Unity site hacked?

Discussion in 'General Discussion' started by ForceX, May 1, 2017.

  1. ForceX

    ForceX

    Joined:
    Jun 22, 2010
    Posts:
    1,102
    Edit: May 2, 2017

    On April 30, 2017 Unity forums were hacked and some users were sent emails via the Unity Forum messaging system.

    The email sent is below with redacted information for the purpose of not promoting the group responsible.

     
    Last edited: May 2, 2017
  2. LaneFox

    LaneFox

    Joined:
    Jun 29, 2011
    Posts:
    7,462
  3. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,554
    You might want to remove that email address from your post.

    Also, it explains why the Unity forums were in maintenance mode for half of a day.
     
  4. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    11,631
  5. greggtwep16

    greggtwep16

    Joined:
    Aug 17, 2012
    Posts:
    1,546
    Just a friendly reminder that while it is always a good idea to change your passwords after a breach, in general you want to wait to do so until you are sure that the hackers don't have a presence on Unity servers anymore, or they might intercept your change. Especially since they are clearly not white hats as they claim, and specifically asked you to do so.

    If you are sharing a password between websites (obviously you shouldn't), you should obviously change it on all the other websites that share that password immediately.
     
  6. Setmaster

    Setmaster

    Joined:
    Sep 2, 2013
    Posts:
    239
    From what I read the only thing they did wrong was not following responsible disclosure, did they do something else?
     
  7. ForceX

    ForceX

    Joined:
    Jun 22, 2010
    Posts:
    1,102
    @LaneFox: Thanks for the links; they make for a good repository on this subject.

    Unless I am reading it wrong, that email belongs to the hacker group. So nuts to them.
     
  8. greggtwep16

    greggtwep16

    Joined:
    Aug 17, 2012
    Posts:
    1,546
    Other than the hackers themselves, no one knows what they have or haven't done once they breached the servers. So the list of what they've done may be long or short. But from what we know they:

    1. Didn't follow disclosure protocol
    2. Actually breached and took over the website

    Either of these clearly shows they are not white hats; grey hats at best, or more likely black hats. White hats are great, and if they follow the protocol of notifying the company, with a set number of days before the public is notified (not taking over the website), that is a great service for us all. Black hats are definitely bad. Grey hats are debatable, but there isn't really any ground to stand on unless the protocol has been followed first and ignored.
     
    Setmaster likes this.
  9. goat

    goat

    Joined:
    Aug 24, 2009
    Posts:
    5,182
    That group is on record in interviews saying they are selling customer data to criminal organizations. They are crooks, no need for debate.
     
  10. ForceX

    ForceX

    Joined:
    Jun 22, 2010
    Posts:
    1,102
    My assumption is that they did this in an attempt to gain access to user payment information. We have the Asset Store and now Unity as a service. That's two payment sources with a huge pool of users. When this wasn't successful they just resorted to vandalism of the site.

    Still, if you have a credit card on file with Unity, just watch it a bit more closely. If you use PayPal you're probably fine.
     
  11. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,554
    Precisely. That's why I recommend removing it. No need to advertise anyone. Especially if:
     
  12. ForceX

    ForceX

    Joined:
    Jun 22, 2010
    Posts:
    1,102
    You're right, it could be seen as a victory mark. Removed.
     
  13. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    They basically tried to hold the site to ransom. When I first tried to access it yesterday morning every page was replaced with a banner. It basically said "Come visit our site and pay us money to get your site back".

    That makes them malicious in my book.
     
  14. elmar1028

    elmar1028

    Joined:
    Nov 21, 2013
    Posts:
    2,355
    That's strange, I haven't received an email from them. It could be because I signed out from the newsletter :p

    Wait, I thought they only hacked the forums, asking the owners (Unity) to contact them to restore the forums. Didn't know they actually held the Unity website for ransom.
     
  15. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    The Unity forums were up for ransom, the rest of the website was fine.

    It was somewhat disturbing to me to realise how many times a day I log into this place ;)
     
  16. GarBenjamin

    GarBenjamin

    Joined:
    Dec 26, 2013
    Posts:
    7,441
    A strong (and unfortunate) reason the Internet and whole digital age thing can never really reach its full potential. Every time people become (near) fully relaxed using it crap like this happens to put everyone on guard again. Another plus for my grand plan to one day "go off the grid".
     
    theANMATOR2b likes this.
  17. elmar1028

    elmar1028

    Joined:
    Nov 21, 2013
    Posts:
    2,355
    That's strange. I saw a banner yesterday, but no sign of them saying that they were holding forums for ransom.

    You have like 13,000 posts and I joined weeks before you :p
     
  18. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    20,964
    Honestly it's not as bad as it seems. Remember Unity doesn't exactly have a track record for web development. After the entire fiasco with that broken forum software we had, I'm not at all surprised that they got themselves hacked, and it's good to see that they've acknowledged in their blog post that they had a security problem.

    One thing this has encouraged me to do though is start looking into a password manager so I can use tougher passwords without the risk of forgetting what they are. I already use random strings of characters for my web hosting passwords but I'm thinking of using them for everything now.
     
    elmar1028, GarBenjamin and Kiwasi like this.
  19. GarBenjamin

    GarBenjamin

    Joined:
    Dec 26, 2013
    Posts:
    7,441
    Oh yeah I get that. Other than here I use a pretty strong password as well. But sometimes I just get tired of it all. Tired of even thinking about all of these thieves. lol

    It's like the morons running around stores with CC readers in their pockets. Just this new wave of thieves makes me sick. At least the ones from decades ago had the guts to pull a knife or a gun (granted, still a very cowardly thing, but still in person instead of hiding in the shadows). It'd be different if they were just more bold in real life; then we could kick their ass. But no, this modern thing... the Internet makes everyone feel like a Billy Bad Ass because they can hide. [/end of rant]
     
    Deleted User likes this.
  20. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,615
    I've been thinking that for a while now. The main roadblock for me is the sheer number of devices I use my passwords on.
     
  21. Meltdown

    Meltdown

    Joined:
    Oct 13, 2010
    Posts:
    5,816
    Well I tried to update my password and....

     
  22. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,615
    I got that too, but the new password seemed to have been applied anyway.

    Just in case, I'll be changing it again soon...
     
  23. greggtwep16

    greggtwep16

    Joined:
    Aug 17, 2012
    Posts:
    1,546
    You guys have a lot of confidence that Unity has removed the hackers' presence from their servers, especially since their email stated to change your password and there are currently issues with updating your password. Password changing is surely important, but only after the issue is completely resolved. It takes time to crack properly salted/hashed passwords en masse; however, in transit is a weaker point if they aren't completely gone.
     
  24. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,615
    I didn't get any email to make me wary of such things.

    You're assuming they're "properly salted/hashed". I don't know that. They should be, but in so many cases they aren't. (Edit: Even the official thread talks about "poorly implemented password routines" without saying exactly what was "poor" about it.)

    And no, I don't put a lot of trust in Unity... at least no more trust than I do in any other site that I need to give a password, which is little, because you never know what's going on behind the scenes, who's doing it, or how competent even the honest ones are.

    If you want secure passwords then they need to be long, they need to be unique on a per-account basis, and they need to be changed regularly. Which is difficult and painful, hence password managers being useful.
     
    Meltdown likes this.
  25. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,015
    I switched to using long, purely random passwords many years ago. I generate a different random password for every login. Too many people try to use a password they can remember, and that is scary because memorable passwords are usually guessable.
     
  26. greggtwep16

    greggtwep16

    Joined:
    Aug 17, 2012
    Posts:
    1,546
    This is the post that indicated they are properly salted/hashed.

    https://www.reddit.com/r/Unity3D/comments/68htdw/unity_forums_hacked/dgz96ci/

    That particular post isn't from a Unity employee, but they were in the thread and seemed to indicate that the 3rd party mentioned was used. I'm sure they do have other security issues, and perhaps you're right that they aren't, but Unity has tended to rely on 3rd parties for forum software.

    There was an email sent out by the hackers to most users and it tried to make them look like white hats and also stated to change your passwords.

    I also don't trust Unity to have things figured out at this point and it feels a bit too soon to change it. I don't reuse passwords though and usually black hats target financials which my Unity account doesn't have.
     
    Last edited: May 2, 2017
  27. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,615
    My distrust isn't specific to Unity, it's broad and general. It only takes one individual to make one mistake, and the best way to compartmentalise the results of that is to have unique passwords so that accounts are only compromised one at a time when it happens.
     
  28. neginfinity

    neginfinity

    Joined:
    Jan 27, 2013
    Posts:
    13,554
    IMO: When in doubt, use Murphy's law.

    Right now you're making a guess based on pieces of unverified information you found on the web. This is not a good idea.
     
  29. UziMonkey

    UziMonkey

    Joined:
    Nov 7, 2012
    Posts:
    206
    Has there been any official word on whether the password hashes were accessed? All I've seen from them is a Reddit comment more or less saying "don't worry, they're hashed." That's not reassuring considering tools like hashcat can chew through millions of guesses a second or something crazy like that; if they were stolen you can guarantee they're being brute forced right now. If they've been shared, then hundreds of people all over the world could be working on brute forcing them.

    Unity is being less than transparent about the most important part of this situation, and that's a problem. There's other information that could have possibly been accessed as well, such as credit card information. If the forums are on completely different servers and they were not able to access all that stuff and everything is fine, then they should just say that. Don't leave us guessing.

    Regardless, change your Unity password and if you used that password anywhere else change it there as well. You shouldn't be using the same password on multiple sites for this exact reason.
     
  30. Setmaster

    Setmaster

    Joined:
    Sep 2, 2013
    Posts:
    239
    Unity said in their blog post that "our investigations show no theft of passwords in this attack", so I guess not.
     
  31. greggtwep16

    greggtwep16

    Joined:
    Aug 17, 2012
    Posts:
    1,546
    I hear what you're saying; either way it is an assumption, though. Either way, you shouldn't share passwords with other sites for this very reason, so the risk would be minimal. I don't have anything financial tied to Unity and don't share passwords.

    You either feel that you should change your password for Unity now because of the breach, or you are a bit hesitant to because the hackers still might have a presence on their servers and specifically wanted you to change them.

    Assumption 1 would be great if they don't have a presence and you changing it would leave you safe if they had access to the database and they are trying to crack it or if it wasn't properly hashed/salted and had your old password. Assumption 1 would be bad if they have a listener for when you change a password.

    Assumption 2 would be bad if they aren't hashed/salted properly as they have your current password. Assumption 2 would be good for a bit if they are hashed/salted properly and it will take them time to run through the database and you aren't transmitting a new one over the network.

    Everyone is free to pick whichever they think is more likely and hopefully practiced good hygiene in the first place.
     
  32. angrypenguin

    angrypenguin

    Joined:
    Dec 29, 2011
    Posts:
    15,615
    Or you don't care, or you change it multiple times...
     
  33. greggtwep16

    greggtwep16

    Joined:
    Aug 17, 2012
    Posts:
    1,546
    Multiple times is the safest bet for sure.
     
  34. Le_Tai

    Le_Tai

    Joined:
    Jun 20, 2014
    Posts:
    442
    FYI these same guys also hacked some popular YouTuber recently and changed their video's title and description. It's weird that I didn't receive any mail. If they breached the email database they should have all of our mail, right?
     
    Last edited: May 2, 2017
  35. ForceX

    ForceX

    Joined:
    Jun 22, 2010
    Posts:
    1,102
    Actually they used the Unity Forums messaging system to send the emails. So the email came from the noreply address of Unity.

    I won't claim to understand why some of us received the message and others didn't.
     
    Last edited: May 2, 2017
  36. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    11,631
    I tried to log in on the forums and was told that my password "expired". So I'm guessing Unity is making it mandatory that everyone changes their password.

    But... why?

    According to Unity, passwords were not stolen. Also I don't think the hackers defacing the forums has anything to do with the user passwords. They probably found access in another way.

    So why are we the users forced to change our passwords?

    Seems fishy. Care to offer any explanations Unity?

    If there is a chance the hackers got the passwords, we should know.
     
    Kiwasi likes this.
  37. QFSW

    QFSW

    Joined:
    Mar 24, 2015
    Posts:
    2,906
    I haven't been prompted to change my password yet, so not sure if you're an isolated case or not.
     
  38. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    11,631
    Log out and log in again.
     
  39. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    I've got all email notifications from the forums turned off. And I didn't receive an email. I'm picking that's the reason.

    It's annoying. And it also requires a resign in everywhere, including the editor. And it's now mandatory once a year. Seems like a pain just for the sake of the appearance of security changes, as opposed to actually increasing security.

    It's not like the hackers used my password to break into the forums.
     
  40. QFSW

    QFSW

    Joined:
    Mar 24, 2015
    Posts:
    2,906
    Got it now, thanks :)
     
  41. DominoM

    DominoM

    Joined:
    Nov 24, 2016
    Posts:
    460
    It's also likely that the hack was caught before all the emails were sent and the job queue sending them was cancelled.
     
    Kiwasi likes this.
  42. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    20,964
    It's poorly implemented too. I was able to enter the exact same password I had been using. :p
     
    Kiwasi likes this.
  43. HemiMG

    HemiMG

    Joined:
    Jan 17, 2014
    Posts:
    911
    Dang. I wish I would've thought to try that. It would save having to update the password on half a dozen devices. I did think it was odd they didn't ask me to confirm the password. That's so standard that I even double check the domain name to make sure it wasn't some elaborate phishing scheme. Come to think of it, they were hacked, are we sure it isn't one?
     
  44. chelnok

    chelnok

    Joined:
    Jul 2, 2012
    Posts:
    680
    I just tried to log out / log in, but didn't get the "expired" notice.
     
  45. HemiMG

    HemiMG

    Joined:
    Jan 17, 2014
    Posts:
    911
    When did you last change your password? When it happened to me, they said that passwords need to be changed after a year. Maybe your current one is fresher than that?
     
  46. chelnok

    chelnok

    Joined:
    Jul 2, 2012
    Posts:
    680
    @HemiMG I don't believe I have ever changed my password (4 years or so).
     
  47. HemiMG

    HemiMG

    Joined:
    Jan 17, 2014
    Posts:
    911
    That's strange. I don't know what triggers it then. It seems like something they rushed in, though. Sites usually (always?) make you confirm the password and make sure you don't enter the previous password, but they did neither of those, apparently.
     
  48. GarBenjamin

    GarBenjamin

    Joined:
    Dec 26, 2013
    Posts:
    7,441
    Why is there no official participation from Unity in here? As @HemiMG mentioned, how do we even know the problem has been resolved? For all we know the hackers are currently in control of and running the site.

    Of course, even if a post was made by a Unity rep, that still wouldn't prove anything, as the hackers themselves would be able to do that. Still, hey hackers, you can at least participate in the discussion to give everyone a false sense of security. :)
     
    HemiMG likes this.
  49. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    11,631
    There's an update here:

    https://blogs.unity3d.com/2017/05/01/unity-forum-hack-update/

    Which contains this:

    Does that mean that for those of us that were prompted to change our password, our accounts were compromised?
     
    chelnok and kittik like this.
  50. HemiMG

    HemiMG

    Joined:
    Jan 17, 2014
    Posts:
    911
    I'd like to know too. For me, the FAQ just created another Q and gave very little in the way of an A. ;-)
     
    Martin_H and kittik like this.