Epic’s forums hacked again, with thousands of logins stolen

Share this…

More than 800,000 usernames and email addresses were taken, but most of the passwords aren’t readable or easily crackable. The company later confirmed.

A hacker has stolen hundreds of thousands of forum accounts associated with Unreal Engine and its maker, Epic Games.


More than 808,000 accounts were stolen in the attack — with more than half a million from Unreal Engine’s forums alone. Breach notification site LeakedSource.com, which obtained a copy of the database, said the attack was carried out August 11.

The hacker, whose name isn’t known, exploited a known SQL injection vulnerability found in an older vBulletin forum software, which allowed the hacker to get access to the full database.

The hacker acquired usernames, scrambled passwords, email addresses, IP addresses, birthdates, join dates, their full history of posts and comments including private messages, and other user activity data from both sets of forums.

Facebook access tokens were stolen for those who signed in with their social account.

But most of the passwords were scrambled in a way that were not readily or easily crackable, suggesting that Epic Games used a different kind of password scrambling algorithm than seen in other breaches, like Dota 2, and more recently, DLH.net.

A member of the LeakedSource group told me that it’s “hard to tell without more effort or examining source code”.

When we last checked at the time of publication, the Epic Games’ forum appeared to be down, but the company’s Unreal Engine forums were still active.

This latest hack marks yet another attack on sites operating out-of-date and unpatched forums. Despite similarities, it’s not thought that that the hack is related to similar breachesaround the same time — in part because the vulnerabilities are widely known among underground hacker groups.

But it’s not the first time that Epic Games has suffered at the hands of hackers. Last year, the gaming giant owned up to a hack that saw a hacker steal thousands of accounts.

LeakedSource added the breached data into its database, including the password hashes, even if they aren’t readable in plain text, to allow possible victims to search their data.