Please Read: Hack attempts against our websites and forums

Over the past weekend, a hacker group attempted an unlawful intrusion of our websites to gain access to data. We believe we have taken appropriate action to protect our data against these attacks. While no personal financial information or credit card data was obtained, the hackers may have gained access to some user names, email addresses, and/or passwords. As a precaution, we recommend that all our fans immediately change passwords on all our sites — including our community forums, the statistics site for Brink, and here on the blog.

If your username/email address/password is similar to what you use on other sites, we recommend changing the password at those sites as well. As we don’t know what further plans the hackers may have, we suggest that you keep an eye out for suspicious emails and account activity.

We regret any inconvenience these attacks cause you. We will evaluate the attacks to determine whether any additional protections would be prudent.

Reader Comments

  1. I am beginning to feel unsafe on the internet, I have recently changed all my passwords to individual ones, this is too far. Why can’t companies protect their servers more? Surely hiring security “Professionals” should be enough and not too much to ask for the protection of our personal information?

  2. Thank you for prompt disclosure! *Some* companies sit around for weeks on knowledge of a breach without warning their customers…

  3. Okay, regardless of whether or not this was Anon they are the face of the hackers right now. They have emboldened these ignorant, self absorbed sons of bitches.

    As such, I propose a twitter trend.

    #anonotgoingtogetlaid

  4. @Kradath: doesn’t matter, encrypted passwords can still be attacked via bruteforce/dictionary/etc, no reason not to change it to be safe

  5. I am glad that you guys were able to keep the major info secure. I wonder if this is the same group that hit Codemasters?

  6. hackers are getting out of hand. need to make penalties stiffer due to all the attacks recently. if this keeps up, no one will want to be online. back to writing checks and snail mail.

  7. @Kradath
    Sure they were encrypted, with algorithms available for study by hackers. The only way to have an even remotely bulletproof encryption is to write it yourself, and then of course you’ll have to write your own database software because MySQL will not accept your new algorithm. Then you’ll have to write forum and website software too because none of the software available will work with your custom database software.

    I’ve had over 100 new members sign up on my site in the last week and about 5-6% of them had malicious intent. I use the second most secure forum software available so all of the attacks were foiled without any intervention on my part.

    This is normal for post E3 activity. If you think back you’ll realize that the exact same thing happened after FO3 AND Oblivion were presented at E3.

  8. It’s official, the hackers are all playing games with the companies. They are all competing with each other over who can hack this certain company first. And also they mostly look for companies that do not take customers’ data seriously, as the security level of their DPA is rightfully exposed.

  9. Thanks for the heads up Gstaff. I know there was a thread going yesterday that had come to that conclusion because the official Elder Scrolls site was acting strange.

    Can you imagine what great things all these hackers could accomplish if they put their talents to something useful?

  10. First Eidos and this. I wonder what’s going on. I hope the hackers don’t think they’re being rebellious against some higher power by doing this. Or maybe it’s someone bored. Beats me.

  11. I’m sure they were. But that’s the thing about the new rush of hackers…encryption to them is child’s play

  12. worm82075, wtf. There are hashing algorithms that haven’t been broken yet (SHA-256) and AES is certainly not broken. AES is in MySQL since more or less forever and SHA-2 hashes are in there now. In any case the claim that you have to “write your own database software” is incredibly flawed – even if the DB doesn’t support it natively, your forum software can implement it itself; even if that support isn’t there it’s trivial to add to anything decent. You certainly would not have to “write forum and website software”, at most you’d have to create a small patch, and most of the time you would just have to toggle an option somewhere.

    SHA-1, or even MD5, with an appropriate salt would stop these passes being owned.
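Comment 12's salting point, as an added example that is not part of the original thread: a per-user random salt plus a slow iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library) gives two users with the same password different stored records, so a single precomputed lookup no longer covers both, while unsalted MD5 stores the identical value for each. The `pbkdf2_sha256$iterations$salt$hash` record format and the function names are assumptions of this example, not the forum software's own.

```python
import base64
import hashlib
import hmac
import os

# Stored-record format is an assumption of this example (not the forum's software):
#   pbkdf2_sha256$<iterations>$<base64 salt>$<base64 digest>
SCHEME = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000  # slow on purpose: every guess costs this many HMAC rounds

def unsalted_md5(password: str) -> str:
    """The weak scheme the thread worries about: same password -> same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: bytes = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash with a fresh 16-byte random salt per record and an iterated HMAC."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and iterations; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # unknown scheme or malformed record never verifies
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def records_share_value(password: str) -> dict:
    """Constructed check: do two accounts with the same password store the same value?"""
    return {
        "unsalted_md5": unsalted_md5(password) == unsalted_md5(password),
        "salted_pbkdf2": hash_password(password) == hash_password(password),
    }
```

Raising `DEFAULT_ITERATIONS` (or moving to a memory-hard function) is the tuning knob; the salt alone only defeats precomputation, not a per-record guess loop.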

  13. I suggest if you catch these guys you do something similar to what Caesar would do; crucifixion seems pretty fitting.

  14. Seems like Lulz Security was behind your attack. I went to their Twitter account to see if my guess was right and it was.

  15. @ Treyster:

    That’s probably exactly what they think. The fact that they get so many people so stirred up probably makes them feel all big and important.

  16. Can’t Bethesda make something like a forced password reset? Where everyone gets sent a new password. I mean, the number of people reading this news compared to the number registered on the forums is likely to be small.

  17. If you followed Lulzsec on twitter you’d know yesterday that they were going to hack it. They always mention who they are going to hack before they do it…well, most of the time anyways.

  18. Man I think Lulzsec is just stupid, at least with Anonymous there was SOME reasoning when they hack. Instead of just going around doing it to a bunch of different websites because honestly I think Lulzsec is made up of a bunch of kids who just learned how to hack and are saying ‘Ooh look what I can do!’.

  19. In all fairness, Brink is a REALLY bad game.

    I don’t agree with the hacking of Bethesda because they make some of the greatest games ever. I do however think it’s absolutely hilarious.

  20. lol, does anyone else think this looks silly for lulzsec?

    they have all these high-profile, big-name hacks, then they go after a game forum and a slightly popular new game? they’re just trying to stay in the news, now. yawn.

  21. @Anonymous

    bull!! and bank robbers have their reasoning to rob banks. my neighbor had his reasons for beating his wife. oh please, there is NO reason to break the law.

  22. @worm82075

    MySQL can encrypt with AES but the decryption keys and the decryption logic (inside the app) needs to take place in a compartmented environment i.e. separate from the other web server apps and also separate from the MySQL database server instance itself.

    Also — it is widely known around the world that “writing encryption yourself” is an absolute no-no. By making both of these statements, might I suggest that you are in dire need of application security consultants that use SAST and DAST e.g. HP Fortify WebInspect On-Demand, Veracode, IBM Rational Appscan On Demand, etc? Many of your competitors (e.g. Sony, EA) use appsec consulting companies such as Cigital, Aspect Security, and nVisium Security (all local to your area).

    For more information about MySQL’s use of AES, in addition to other little-known MySQL security features, be sure to check out the Core Security Patterns blog on the matter — http://www.coresecuritypatterns.com/blogs/?p=970

    I suggest assessing your MySQL infrastructure using a fast tool such as nmap, configured with additional NSE script checks such as found on this blog — http://www.cqure.net/wp/2011/06/using-nmap-to-audit-your-mysql-database/

    You can assess your external web applications with an open-source tool such as Wapiti, Andiparos, or the OWASP Zed Attack Proxy (ZAP). Your PHP source code can be assessed using the open-source RIPS scanner (probably one of the easiest ways to locate troublesome file inclusion, XSS, or SQL injection vulnerabilities).

    While web application firewalls will not prevent contextual output encoding problems such as found in SQL injection and Cross-Site Scripting — they can whitelist input and also monitor for these sorts of issues in order to detect when an attack is in progress (which may or may not be useful during a breach, but it may allow you to be more proactive). The free, open-source ModSecurity web application firewall is excellent to put into monitoring mode — and should be placed in your network as a reverse proxy if at all possible (the embedded version only works with the Apache web server). You can get alerts from ModSecurity to OSSEC, and in turn from OSSEC to your SIEM (OSSIM is a good open-source SIEM if you don’t already have one) — http://holisticinfosec.blogspot.com/2009/09/using-ossec-to-monitor-modsecurity-and.html — and not only that, but you can also leverage OSSEC with MySQL as well — http://blog.rootshell.be/2011/01/07/auditing-mysql-db-integrity-with-ossec/

    The LAMP stack doesn’t necessarily make you more vulnerable to these attacks, but an outdated LAMP stack could definitely increase your attack surface and the capabilities of data exfiltration. My primary suggestion would be to replace Apache with Nginx so that you can run the Roboo anti-DDoS and anti-webapp-hacking tool. I also highly suggest the Django-Security framework (mentioned here along with many other secure framework components — http://software-security.sans.org/blog/2011/06/06/safer-software-through-secure-frameworks ) if the goal is to replace or augment existing LAMP stack technologies.

    Best of luck during these hard times.

  23. I don’t get it…

    I mean, I understand why Anon went after $ony…. but Bethesda? WTF did they ever do to incite hacker aggression?

    If you ain’t got a reason for it, knock it the hell off… ur givin hacking a bad name

  24. Lulz Security released your internal data via thepiratebay. Just a heads up to all the users, follow the words of Gstaff and change your passwords if you’re a registered user!

  25. how about get some DECENT security? most of the websites hacked weren’t prepared at all for this kind of breach… and no offense, but Bethesda deserves this after what it did to the Fallout series

  26. @abadidea

    If you are referring to Sony they didn’t sit around for weeks. Think before you post. Some weak minded people may take your comments to be true.

    @This is too far

    You can only do so much. To make any device or network secure would mean that it would have to be 100% closed too. Take for example device hacking. Engineers spend quite a bit of time on their product security so hackers get around that via memory overflows. Often security is quite a bit more than simple SQL injection protection. Then you have to consider physical security too.

  27. If it’s any reassurance to anyone, 4chan’s up in flames about this as well. There’s absolutely no support for these clinically-deranged bastards. Just gotta’ wait until those kids get dragged out of their basements by the FBI…

  28. If hackers aren’t holding these companies accountable for poor security practices, then who will?

    Go LulzSec, hack everything. It’s only through challenge that anything changes and gets better.

  29. gstaff, I would like to have some more information about the storage practices of passwords. Which hash function was used to store the passwords and was any salt used?

  30. Holy Cow! I guess hackers are really on the move right now. Good for me that I have no Bethesda-related account anywhere… :P

  31. @Proweler: Judging by the data in the files lulzsec is distributing, they’re encrypted using the usual MD5 or SHA methods. Beyond that it’s hard to say, but unless these guys have access to supercomputers, they’re not going to break them. Not like they needed to given they have all this crap to begin with.