GameMaker Forums Hacked – Unencrypted Passwords Leaked

Updated 22/04/2013 – ‘Exclusive: Interview With The GameMaker Community Hacker’

The official GameMaker Community forums (GMC) have been inaccessible over the past 48 hours, and today YoYo Games, the developers behind GameMaker: Studio, have announced that this was due to the discovery of a successful hacking attempt. Between 5000 and 8000 user accounts are estimated to have been compromised by a password logging script which was introduced to the core files within the GMC’s forum software, IP.Board (IPB). It is also possible that the email addresses of all 216,000+ registered members have been compromised.

Mike Dailly, head of development at YoYo Games, addressed the issue today saying “We don’t know how long this has been active, or if they ever downloaded [the data], but to be safe I’d assume all username and passwords used on here are now known by someone else,” further advising users of the popular forum to “change your passwords as soon as possible.”

While passwords stored within the forum’s SQL database are hashed, the attacker’s change was made directly to a local PHP file that processed login attempts. Credentials submitted at login were therefore not protected by that hashing. The forum’s long-outdated software has been blamed for the vulnerability, and YoYo Games have taken steps to upgrade IPB to a newer version now that the hack has been uncovered. This resulted in significant downtime on the forum over the past 12-24 hours. The forum theme has been reset to the default IPB theme, though this is only temporary.
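
Because the tampering was to a file on disk rather than to the database, it is the kind of change a file integrity check can surface. As an added example (not code from YoYo Games or IP.Board), this Python script compares deployed PHP files against a SHA-256 manifest built from a clean copy of the same release; the file names are hypothetical and the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, pattern: str = "*.php") -> dict:
    """Map each relative path under root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob(pattern)) if p.is_file()}


def compare(baseline: dict, deployed: dict) -> dict:
    """Return files modified, added or missing relative to the baseline."""
    return {
        "modified": sorted(f for f in baseline.keys() & deployed.keys()
                           if baseline[f] != deployed[f]),
        "added": sorted(deployed.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - deployed.keys()),
    }


def demo() -> dict:
    """Constructed sample: a clean tree, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "sources").mkdir(parents=True)
            # Hypothetical file names, not IP.Board's real layout.
            (root / "index.php").write_text("<?php // front controller\n")
            (root / "sources/login.php").write_text("<?php // verify hash\n")
        # Simulate tampering: the login handler changes, a new file appears.
        with (live / "sources/login.php").open("a") as fh:
            fh.write("// unexpected extra code\n")
        (live / "sources/cache_tmp.php").write_text("<?php // unknown file\n")
        return compare(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

The baseline manifest has to be built from a trusted copy of the release and stored where the web server account cannot rewrite it.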

The exploit, which is the largest that Game Maker Blog has ever reported, allowed the attacker to compile a significant list of private information which may be sold on the online black market. Websites operated by YoYo Games have been hacked multiple times in the past; typically, however, the attacker introduced a rogue advertisement, which may be considered harmless in comparison to this exploit. YoYo Games have only issued a brief announcement on the GMC regarding the hacking, so many users are unlikely to be aware that their details have been leaked.

Since the logging script recorded both successful and failed login attempts, users affected by the GameMaker Community forum hack should consider whether their other online accounts have also been compromised, and should take appropriate steps to address this problem as soon as possible.