
Update on the Unity Forum Hack.

Hi all,

On April 30, our public forum website was attacked and successfully compromised due to poorly implemented password routines; our investigations show no theft of passwords in this attack, nor impact to any other Unity service.

However, the attack did result in defacement of the site (which has since been fixed) and subsequent messaging to all of our registered forum users.

We’re actively working to improve the authentication options in our services, and to help protect your data we’ll be rolling out the following in the next few weeks:

2FA Authentication

2FA will enable you to use one-time passwords tied to the Unity Authentication platform. This will also be enforced in the forums.

Device Identification

Device Identification will alert and/or prompt you if a new PC or mobile device tries to connect to a Unity service with your credentials.

Password Policy

Enable a per-organization password reset, rotation and strength policy.


We’re sorry. We know you put your trust in us. We will learn from our mistakes.

Andreas Haugsnes

Director of Security


-----

Update: May 2

Thanks to all of you for waiting patiently. In Security, we’ve been looking at every question that you’ve submitted and are making our best effort to answer them. Below is a list of the most frequently asked questions, and we hope this addresses a few of your concerns.

Q: What steps are you taking to help prevent this attack from happening again?

A: As posted in the original blog entry, we’re rolling out three key features for authentication and password management. With these features, each registered user and organization will over time have more control over their security features at Unity. These controls will give us new insights into unauthorized access attempts, helping us better detect and combat such attempts.

Q: Are the forums safe to use now?

A: There’s no such thing as perfect or complete security, especially for high risk targets like public forums. In this case, we’ve identified the entry point for the unauthorized access and have since closed it. The forums have been restored from backups to the state prior to the incident to remove any data the unauthorized access may have caused to be left behind.

Q: Was my e-mail address exposed?

A: There was unauthorized access to servers and an unauthorized email blast. This means that email addresses were exposed. However, this does not necessarily mean that any or all of those email addresses were separately collected and stored. This is part of the ongoing investigation.

Q: How did Unity store the passwords on the forum?

A: No passwords were stored in the forum database.

Q: Is my password at risk?

A: Our investigations have determined that no passwords were stolen in this incident. No one can ever guarantee the safety of your passwords, thus reasonable measures should always be taken to protect them. For instance, subscribing to user and password compromise notification services, while protecting your accounts with unique passwords in a password manager, can help reduce your exposure considerably. The combination of having a unique password per site, and changing them frequently, also assists in increasing your security.

Q: Is Unity taking any additional actions to help protect my passwords?

A: Yes. The first phases of “Device Identification”, as mentioned in the original blog post, have started to roll out. If we detect that your registered account has been brute-forced or flagged in a compromised account list (“known hashes”), you will be prompted to reset the password on next login.
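The two triggers named in this answer (repeated failed logins against an account, and a password that appears in a list of known-compromised hashes) can be illustrated with a small defender-side check. The following is an added example, not Unity's code; it assumes a constructed authentication log, a constructed set of leaked-password hashes, and hypothetical thresholds (5 failures within 10 minutes). Only digests of leaked passwords are kept, never plaintext, and the candidate password is hashed solely for the lookup.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample of authentication log events: (ISO timestamp, account, outcome).
# These are invented for the example; they are not Unity's logs.
SAMPLE_EVENTS = [
    ("2017-05-02T10:00:00", "alice", "fail"),
    ("2017-05-02T10:00:05", "alice", "fail"),
    ("2017-05-02T10:00:09", "alice", "fail"),
    ("2017-05-02T10:00:14", "alice", "fail"),
    ("2017-05-02T10:00:20", "alice", "fail"),
    ("2017-05-02T10:00:25", "alice", "fail"),
    ("2017-05-02T10:01:00", "bob", "fail"),
    ("2017-05-02T10:05:00", "bob", "success"),
    ("2017-05-02T11:00:00", "carol", "success"),
]

# Constructed "known hashes" list: SHA-256 digests of passwords from a hypothetical
# public breach dump. A real list would be loaded from a file or a lookup service.
KNOWN_COMPROMISED_HASHES = {
    hashlib.sha256(p.encode("utf-8")).hexdigest()
    for p in ("fluffy123", "password1", "qwerty")
}

FAIL_THRESHOLD = 5                 # hypothetical: failures that count as brute force
WINDOW = timedelta(minutes=10)     # hypothetical: sliding window for those failures


def failures_in_window(events, account, now_iso):
    """Count failed logins for `account` in the WINDOW ending at `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    cutoff = now - WINDOW
    return sum(
        1
        for ts, acct, outcome in events
        if acct == account
        and outcome == "fail"
        and cutoff <= datetime.fromisoformat(ts) <= now
    )


def is_brute_forced(events, account, now_iso):
    return failures_in_window(events, account, now_iso) >= FAIL_THRESHOLD


def in_compromised_list(candidate_password):
    """Hash the candidate and look the digest up; the plaintext is never stored or logged."""
    digest = hashlib.sha256(candidate_password.encode("utf-8")).hexdigest()
    return digest in KNOWN_COMPROMISED_HASHES


def login_decision(events, account, candidate_password, now_iso):
    """Return ("RESET_REQUIRED", reasons) when the account should be forced to reset
    its password on this login, else ("OK", []). The two reasons mirror the post:
    brute-force activity, or a password present in a compromised list."""
    reasons = []
    if is_brute_forced(events, account, now_iso):
        reasons.append("brute_force")
    if in_compromised_list(candidate_password):
        reasons.append("known_compromised_password")
    return ("RESET_REQUIRED", reasons) if reasons else ("OK", [])


if __name__ == "__main__":
    now = "2017-05-02T10:02:00"
    checks = [
        ("alice", "S0me-l0ng-unique-pw"),          # many recent failures
        ("bob", "fluffy123"),                       # password is in the leaked list
        ("carol", "correct horse battery staple"),  # nothing suspicious
    ]
    for account, pw in checks:
        print(account, login_decision(SAMPLE_EVENTS, account, pw, now))
```

In production the brute-force counter would also key on source address and the compromised-list lookup would use a prefix-based (k-anonymity) query against a breach service rather than a local set, but the decision logic stays the same: either signal alone is enough to require a reset at next sign-in.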

Q: What should I do to protect myself?

A: While we can’t give advice in individual cases, here are some general recommendations and best practices:

  1. If you received the e-mail sent by “ourmine” via Unity’s systems, discard it.
  2. Check if your address has been a part of a prior breach.
  3. If your information was leaked on other sites, make sure to change your passwords.
  4. Use a password manager to reduce your exposure.

60 Comments



  1. Will 2FA support Google Authenticator or Authy? Or, will it use SMS?

    I ask because of the SS7 routing protocol issues reported a couple of weeks ago.

    (i.e., https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/)

  2. Don’t try to tell me you didn’t expect a virtual attack. Public forums are one of the most attractive hack targets, and it is only a question of time before the next attack occurs. Welcome to reality: sooner or later everything becomes a target for hackers, and better security is only a better challenge for hackers, because something like “hack-proof security” doesn’t exist and it never will.

  3. Anne Schmidt

    May 7, 2017 at 9:04 pm

    Hi,

    I’m glad to know that the forums are as secure as can be again! Nice work!

    I changed my password during the time the forums were down and everything went fine. There is something though that I’d like to know: what is the length limit for a password here? I haven’t seen this mentioned anywhere.

    Thank you.

  4. jwvanderbeck

    May 7, 2017 at 7:16 pm

    Please don’t force regular password changes. Forced password changes result in less secure passwords overall rather than more secure passwords! This has been shown time and time again in study after study. The average user, when prompted to change regularly, tends more often to choose less secure passwords than they normally would so that they can be remembered, and they also tend to choose patterned passwords. In fact, studies have shown that when passwords are changed often, not only are the passwords used by users less secure than they otherwise would be, but due to the patterned passwords it is much easier to determine what future passwords would be, completely nullifying the entire purpose of regular password changes. So you are left with no benefit, and worse passwords.

    1. I concur. I am the IT lead for my company, and we have moved from forced changes to higher quality standards and encouraging use of password managers so machine-generated random passwords become practical for nontechnical users. I’ve seen too many cases of forced password refreshes causing users to implement low-quality passwords in a predictable pattern.

  5. I guess we have to assume, based on the fact it was asked several times and always ignored or side-stepped, that our passwords were not hashed. I use a password manager so it’s not a big deal to me, but that information should be owned up to so anyone who is using a password they use anywhere else knows for sure they need to go change it, regardless of whether Unity thinks passwords were accessed or not.

    1. We do not store passwords in plain text or reversible hash.

  6. Gerold_Meisinger

    May 3, 2017 at 11:38 am

    Were the passwords salted?
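The exchange above (the reply that passwords are not stored in plain text or as a reversible hash, and the follow-up question about salting) can be made concrete with a small example of what a salted, one-way password record looks like next to an unsalted digest. This is an added illustration, not a description of Unity's forum software; it uses PBKDF2-HMAC-SHA256 from Python's standard library with a hypothetical iteration count and record format.

```python
import hashlib
import hmac
import secrets

# Hypothetical parameters for the example; a real deployment tunes these to its hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def unsalted_digest(password):
    """The weak form: a bare hash. Identical passwords give identical digests, so
    records are linkable across users and a precomputed table cracks them in bulk."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """The hardened form: a per-user random salt and a slow, one-way derivation.
    Returns a self-describing record 'alg$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password, record):
    """Re-derive with the stored salt and iteration count and compare in constant time.
    The original password cannot be recovered from the record; it can only be checked."""
    alg, iters, salt_hex, hash_hex = record.split("$")
    if alg != ALGORITHM:
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(derived.hex(), hash_hex)


def records_are_linkable(record_a, record_b):
    """True when two stored records reveal that their passwords are identical.
    Holds for bare digests; does not hold for salted records."""
    return record_a == record_b


if __name__ == "__main__":
    pw = "fluffy123"  # constructed sample; appears elsewhere in these comments
    print("unsalted, user 1:", unsalted_digest(pw))
    print("unsalted, user 2:", unsalted_digest(pw))   # identical: linkable
    r1, r2 = hash_password(pw), hash_password(pw)
    print("salted,   user 1:", r1)
    print("salted,   user 2:", r2)                    # different salts: not linkable
    print("verify correct:", verify_password(pw, r1))
    print("verify wrong:  ", verify_password("fluffy124", r1))
```

The point the commenters are circling is visible in the output: with a bare digest, two users sharing a password produce the same stored value, while with a random salt each record is unique and the only operation the store supports is "does this candidate match", never "what was the password".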

  7. I have another security suggestion for Unity. As an Asset Store publisher I frequently receive UnityPackages from strangers (customers) asking for support. A malicious attacker could easily embed scripts in the package that would immediately execute as the package is importing. Other programs (Blender, Visual Studio etc…) prompt me before allowing scripts in downloaded packages to execute. I would suggest Unity implement a similar system.

    It is only a matter of time before hackers notice Unity’s large user base and begin to exploit this.

    1. Thank you for the feedback and suggestions. This is an area we’re heavily focused on and hope to be sharing updates soon.

  8. Thanks team!

    2FA will be sweet

  9. Strange and scary… Could not change my password. Always getting errors. Is it still in a compromised state?

    1. Matthew Pruitt

      May 2, 2017 at 11:21 am

      The forums are no longer compromised. Please reach out to our support team for assistance (https://unity3d.com/contact).

  10. Adam Gascoine

    May 1, 2017 at 11:31 pm

    Kudos for the response. Great community management and honesty.

  11. Unity is not being completely honest here. If it was just the forum being compromised then why did I receive an email that stated my credit card number which is just used for my Unity subscription?

    When I saw that I immediately called and had that card cancelled. But there is no way it could have been obtained anywhere else because I only use it for my Unity sub.

  12. Hi! I can log in to all services, but when I try to log in to the forums I get the following error: “Unity Community – Error | Email addresses must be unique. The specified email address is already in use.”

    PS: My email address is attached to my name.

    1. Matthew Pruitt

      May 2, 2017 at 11:15 am

      This is not related to the compromised situation with the forums – please contact our support team (https://unity3d.com/contact).

      1. Thanks!

  13. I had a very difficult password and basically it was not crackable without eons of parallel compute power but I know for a fact that thieves stole it from an internet site that I use it on and then proceeded to use it to log into my credit card account. Also I started getting inundated with phishing emails.

    LOL, well honestly it’s stupid to do so. Don’t they have a clue as to the average debt many people carry and their meager savings? I read a few of those articles and it’s clear the criminals are embarrassed at how little they’ve been able to steal. They’d have a higher chance of success by applying for one of their government handouts for an IT startup small business funding and building something legitimately good.

    Anyway…so I went through and created a 1/2 dozen long-winded email addresses – one for each place, turned on 2 factor authentication where it was possible, and again very long and un-crackable passwords that I don’t keep written down on my computer…

    I use different browsers according to what I’m doing… i.e. I won’t use Unity or 3D modeling sites in the same browser I use to do banking… I use those browsers’ password management facilities so they’ll be encrypted and can’t be gotten with a keyboard logger…

    …but it can all be broken in a minute if those password databases at those remote sites aren’t secured properly.

    And yes, it’s OK to have your own opinion about forums but they need every bit the same security as financial internet sites and both could use a lot more security.

    That said, I’m impressed with the improvement in password and internet security at most places. It won’t be long before political and criminal abuse of login accounts is a thing of the past.

    Thanks for the quick repair.

  14. Am I reading this right that 2FA is going to become a hard requirement?

  15. Do you recommend resetting passwords at this time or should we wait until the investigation is complete?

    1. As a rule of thumb, if you need to ask that question it’s usually the time to do it.
      (not trying to be funny or sarcastic)

    2. Sara Cecilia

      May 1, 2017 at 5:06 pm

      It is recommended to change your password on a regular basis. While your password was not accessed as part of this incident, we do encourage you to do so.

      1. I thought research showed the opposite. Regular email changes (especially when forced) lead to weaker security. Users struggle to remember passwords when they have to come up with new ones often and use them for short periods. So the tendency is to go for simpler passwords and/or write them down.

  16. Wow. Very quick recovery. Nice Unity!

  17. Quick recovery. Nice work guys.

  18. It was Russia ?

    1. Andrey Sirota

      May 1, 2017 at 3:20 pm

      Yes we are

  19. Thank You Unity

  20. The forums were clearly rolled back, but there’s no mention of this. I lost posts. Are these lost forever or will they be recovered?

    1. Sara Cecilia

      May 1, 2017 at 5:12 pm

      We restored a backup of the forums timestamped at 14:01 CEST on 4/30. Unfortunately, any posts made after that backup were lost. We apologize for this major inconvenience.

  21. Thanks for this update. I haven’t seen a weird email, so I guess I’m lucky :)

  22. I didn’t get an email from the hack incident btw. Does that mean I’m special?

  23. I agree with mgear; whilst it’s reassuring to hear passwords were not accessed, I feel there is far too little information here.

    For example it appears all unity accounts received the email from the hackers, does this mean they have access to our email addresses or did they just use some internal server method that sent out posts to the emails in the database? i.e. they did not actually have access to actual addresses just a mechanism to send to them all.

    They mention accessing the database, so what information is stored in the database and what information could they use?

    Even if the hacker group did not access or use the database the fact that there is an exploit could have meant someone else did, what steps have Unity taken to ensure this hasn’t happened in the past?

    Does Unity suggest resetting our password or not or to wait until these new systems are in place?

    It’s confusing that the forum website has its own profile/settings page, with two-step verification (not Unity ID 2FA), yet the profile itself is tied into one’s Unity ID. It also feels rather bad that every Unity service from website to editor is tied into the same Unity ID and thus the same password, since if that is ever exposed via one service it compromises all services.

    The forums already have two-step verification; will this be replaced with 2FA?

    As for 2FA on the forums, that is going to be frustrating considering I’m signed out every few days for no apparent reason. This seems to occur with all Unity services, including the editor! While I’ll take 2FA for the added security, it’s going to add even more frustration to this issue, so I’d like to see it addressed.

    1. I agree completely.

    2. Sara Cecilia

      May 1, 2017 at 5:01 pm

      To answer some of your questions:

      – The email received by our users was sent using the forum’s built-in mass email feature.
      – Unity is committed to providing the most secure and trusted service to our customers. We have implemented immediate changes to our credential management system across our user base. We will be rolling out a number of changes in the next few weeks to improve our service further.

      1. Thanks for the reply, however:

        1. You didn’t answer whether or not our emails were also exposed by the hack or if the use of the forum mailer meant they were not?

        2. This doesn’t answer any of my questions.

        I can appreciate some aspects of my questions might need longer to ascertain, in which case just tell us that.

        1. Thanks for your patience while we continue our investigations. The blog above has been updated with the latest information.

  24. I guess this means Unity is now also going to force me to pick a password I can’t possibly remember because the first 19 passwords I tried were all “Not strong enough. We don’t like the password you want to use. Pick another one”

    God, how I hate it when someone else decides what my password must be. What’s the point of having a password if you can’t remember it? How “secure” is the password if you have to write it down and save it somewhere where everyone can get to it anyway? Oh that, right, download a third party application and every time you want to go to a site you first open that application, type in the name of the site or scroll down the list till you find it, click on “copy password” then go to the site and paste the password then go back to the other application and close that before returning to the site you were on… Yeah, that sounds like a billion $ worth of fun right there….

    Tell me something… If someone has my forum username and password, how do they use MY login details to deface YOUR site? I know my username and password and I can’t deface your site. How does MY password and how I log into the forum affect the source code of your website?

    Why make my life more frustrating than it has to be because YOU got hacked? Overcomplicate YOUR life, not mine.

    1. Kieron Lanning

      May 1, 2017 at 1:57 pm

      Actually, I know three passwords.

      1. Login to my computer
      2. Login to my phone
      3. Login to my 1Password account

      All of my passwords are randomly generated – usually 64 characters in length – made from alpha/ numeric and symbols, if the site allows.

      Never use the same password twice.

      It’s not hard, it’s rarely annoying, and it’s massively secure.

      1. Having to look up password on a 3rd party website or app every time you need to remember one is of course annoying. You’ve oversimplified the pain in the backside that it is.

        1. That’s the “rarely annoying” part. It IS quite rare. I have to manually copy a password about once every other month (when using a guest or new device).

    2. @Jacco Use LastPass with 2-step authentication and a single strong password you can remember. Also the reason they. It will also auto-complete most password fields on all sites after you set it up. Additionally, they never claimed your password or any user’s password was used to deface the site, read the fucking post. “Poorly implemented password routines” is business talk for someone on their end.

    3. I assume the blogs comment about ‘poorly implemented password routines’ would be at the system level rather than a user level, in that the hack exposed the database. Alternatively it may have just been an exploit in the password routine itself, meaning that some method permitted getting some form of access to database.

      As for your concern about new passwords, there is generally no problem with writing them down, as the majority of hacks will be online and not physical, so a random hacker isn’t going to steal your little black book of logins. However, some caution should be taken: important passwords for banks and the like should be remembered if possible, and you should never store your written passwords with devices that use them – i.e. keeping a list of passwords in your phone’s ‘notes’ application is a bad idea.

      Besides, if you are worried about writing down passwords, you do realize that if you ever have your browser remember logins (on desktops or laptops – unsure about apps) they are available for anyone with physical or remote access to read anyway (they may even be in plaintext too!). If using Firefox then you should at least set up a master password to ‘protect’ your stored passwords, while Chrome will use your account login.

    4. A password you can easily remember is likely to be a password which can easily be cracked. Unity (and most serious websites for that matter) ask you to choose a strong password for your protection. There is no such thing as 100% security, but if your password is strong then hackers won’t be able to crack it.

      Kind of similar to Kieron I know only 1 password, which is the master password for my password manager (I use Keepass). It’s 25 characters long and kind of random (makes sense to me though). I don’t even know my PC password as I can use a PIN code on Windows 10. I have a different password on each account, and I can access them from my PC or my phone. It’s really super convenient and I finally feel really secure. XYZWebsite passwords were stolen? No problem, I know I only have to change my password for this website, and that the hackers were definitely not able to crack the one they stole (but still it’s better to change it of course in the long run).

      1. Alkis Tsapanidis

        May 1, 2017 at 6:57 pm

        The “easy to remember, easy to hack” moniker is a fallacy. Provided there are no max password length policies in place, which some services insist on for some god-forsaken reason, you can make massively secure passwords that are just English sentences. Make up something surreal related to what the password is for. Even if it’s all lower-case Latin and no special characters, I’d like to see a dictionary attack succeed on a made-up sentence 64-character password.

        Sentences that are nonsense tend to be easy to remember and have ridiculous entropy.

        1. You’re right, and that’s why I wrote “is likely to be easy to crack”, not “is easy to crack”. Definitely, if your password is a 64-character-long sentence you’re safe :)
          Unfortunately most people settle for 8~9 character passwords like fluffy123 and whatnot. Anyhow, at the end of the day you should have a different password for each account, hence the necessity of using a password manager.

      2. So a password that can’t be hacked is a password you can’t remember, how nice.

        1. That is not what I said :)
          I said that if it is easy to remember then it is likely to be cracked, but not necessarily if you know what you are doing. I was just referring to the fact that most people use rather short passwords which are easy to remember but also easy to crack.

  25. Ughghgh…. Using the forums is already a pain in the ass since every single inbox notification I get or any email I get that links me to the forum results in a “You need to be logged in first” page showing up. All I have to do is click on anything on that page and suddenly it recognises that I am actually logged in… THEN I can navigate to the inbox or page manually….

    So the site is already a pain to use (even after I notified them of this bug months back) and now they are going to make it MORE of a pain in the ass to connect to the website? Good grief… And there are actually people THANKING them for increasing the frustration levels of using this site?

    I am so depressed by this news that I don’t even know what more to say…

    1. You shouldn’t work in IT, may I suggest a career in bonsai tree gardening?

  26. I think this needs a bit more detail, since they mention having access to the database https://twitter.com/EliotLeo/status/858807115300962307. So just in case, how were the passwords stored there? (And if those passwords are the same on other Unity pages, like the Asset Store, where people might have saved credit card/payment details?)

    1. Sara Cecilia

      May 1, 2017 at 4:52 pm

      A group of individuals gained access to a limited set of data on the forum website. No passwords, payment information, or other Unity properties were compromised.

      1. If that is true, why are you forcing everyone to change their passwords now? Something doesn’t add up.

        If they got a hold of your passwords or any other account information you should let us know ASAP.

        1. Hi Nick, the first phases of “Device Identification”, as mentioned in this blog post, have started to roll out. As part of that rollout, we’ve also further tightened general account security. Any account that needs to have information or identity validated is requested to perform a password reset on next sign-in. Please see the latest update to the blog above for the latest information.

  27. Thank you very much for the update! I am sure it is only partially your fault for not implementing stronger security, but that does not excuse the “marketing” strategy the group used.

    I am excited to see better security policies being implemented and am looking forward to them!

  28. Impressive, Thanks for the honesty and responsibility.

  29. Thanks for the update

  30. Dylan Bennett

    May 1, 2017 at 12:47 pm

    Thank you, thank you, thank you for implementing 2-Fac Auth. This is hugely appreciated.

  31. A nice honest update and some good steps. Thank you.