting to follow.
The moment you named the organization, I had an uncanny feeling that I have heard that name before. Although it sucks what happened to Ubisoft, I personally feel invested in their demise after what they did to the Assassin Creed franchise. They took a decent game and turned it into God knows what! Aside from that, I think you explained the consequences of ransomware attacks quite accurately. I think I gain a better understanding of how ransomware can impact lives and create panic in the organization. Good job overall
Hi,
This was a nice topic to read about. I’ve been always suspicious to the online accounts on giving my personal informations. Because all my personal informations can be hacked and used for bad purposes. It is amazing how hackers even think about hacking one of the big gaming companies in the world. It is also interesting to hear stories like this and finding out how these companies deal with getting hacked!
I honestly don’t see how users of these services can ultimately eliminate the threat of personal information leaks. The world is only demanding more of an online presence, and with that comes information being stored in servers all around the planet. If only there was a way to manage your data/online presence in a central way. It seems mitigation is the only option we have so far.
Great Topic , good choice of words and information . The gaming companies are right now maybe the target number one for attackers . They provide a source of entertainment to gamers , but also a source of fortune for these attackers ( through ransoms…) . It is really bad for the gaming community to hear these news , as it can affect the future of gaming in the world .
Great job !
Hey, that was a fantastic post. It’s worrisome how little we can do to prevent these malicious organisations from disclosing our private information to the public. I feel that giving these companies as little information as possible is good, however in today’s day and age, many companies want credit card and billing address to buy items. I also find it amazing that huge organisations like as Ubisoft and Nvidia are so vulnerable to these attacks. These companies should strongly consider toughening up their security systems.
It definitely puts the consumer in somewhat of a bind if they have to question the integrity of the company that they have shared personal information with. The hackers are most certainly at fault, but there is also the sense of responsibility that Ubisoft shares in this attack. For such a big-name company, it worries me that something of this scale could even occur. Hopefully this serves as a wakeup call for them. Interesting read!
While tech companies indeed rake in the cash and are usually considered safe investments, the increasing number of cyberattacks and increasing knowledgeability of attackers will likely increase the risk associated with such enterprises, similar to how commodities face pricing risks, I feel like technology securities will begin to face similar ramifications if investors become more aware of the many attacks that occur; a higher discount rate and lower valuation due to digital security risks. This will only compound the issue, as public and private tech companies will find it more difficult to raise capital in an efficient manner and therefore have less cash to invest in security. It really makes me sad to see such a innovative and life-improving industry faced with such issues; it is probably much more lucrative and and discrete to attack a company with malware than it is to say, rob a bank. That being said, at the current rate cyberattacks on companies with lots of cyber infrastructure will probably increase. Thank you for the post and sorry for the financial rant.
Obviously with the ever growing medium of gaming, it fair to say that there will be more chances of cyberattacks, however it’s worrying that companies as large as these still don’t take the steps necessary to circumvent this risk to their consumers. The amount of times this type of news comes out increases my distrust in these companies.
After having seen a post talking about the same offender attacking Nvidia not too long ago, and then seeing this, I do wonder what motive Lapsus has. Both of these companies seem to have almost little to no relation with one another, not to mention that samsung is also a victim. If I were to speculate based off the blog I had seen on the attack involving Nvidia, I would surmise that there is some loose connection in all of this with cryptocurrencies. While it is not much, I am aware that ubisoft does have minimal but some involvement with certain crypto companies, and it was also rumoured that Nvidia was attacked because of the limitations their graphics cards had on crypto mining. Of course aside from that, I cannot see any further connection. Overall though I am glad that this was brought to my attention in a very simple and straightforward post!
Interesting Post! The company as a precautionary measure it has stated that it has initiated a “company-wide password reset,” and that its IT teams are working with “leading external experts” to investigate the cyber incident.
Really interesting post, I can totally relate with you on the whole being victim of data leakage before. My email I had used that got leaked in the past also is just flooded with random scam emails (thankfully I have moved away from using this email). Because of that, I am glad that no person user data was breached. By LAPSUS$ implying their involvement while not directly claiming it, makes we wonder how many cyber attacks have been hijacked by hacking groups that claim responsibility without having done it.
The thing which surprises and scares me the most is that a massive company like Ubisoft got hacked which is filled with tech savvy employees as it is a game-development company. This reiterates the importance of cyber Security as even the most knowledgeable people can fall victims to it. The best Ubisoft can do is educate and monitor their employees but that would cost too much resources considering their number of workers. It’s even sad to imagine that even in this day and age, simple phishing emails might have broken into a company like Ubisoft.
Great post! I have been reading a lot about how big companies have been getting attacked by hackers and it makes me wonder how such huge corporations with such sophisticated security systems get compromised by amateur hackers. Every time I see a data leak, I get anxious that this leak probably is going to cost me my personal information. Honestly, if this was an attempt by the hacker group to actually force Ubisoft into bringing some policy changes, kudos to them because Ubisoft is not always known for its great business practices. I do not condone such ransomware attacks to blackmail companies but as long as it’s bringing change without hurting the customers, I say why not.
Recently I have been using this website called https://haveibeenpwned.com/ where if you put in your email, they will show you if your data has been found in any of the recent data leaks. The first time I used it, I found out that I have actually had my information leaked from 5 different websites/services and all of them were big-name services, not just any random site. So I feel like customers need to be more vigilant when it comes to handling their own data and be wary of where and what they’re signing up for.
Great post, it is very bad to know that the smallest mistakes can cause the biggest implications, but the company is lucky that the group never pulled through , and that is good news because then if they were able to complete the hack, alot of information would have been on the open, it is always good to take measures so as to be safe from cyber attacks.
The Lapsus$ hacking group is a rather fascinating cyber-terror group, as their primary focus is on data theft and extortion. They are known to gain access to victims through the use of phishing attacks, which allows them to steal sensitive victim data without needing to deploy data-encrypting malware. According to experts in the field, this group is comprised of “talented individuals”, yet, are also believed to be an “inexperienced operation”, suggesting that the room for their cyber-criminal activities to grow, is yet to be seen. Lapsus$ only emerged recently and in the short time that they have existed, they have hacked Brazil’s health ministry, the Portuguese media company Impresa, telecom companies Claro and Embratel, and the Brazilian car company Localiza. They have also deployed similar attacks in Argentina and Britain, against major tech companies. In my opinion, the world must remain weary of this ransomware group. They are clearly skilled and furthermore, possess malicious intent. Unlike other hacking collectives, they do not appear to be motivated by a political agenda, but instead, by a personal one, fuelled by greed. As a result, we should expect any future attacks levied by this group to be random, aggressive and unsuspecting. They are clearly ambitious, reckless, and highly disruptive. Their intentions do not benefit a larger collective, and thus, they are highly dangerous. The lesson here? We should not be caught off guard by this group even though they are very different from their counterparts in the cyber-terror space. If anything, Big Tech companies should be aware of this collective, as it is evident that no target is out of reach for them.
This is a fantastic article. It’s shocking to learn that even large game businesses like Ubisoft can be hacked. What’s worse alarming is that such hacks have the potential to expose players’ personal information. Because gaming has become such a popular, if not the most popular, form of entertainment, security procedures must be made to ensure that online gaming is secure. Otherwise, these gaming firms will suffer a significant setback since players would no longer feel secure playing their games.
That is true for sure, I kind of feel more scared to play games from Ubisoft, even though prior to this incident I have played a lot of their games and I loved them, so this is just unfortunate.
Another suffering one, several days ago NVIDIA was hacked by this hacker group and today it’s Ubisoft’s turn. Honestly I have played several games of Ubisoft. It is a great company although their servers are extremely terrible. Players often make fun of this and call their servers as “potato”. But they are not that bad as to be subjected to this type of cyber attacks, I hope similar companies will pay more attention to their data and cyber security.
I wonder why companies like Ubisoft hesitate to share any information about their breaches. Is it to preserve their reputations (e.g., by keeping embarrassing screw-ups in security a secret)? Or is it because explaining how the breach occurred might reveal things about their system that other hackers might be able to use to their advantage? It is unfortunate because we might all benefit from more concrete information about actual data breaches. That being said, we keep seeing familiar themes in the breaches we know about: bad passwords, bad security settings, etc.
Having our personal data leaked seems to be a constant threat these days, and not only from video game companies, but from just about every company that has our personal information. It certainly is troubling to think that no matter what you sign up for, you’re basically forced to give a good chunk of personal information to a company in order to use their product/service, and we have to trust nothing will happen to that data, even though we see leaks occur time and time again. I have a friend who actually uses an alias when signing up for things that don’t require a whole lot of info, which honestly, isn’t a bad idea. Maybe it’s my jaded views on major corporations, but I’m wondering how much they actually care when leaks occur? Especially if they have a firm grip on a certain market (IE it’s tough to move services because no one else is as good as the one you’re currently using).
Interesting post! Nowadays, people have been gaming a lot and hacking a game development company would lose a lot of personal data and could potentially also damage the game and I think this kind of attacks would increase in number in future as people would be more involved in gaming sector. I hope this kind of companies would also invest in cybersecurity for a safe future of their company.
The size of the gaming community is massive, so it is no surprise that these companies become targets of cyberattacks. These organizations should consider strengthening their security systems by taking additional measures and security procedures to ensure that their services provide safe online gaming. Otherwise, these gaming companies would lose their customers since gamers would no longer feel safe and comfortable using their services.
Good post! Reading all these cyberattack posts every week, it is certain that no matter how big a company is, they are not immune to cyberattacks. It is scary to think that tech gaints can also be a victim to attacks. We, users, can not do anything to stop our personal information from getting leaked, but what we can do it to give the minimum amount of personal details. We should also perform healthy practices such as using an alternate email address, not using the same password everywhere, etc.
That’s a great article. It’s wondering how we are losing our privacy and security just to deal with our daily life. Wherever we are trying to have access we need to provide our information through which kinda lose our identity to the world.
Good Post! So far I have read a good chunk of posts detailing ransomware and cyber attacks targeting the customers of large companies, but so far the focus has been on damages to the companies that were attacked. Your post highlights the effects that these types of attacks have on the customer base of an attacked company, from a loss of trust to having one’s data be leaked or stolen. I can definitely understand your reluctance to hand over personal information to any company asking for it in exchange for service. I personally do use the same password for a decent chunk of websites that I use and I definitely need to go back and change them.
Companies like Ubisoft have alot of users and many people are relying on them for security of their information. The risk of personal information from players being leaked should be evaluated before signing up for any service online. You rightly said that in this day and age, we are willing to give our information to companies without knowing anything abiut their security practices.
Great post! Cyberattacks against companies (and especially gaming companies) aren’t all that uncommon, but when an attack is successful it can be a huge deal. If a company as large as Ubisoft had a credentials leak, that’s a big problem. As you said, the most a user can do is change their password and be more mindful about how much information they give companies.
Very interesting post. It’s hard to imagine a game company as big as Ubisoft being hacked. Games have become one of the essential products for people’s leisure and entertainment, we should be in the entertainment at the same time, to guard against their information leaked out. Makes me wonder if my game account will be the next to be hacked and used by hackers for malicious purposes. It’s a wake-up call for other game companies.
That’s a great post. I mean in this time people are more into gaming thing, specially young people and when they are signing up for gaming they are not sure what they are signing up for all they know it’s a game and if big companies like this get hacked a lot of young people will lose their privacy without knowing them. So we have be careful about it.
Neat post! This hacker group seems to be targeting a specific sector of the tech field, namely game developers and the hardware producers that seem to co-exist with those developers. Do you think that there is a reason for this, or is it just coincidence. Furthermore, it’s kind of insane how often you hear about this sort of thing and it all comes back to someone not having a very good password.
The gaming industry is another medium through which hackers exploit lack of security of privacy of it’s users. The level of security should increase in these higher corporation type companies as they will lose a lot of market share if people feel reluctant to even buy games on their platform through their credit card.
Really cool post! It’s unfortunate that this happened with Ubisoft. I have played their games a lot and I loved them. Ubisoft is a major video gaming company, so I was a bit surprised to see this happen. This just shows that even the big gaming companies have to step up their game when it comes to security (no pun intended).