Why Gaming Network Hacks Prove The Need for Two Factor Authentication

If you’ve been wondering why you can’t sign into your gaming network, it might be because the service has been hacked. This is something that has happened all too often in recent years, and it continues to happen on a massive scale and in individual cases.

Avoidance is best achieved through vigilance (which might mean regularly changing your password and employing two-factor authentication where possible), but to give you an idea of the scale of the problem, here’s a rundown of five gaming network hacks in recent years.

Sony PlayStation Network

In April 2011, the Sony PlayStation Network was breached, with the hack (which affected PSN, Qriocity, now Music Unlimited, and the Sony Online Entertainment SOE subscription service) resulting in the data of as many as 77 million people being stolen.

According to Sony, a variety of personal data types were accessed, such as name and address, PSN login details, email address, DOB and even credit card details. While the latter were encrypted, the strength of the encryption has been in doubt ever since.

As a result of the breach, which Sony took responsibility for and worked to improve their security, Sony gave customers digital goods as part of a $15 million settlement in response to a class-action lawsuit. Having your PlayStation account hacked is no fun, as our own James Bruce discovered.

Since then, Sony’s online security has improved. Apart from 2014’s North Korea-blamed attack on Sony Pictures, of course.

The Ghost of Christmas Hacks

Back in December 2014, while the world was shaking its head over the reactionary response to the Sony Pictures hack, an Anonymous-affiliated group called Lizard Squad targeted Amazon, Ubisoft, Hulu, Microsoft’s Xbox Live system, PSN, and online gaming site Twitch.tv among others.

The resulting attack knocked Xbox Live and PSN offline over Christmas. For those with new hardware from Santa Claus, this was a disaster. Later, Lizard Squad leaked a relatively modest 13,000 accounts.

Appearing on the BBC’s Radio 5 Live, two men claiming to be from Lizard Squad said that they had been acting in the “public good”:

“[We did it] largely to raise awareness regarding these issues. …We are also doing it to amuse ourselves but there is definitely the aspect of the public good involved.”

There’s nothing better than screwing people over in the name of the public good at that time of year that promotes peace and goodwill to all men, is there?

Hacking Boiled Water Vapor

PC uses chortling away to themselves over the ineptitude of the PSN and Xbox Live might do well to remember that various desktop-based game distribution and achievement recording services have been hacked over the years.

Most memorable is Steam, which in mid-2015 was the subject of a bug in the forgotten password retrieval system which attackers could use to hack user credentials. Embarrassingly, the retrieval tool could be used without all of the supposedly required information being entered, as depicted here.

Valve soon confirmed the bug, which existed from 21-25 July, and enforced a password change on all accounts that had reset their passwords during this time. Additionally, the affected accounts were locked down for five days.

Ubisoft UPlay

Possibly the most unpopular video game publisher in the world, Ubisoft was hit by a major breach in 2013, affecting the Uplay servers – those ones that insist on being contacted by your games in order to authenticate the aggressive DRM system.

(How anyone could have an axe to grind against Ubisoft continues to baffle me, but there you go…)

In a statement, the French company advised:

“We are recommending you to change your password. Out of an abundance of caution, we also recommend that you change your password on any other Web site or service where you use the same or a similar password.”

Names, email addresses and encrypted passwords were stolen in the hack, although Ubisoft insists that financial data is (rightfully) stored separately. Prior to the hack, user accounts were already targeted by hackers, so none of this came as a huge surprise.

It’s just a shame Ubisoft didn’t spend as much time and money protecting the data of its paying customers as it did imposing DRM.

GOG Credentials Hacked

Fans of retro games love GOG, a digital distribution service that offers DRM-free versions of classic titles stretching back to the 1990s. But even GOG.com users are subject to having their accounts hacked.

muo-gaming-w10-retro-drm-gog

While there has been no mass hack resulting in credentials being leaked, GOG does have a bit of a poor record when it comes to responding to individual accounts that have been hacked. This isn’t a reason to avoid using the service (it’s a great way to revive old titles and guarantee they will work on your machine, particularly useful to Windows 10 users), but it is worth remembering that if your account is hacked, you may have a bit of a wait for GOG.com’s support people to provide a resolution.

Your Gamer Accounts Are Gold to Hackers

The lesson here, of course, is that your gaming accounts are just as important as your banking and online shopping accounts. Employing regular password changes (creating a memorable-yet-secure password isn’t as hard as you think) and two factor authentication wherever possible are your best options for keeping things secure at your end, but if the hack happens on the game network’s server, then you have the option of abandoning that service.

While this may mean that you can no longer play your game(s), you will have improved your security.

Is this a step you’re willing to take? What can gaming networks and digital distribution services do to improve the situation? Tell us your feelings in the comments.