Epic's forums hacked again, with thousands of logins stolen


One of the forums is designed to support the Unreal Engine development community. (Image: Wikimedia Commons)

A hacker has stolen hundreds of thousands of forum accounts associated with Unreal Engine, and its maker, Epic Games.

More than 808,000 accounts were stolen in the attack — with more than half a million from Unreal Engine’s forums alone. Breach notification site LeakedSource.com, which obtained a copy of the database, said the attack was carried out on August 11.

The hacker, whose name isn’t known, exploited a known SQL injection vulnerability found in older vBulletin forum software, which allowed the hacker to get access to the full database.

That allowed the hacker to acquire usernames, scrambled passwords, email addresses, IP addresses, birthdays, join dates, users' full history of posts and comments including private messages, and other user activity data from both sets of forums.

Facebook access tokens were stolen for those who signed in with their social account.

But most of the passwords were scrambled in a way that was not readily or easily crackable, suggesting that Epic Games used a different kind of password scrambling algorithm than seen in other breaches, like Dota 2, and more recently DLH.net.

A member of the LeakedSource group told me that it’s “hard to tell without more effort or examining source code.”

When we last checked at the time of publication, the Epic Games forum appeared to be down, but the company’s Unreal Engine forums were still active.

This latest hack marks yet another attack on sites operating out-of-date and unpatched forums. Despite similarities, it’s not thought that the hack is related to similar breaches around the same time, in part because the vulnerabilities are widely known among underground hacker groups.

But it’s not the first time that Epic Games has suffered at the hands of hackers. Last year, the gaming giant owned up to a hack that saw a hacker steal thousands of accounts.

LeakedSource added the breached data into its database — including the password hashes — even if they aren’t readable in plain text, to allow possible victims to search their data.

When reached on Monday, an Epic Games spokesperson was not able to comment by the time of publication. We’ll update once we hear back.