Unity confirmed today that their forums were hacked over this past weekend. Unity director of security Andreas Haugsnes issued a statement about the security breach.
On April 30, our public forum website was attacked and successfully compromised due to poorly implemented password routines; our investigations show no theft of passwords in this attack, nor impact to any other Unity service.
However, the attack did result in defacement of the site (which has since been fixed) and subsequent messaging to all of our registered forum users.
We’re actively working to improve the authentication options in our services, and to help protect your data we’ll be rolling out the following in the next few weeks:
2FA Authentication
2FA will enable you to use one time passwords tied to the Unity Authentication platform. This will also be enforced in forums.
Device Identification
Device Identification will alert and/or prompt you if a new PC or Mobile device tries to connect to a Unity service, with your credentials.
Password Policy
Enable a per organization password reset, rotation and strength policy.
We’re sorry. We know you put your trust in us. We will learn from our mistakes.
The hack originally came to light when Unity users said that they were receiving emails from Unity's account in which a group called OurMine claimed that they hacked the site and had access to a database of two million users. OurMine were at least kind enough to also inform people that they should probably change their passwords.
(Corridor was rushing to meet a deadline to get the latest video out [the shadow video], while Sam and Niko are away busy working on Lifeline. So this incident REALLY DID NOT HELP AT ALL with their rush project.)
I get that it's nice to raise awareness to anybody who is too arrogant to listen, but I really don't see how so many people are calling OurMine "White Hat Hackers" who are doing harmless acts to force people to close off vulnerabilities. If I break into somebody's home, use dry-erase markers to vandalize their property, leave behind cleaning equipment that is guaranteed to restore said property to its original condition, replace the busted door with a new identical model and keep the original lock intact, lock said door, and then leave, does this mean I did nothing wrong? Would the police applaud my efforts to show them that their lock isn't strong enough to stop people from breaking in? Would they pat me on the back and say, "Please continue breaking into homes and doing non-harmful acts to their property?"
My understanding of "White Hat Hackers" (I hate using the word hack so much) is that they are either contracted by companies to find vulnerabilities in their own systems, or they contact companies explaining what they found when screwing around for fun and education. If they're ignored, they move on and let them suffer the consequences. They don't push it and force a live example to prove their point since it has nothing to do with them.