[=;709810]
So, I woke up today to someone buying $500 worth of items on the Marketplace using my account. I would HIGHLY suggest you remove any info from your account and change all passwords. @PolyPixel3D they seemed to really like your stuff though, they bought 3 of your packs (don’t hate me if you see those sales refunded).
I’m pretty paranoid about phishing scams and such, so I don’t think this breach was on my end - but I’ll wait and see what the Epic guys find out (I literally sent Chance a PM at 5am this morning so I’m sure they haven’t gotten in yet to check things out).
[/]
Hey ,
I’ve passed this post on to our specialist to take a further look into this situation. Can you pm me or email the details of what has occurred? Specifically, we need to know which email address/account the purchases are tied to.
Thanks!
[/]
Done. I also just noticed this was an older account I had on here (pre-Forum hack), so they may have gotten the info that way. Safest bet is to just obliterate that old account.
EDIT: I logged into that old account, removed info, and changed the password. But I’d still like it to just be nuked from orbit.
So I got the 3rd party info leak email the other day that required me to reset my password. (I am not a marketplace creator).
I reset my password to something very different. But today I have been using some other computers that had my forum account logged in, and the Epic launcher logged in, from before the password change. They did not ask me to enter the new password and I was still able to access my account. I didn’t try buying anything from the marketplace, but this sequence of events made me wonder if there is a massive flaw in the current system. Once I logged out I needed to use the new password to get back in, but if someone stays logged in with a password that was compromised in the past, despite the reset, what good is that?
They should make it like Gmail “Log out on all devices” so you can make sure you’re logged out everywhere otherwise changing password doesn’t do any good if someone else has access to your account and have not logged out of it yet.
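The behaviour the two posts above describe (a password change that leaves already-issued sessions alive) comes down to how the server ties sessions to credentials. The following is an added example, not code from this thread or from Epic's systems: an in-memory account and session store in which every account carries a credential "generation" counter and every session token records the generation it was issued under. A password change, a forced reset, or a "log out on all devices" button bumps the counter, so tokens minted earlier stop validating even though they have not expired. The `revoke_sessions=False` path reproduces the reported flaw for comparison. Class and method names, the PBKDF2 parameters and the TTL are illustrative assumptions.

```python
"""Added example (not from the forum thread or Epic's code): session
revocation on password change via a per-account credential generation."""
import hashlib
import hmac
import os
import secrets
import time


class AccountStore:
    def __init__(self):
        self.accounts = {}  # username -> {'salt': bytes, 'hash': bytes, 'gen': int}
        self.sessions = {}  # token -> {'user': str, 'gen': int, 'expires': float}

    @staticmethod
    def _hash(password, salt):
        # KDF choice is incidental here; the session logic is the point.
        return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)

    def create_account(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = {'salt': salt, 'hash': self._hash(password, salt), 'gen': 0}

    def _check(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(acct['hash'], self._hash(password, acct['salt']))

    def login(self, username, password, ttl=3600):
        """Verify the password and mint a token bound to the current generation."""
        if not self._check(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {'user': username,
                                'gen': self.accounts[username]['gen'],
                                'expires': time.time() + ttl}
        return token

    def validate(self, token):
        """Return the username for a live token, or None."""
        sess = self.sessions.get(token)
        if sess is None or sess['expires'] < time.time():
            self.sessions.pop(token, None)
            return None
        if sess['gen'] != self.accounts[sess['user']]['gen']:
            # Issued before the last password change / global logout: revoke it.
            del self.sessions[token]
            return None
        return sess['user']

    def logout_everywhere(self, username):
        """The 'log out on all devices' button: invalidate every existing session."""
        self.accounts[username]['gen'] += 1

    def change_password(self, username, old, new, revoke_sessions=True):
        if not self._check(username, old):
            return False
        self._set_password(username, new, revoke_sessions)
        return True

    def force_reset(self, username, new):
        """Operator-initiated reset after a compromise: old sessions never survive."""
        self._set_password(username, new, revoke_sessions=True)

    def _set_password(self, username, new, revoke_sessions):
        acct = self.accounts[username]
        acct['salt'] = os.urandom(16)
        acct['hash'] = self._hash(new, acct['salt'])
        if revoke_sessions:
            acct['gen'] += 1
        # revoke_sessions=False reproduces the behaviour reported in the thread:
        # the stored hash changes but tokens issued under the old password keep working.


def demo():
    """Returns (flaw_reproduced, flaw_fixed)."""
    store = AccountStore()
    store.create_account('steve', 'old-password')
    attacker_token = store.login('steve', 'old-password')  # leaked password used before the reset
    store.change_password('steve', 'old-password', 'new-password', revoke_sessions=False)
    still_valid = store.validate(attacker_token) is not None  # True: the reported flaw
    store.change_password('steve', 'new-password', 'newer-password')
    revoked = store.validate(attacker_token) is None  # True: generation bump revoked it
    return still_valid, revoked


if __name__ == '__main__':
    print(demo())  # (True, True)
```

A real deployment would keep the generation in the account row and the session store in a database or cache, but the check is the same: a token is only as fresh as the credential generation it was issued under. Storing the generation inside a signed token (for example a JWT claim) works too, provided validation still reads the account's current generation rather than trusting the token alone.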
[]
I reset my password to something very different. But today I have been using some other computers that had my forum account logged in, and the epic launcher logged in, from before the password change. They did not ask me to enter the new password and I was still able to access my account.
[/]
Oh wow, this is indeed a security hole of epic proportions.
[=SteveElbows;709856]
had my forum account logged in, and the epic launcher logged in, from before the password change
[/]
Interesting indeed! The session system should not provide renewal upon password change, and most definitely not for long-expired session keys. This is a serious flaw in the system and must be fixed immediately!
What I also would like to add to this conversation: everybody is very obsessed with emails and logins, but nobody seems to suspect the probability that local computers get hacked, where the attacker can simply download saved passwords from basically any storage (e.g. browser passwords, text files on your desktop/documents, etc.). Last time I got hacked it was over the auto-update system of puush; they slipped in a malicious program via this service which simply downloaded and submitted contents from my local computer.
There are a great many ways an attacker can gain access to services of any sort, and they will not be limited to a profile login or a change to the subscription. People, you must buckle up for what’s coming next, and make your computers and routers as safe as you possibly can. Avoid fixed IPs on the network, and use dynamic ones. Restart your modems and routers on a regular basis to make sure you are getting a new IP address from your provider; this can reduce the chances of getting your computers hacked. Oh, and turn off auto updates as well, especially for free software.
[=Konflict;709960]
Interesting indeed! The session system should not provide renewal upon password change, and most definitely not for long-expired session keys. This is a serious flaw in the system and must be fixed immediately!
What I also would like to add to this conversation: everybody is very obsessed with emails and logins, but nobody seems to suspect the probability that local computers get hacked, where the attacker can simply download saved passwords from basically any storage (e.g. browser passwords, text files on your desktop/documents, etc.). Last time I got hacked it was over the auto-update system of puush; they slipped in a malicious program via this service which simply downloaded and submitted contents from my local computer.
There are a great many ways an attacker can gain access to services of any sort, and they will not be limited to a profile login or a change to the subscription. People, you must buckle up for what’s coming next, and make your computers and routers as safe as you possibly can. Avoid fixed IPs on the network, and use dynamic ones. Restart your modems and routers on a regular basis to make sure you are getting a new IP address from your provider; this can reduce the chances of getting your computers hacked. Oh, and turn off auto updates as well, especially for free software.
[/]
I can also concur with this revelation that the forums do not log out on all devices if you have a password change. As mentioned throughout this page, that is a major security flaw and defeats the purpose of a password change.
As for your last point, I think it’s becoming more and more evident that this isn’t on the user side. Between the UE4 user email leaks just the other day, the fact that UE4 was hacked in the past, and that a group that recently hacked Unity got hold of PolyPixel’s account, it suggests that Epic was a recent victim of cyber attacks. It’d have to be a VERY huge coincidence were these to be local attacks and they all just happened to affect people who have UE4 accounts. Not to mention that theory is predicated on our email addresses/systems being compromised, and many of us have already confirmed that wasn’t the case. The MO of your typical hacker is to get into a user’s email, change the credentials and wreak as much havoc as they can. Not get into an email address, change no login credentials, and only target UE4-related activities.
What also makes hacking easy are the mobile phones that people have forgotten what they are designed for. They are not secure, and nobody should use them to log into services they hold dear. As a matter of fact, these days the only services people log in to are the most sensitive ones, using the weakest possible device regarding security. I’m sure both communities are very strong on mobile usage, so let’s not pass over these possibilities, since this would be a very strong common point to attack anyone, regardless of Unity or Unreal activities. Session keys are hard to obtain by third parties, unless they get access to local devices/computers, which makes it easier to dig through the browser history. You can see this for yourself: just bring up your browser history, and the entry for the last login you made to the site will contain some keys in the URL. It only exists on your local PCs/mobiles, which are that easy to obtain for a common attacker, as it would seem. I’m sure Epic will revise and tighten the security to avoid future incidents; however, your personal devices and computers are your duty to clean up. When Epic gets hacked, the website will be down for good, Twitch and sites get cleaned up and refilled with disgusting content, since that is exactly what happens when some frustrated idiot kid wreaks havoc.
Security is a very sensitive and critical part of life, as it closely aligns with privacy. So while it’s easy to assume what might have happened, it’s also awesome to know it didn’t go any further. It’s obvious something went wrong; we can throw everything at it, but hacking is part of life. I think what’s important is that we focus on what was done rightly, which was **reporting that something had happened**. Alerting everyone is quite possibly the best and only thing you can do to help others avoid falling victim to hacks. Hacking is purely about not being aware, and once it’s made obvious, it’s very easy to spot and protect yourself. So thanks for pointing this out. I think being on high alert nowadays is more important than ever before.
[=SteveElbows;709856]
So I got the 3rd party info leak email the other day that required me to reset my password. (I am not a marketplace creator).
I reset my password to something very different. But today I have been using some other computers that had my forum account logged in, and the Epic launcher logged in, from before the password change. They did not ask me to enter the new password and I was still able to access my account. I didn’t try buying anything from the marketplace, but this sequence of events made me wonder if there is a massive flaw in the current system. Once I logged out I needed to use the new password to get back in, but if someone stays logged in with a password that was compromised in the past, despite the reset, what good is that?
[/]
I was expecting some sort of official response to this.
To be clear: I do not want/need you to do anything to my account, please do not disable it or anything. But I want Epic to investigate whether the behaviour I think I saw is accurate, and to reassure us that this issue is going to be fixed if it does indeed behave in this way.
Crikey. Would have been nice to have received some sort of email from Epic about such a leak… time to change my address to the CIA HQ in Arlington or something similar. : |
Hey all, sorry for the wait here! The team has been doing some deep investigation to understand the scope and scale of the incident, and we’ve gotten down to the bottom of it.
We were recently subject to two separate attacks earlier this month:
A brute force attack from parties using information leaked from other sources
A more targeted, isolated spoofing strike.
While the brute force attack was unsuccessful, a handful of accounts were compromised in the spoofing incident, leading us to reset account passwords (the reports you’ve seen here in this thread). Here’s a breakdown of the timeline:
On May 8, we had been made aware of 7 accounts that had been compromised. Fortunately, we were able to disable these accounts and issue password resets within a couple hours with the help of the account holders and we began investigation at that point.
Later in the week, we had identified suspicious behavior from the IPs responsible for the spoofing and preemptively reset a little over 150 passwords as a safety precaution. Upon further investigation, we verified that only 9 total (including the 7 identified on May 8) fell victim to the attack, and accounts affected had had their passwords reset.
Since then, our teams have been discussing a large number of changes to both our internal policies and tools and planning out a number of safeguards in order to mitigate vulnerability going forward in order to better protect all involved. Multi-factor authentication is one of the steps in this direction and slated to head to Epic accounts later this year.
Thanks everyone for your patience while we continued our investigation, let me know if you have any further questions!
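The first attack in the post above, a "brute force attack from parties using information leaked from other sources", is what is usually called credential stuffing: one source tries many username/password pairs taken from someone else's breach, typically one attempt per account, so per-account lockout thresholds never trigger. The post also says the team identified the responsible IPs and pre-emptively reset the accounts they touched. The following is an added example, not Epic's tooling and not from this thread, of the detection logic that distinguishes a stuffing source (one IP, many distinct usernames inside a short window) from an ordinary user mistyping a password (one IP, one username, a few failures), and that lists the accounts where such a source succeeded so they can be reset. The log format, field names, window and threshold are assumptions, and the log lines are constructed for the example.

```python
"""Added example (not Epic's code): credential-stuffing detection over
authentication log lines. Log format and thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 UTC> ip=<addr> user=<name> result=ok|fail"
LOG_RE = re.compile(r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$')

# Constructed sample: one IP walks a leaked list (eight users, two hits);
# one user mistypes twice before logging in; one unrelated clean login.
SAMPLE_LOG = """\
2017-05-08T03:00:01Z ip=203.0.113.7 user=alice result=fail
2017-05-08T03:00:02Z ip=203.0.113.7 user=bob result=fail
2017-05-08T03:00:04Z ip=203.0.113.7 user=carol result=fail
2017-05-08T03:00:05Z ip=203.0.113.7 user=dave result=ok
2017-05-08T03:00:07Z ip=203.0.113.7 user=erin result=ok
2017-05-08T03:00:08Z ip=203.0.113.7 user=frank result=fail
2017-05-08T03:00:10Z ip=203.0.113.7 user=grace result=fail
2017-05-08T03:00:11Z ip=203.0.113.7 user=heidi result=fail
2017-05-08T03:04:30Z ip=198.51.100.2 user=bob result=fail
2017-05-08T03:04:41Z ip=198.51.100.2 user=bob result=fail
2017-05-08T03:04:55Z ip=198.51.100.2 user=bob result=ok
2017-05-08T03:05:10Z ip=192.0.2.9 user=carol result=ok
"""


def parse(lines):
    """Yield one event dict per well-formed line; skip anything that does not match."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev['ts'] = datetime.strptime(ev['ts'], '%Y-%m-%dT%H:%M:%SZ')
        yield ev


def find_stuffing(events, window=timedelta(minutes=10), min_distinct_users=5):
    """Per source IP, slide a time window over its login attempts and flag the IP
    once it has tried at least min_distinct_users different accounts inside one
    window. For a flagged IP, collect every account it logged into successfully
    during the window: those are the accounts to reset."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev['ip']].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e['ts'])
        recent = deque()        # events inside the current window
        seen = defaultdict(int)  # username -> attempts inside the window
        for ev in evs:
            recent.append(ev)
            seen[ev['user']] += 1
            # Drop events that have fallen out of the window.
            while recent and ev['ts'] - recent[0]['ts'] > window:
                old = recent.popleft()
                seen[old['user']] -= 1
                if seen[old['user']] == 0:
                    del seen[old['user']]
            if len(seen) >= min_distinct_users:
                f = findings.setdefault(ip, {'distinct_users': 0, 'hits': set()})
                f['distinct_users'] = max(f['distinct_users'], len(seen))
                f['hits'].update(e['user'] for e in recent if e['result'] == 'ok')

    # Return hits as sorted lists so the result is stable and easy to act on.
    return {ip: {'distinct_users': f['distinct_users'], 'hits': sorted(f['hits'])}
            for ip, f in findings.items()}


def analyse(log_text=SAMPLE_LOG):
    return find_stuffing(parse(log_text.splitlines()))


if __name__ == '__main__':
    for ip, f in analyse().items():
        print(f"{ip}: {f['distinct_users']} accounts tried, successes: {f['hits']}")
```

Counting distinct usernames per source rather than failures per account is the point: the mistyping user at 198.51.100.2 produces three failures on one account and is not flagged, while 203.0.113.7 is flagged on its fifth username even though it never failed twice against the same account. The hit list is what drives the "reset these accounts" step, and in practice it should be extended with successes from the same source before the threshold was crossed and from sources that share the attacker's user agent or ASN.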
I hate to be the one to keep bringing this back up, but my situation doesn’t fall under either of those reasons. My login information was 100% unique to this site, and my email associated with the site was never publicized. The only thing I could think of in that regard is the reported leaks of UE4 account emails from the May Day sale, in which case I’m curious to know if steps have been taken to ensure something like that doesn’t happen again?
Multi-factor verification is a step in the right direction and I’m glad to see that it will be added this year. I’m assuming this will also factor in when dealing with person-to-person matters involving sensitive information?
[]
My login information was 100% unique to this site, and my email associated with the site was never publicized
[/]
It’s quite possible that you were in the 150+ group that we pre-emptively reset.
[]
reported leaks of UE4 account emails from the May Day sale, in which case I’m curious to know if steps have been taken to ensure something like that doesn’t happen again?
[/]
sent out an email to all marketplace sellers that participated in the May Flash Sale, but did not use BCC, so our emails were revealed to everyone in the email chain.
[=;715599]
sent out an email to all marketplace sellers that participated in the May Flash Sale, but did not use BCC, so our emails were revealed to everyone in the email chain.
[/]
Ah, thanks for the info. Yes, this was done in error, though it should have only been the publicly available support email address listed on the sellers’ profiles. Still a mistake on our end that we’re certainly aiming to not repeat.
[=;715567]
Just heard back from the team was the case. Sorry for any inconvenience amigo, but your data is safe
[/]
Thanks for the clarification on that.
[=;715656]
I mentioned it above already too, but maybe it’s worth repeating here again in light of this… Anyone using the same email for Marketplace + Discord / Slack back in Aug 2016?
If so, it might be safer to assume that email is somewhat compromised now too. Why???
Everyone’s emails were publicly visible in the Team Directory at that point (still the case?).
Any scammer / cybercriminal who joined would have access to that list like an open CC list…
Or any malware-infected PCs from even a single UE4 user may have slurped that data…
[/]
I used a different email for that as well, though interesting to know the addresses were plastered all over the wall over there.
[=;715687]
Ah, thanks for the info. Yes, this was done in error, though it should have only been the publicly available support email address listed on the sellers’ profiles. Still a mistake on our end that we’re certainly aiming to not repeat.
[/]