Codemasters Hacked, First Details

By Jim Rossignol on June 10th, 2011 at 2:47 pm.


Earlier in the week John noticed that all Codies websites were pointing at their Facebook pages. But why? Well, Codemasters have been hacked by miscreants. The British company has started contacting affected persons, and the details of that missive are posted below.

On Friday 3rd June, unauthorised entry was gained to our Codemasters.com website. As soon as the intrusion was detected, we immediately took codemasters.com and associated web services offline in order to prevent any further intrusion.

During the days since the attack we have conducted a thorough investigation in order to ascertain the extent and scope of the breach and have regrettably discovered that the intruder was able to gain access to the following:

Codemasters.com website

Access to the Codemasters corporate website and sub-domains.

DiRT 3 VIP code redemption page

Access to the DiRT 3 VIP code redemption page.

The Codemasters EStore

We believe the following have been compromised: Customer names and addresses, email addresses, telephone numbers, encrypted passwords and order history. Please note that no personal payment information was stored with Codemasters as we use external payment providers, meaning your payment details were not at risk from this intrusion.

Codemasters CodeM database

Members’ names, usernames, screen names, email addresses, date of birth, encrypted passwords, newsletter preferences, any biographies entered by users, details of last site activity, IP addresses and Xbox Live Gamertags are all believed to have been compromised.

Whilst we do not have confirmation that any of this data was actually downloaded onto an external device, we have to assume that, as access was gained, all of these details were compromised and/or stolen.

The Codemasters.com website will remain offline for the foreseeable future with all Codemasters.com traffic re-directed to the Codemasters Facebook page instead. A new website will launch later in the year.

Advice

For your security, in the first instance we advise you to change any passwords you have associated with other Codemasters accounts. If you use the same login information for other sites, you should change that information too. Furthermore, be extra cautious of potential scams, via email, phone, or post that ask you for personal or sensitive information. Please note that Codemasters will never ask you for any payment data such as credit card numbers or bank account details, nor will Codemasters ask you for passwords or other personal identifying data. Be aware too of fraudulent emails that may outwardly appear to be from Codemasters with links inviting you to visit websites. The safest way to visit your favourite websites is always by typing in the address manually into the address bar of your browser.

Unfortunately, Codemasters is the latest victim in on-going targeted attacks against numerous game companies. We assure you that we are doing everything within our legal means to track down the perpetrators and take action to the full extent of the law.

We apologise for this incident and regret any inconvenience caused.

We are contacting all customers who may have been affected directly.

65 Comments

  1. banski83 says:

    Why hit Codies?

    • Axess Denyd says:

      Because it’s there?

    • John P says:

      Something to do? Just seems like twattery without a cause.

    • Cooper says:

      Because you can’t “hit” everything and anything you might want to. I’d guess this is less Codies being specifically targeted, so much as targeting Codies paid off. We never hear about ‘failed’ intrusions…

      Some companies, believe it or not, keep their data very safe.

      Clearly Codies, and other companies who have been “hit” don’t keep their data as safe as they should or could. Someone found a way in. You can be certain people are trying to find ways in to all sorts of company databases, and have not been able to.

      That their businesses are firmly based around computer, internet and information technologies makes these breaches all the more embarrassing.

      Oh, and I’m sure this is twattery with a very specific cause. Thousands of ‘confirmed’ (i.e. actually existing, working, in-use) email addresses, names and phone numbers are worth a heck of a lot to scammers.

    • McDan says:

      @JohnP: we need gaming’s version of Horatio Caine to come and say: ”Why did they do it? We don’t know, all we do know is that they had no just cause (2)”

    • Zacqary Adam Green says:

      Because they can. And that’s the point: if they can, then Very Large Corporation, Incorporated is not doing their job.

      Not that hacking into stuff is good, but as frustrated security professionals will attest, it may be the only way to get some companies to fix things.

    • BAReFOOt says:

      Do you all realize how hacking such sites is done in practice?
      There is no human there, going “IMMA FIRIN MA LAZOR!”.
      It’s a program, automatically scanning IPs for known security holes with existing exploits. And another program, automatically setting up phishing sites and sending phishing mails. By the bazillions.

      That’s why “But who would care about me?” doesn’t work.
      Codemasters seems to have failed at security, the scanner/phisher got triggered, a human got notified, entered the system (probably with Metasploit) using the known exploit, looked around for juicy stuff, and done.
      Simple as that.

      Why? Because.

    • bglamb says:

      No, not “just because”.

      Because this amount of data (email addresses, log-ins and passwords) is worth real money.

      These aren’t just kids doing it for a laugh, this is a business.

    • westyfield says:

      Disgruntled Operation Flashpoint: Cold War Crisis fans, methinks.

    • Zak T Duck says:

      Maybe the hackers were pissed about Codies not planning to announce a new Dizzy game at E3.

    • speedwaystar says:

      because genuine websites do not Fade?

    • whydidyoumakemeregister says:

      Why Codemasters? Because you either have to have a one-time-use Dirt 3 VIP code or pay $10 to unlock multiplayer and vehicles that come on the disc?

    • Ginga121 says:

      Because these guys are complete losers. I’ve read so many stories about them hacking companies in the last half an hour that I’m starting to wish that someone would just shoot them.

  2. Avenger says:

    Is it the industry standard to wait for damn 7 DAYS before informing your customers?

    • JB says:

      Seems that way, doesn’t it. Just got an email from Codies.

    • keith.lamothe says:

      Actually I think the average delay is quite a bit longer than 7 days. It can take a while to make sure you have all the information, have understood it correctly, and can articulate it to a not-necessarily-technical crowd in a way as to not cause an unduly weak or unduly strong reaction. And that doesn’t even get into all the bum-covering the legal department’s going to want.

      Or how many of these “security events” no one is ever told about.

    • Megagun says:

      If you wait more than a day before announcing stuff like this, you’re a huge ass as a company.
      Here’s what you should do:

      Day 0: Someone notices something is iffy, and suspects that there has been an intrusion. People start looking through the data and logs to see if there was an intrusion. Later on in the day, it starts looking more and more clear that things have been compromised. If possible, announce that things have been compromised and people should await further details.
      Day 1: At the start of the day, announce that things have been compromised. People should await further details. Tell people how they can contact your company. Provide enough means to do so.
      Day 2 — Day N: Figure out more stuff, communicate with customers, release more information, provide people with plans to get their accounts back and provide people with the option to delete all their data off your servers.

      Remember, announcing that something is up should be done as soon as possible. This allows people to change passwords for other sites before stuff starts to get too messy.

    • Wisq says:

      Because offering people the ability to delete their data off your servers after the data’s been compromised is totally going to put those horses back in the barn.

      Not everyone has the manpower to hunt these things down as quickly as you’d like. Often one of the biggest hurdles is just getting secure access to the machine in a way that an attacker can’t exploit or hasn’t already prevented. More and more these days, servers are hosted halfway across the country from the owners, so you can’t just walk down the street and pull the box out for local analysis.

      I agree that they should at least send out a mail addressing the more pressing concerns, like “if you used the same password at our site as somewhere else, you should go change those”. But you can’t give a proper assessment of the situation when you don’t know the situation, and you can’t start giving out half-assessments without causing either undue panic or a false sense of security.

      (Of course, the passwords are encrypted, so the “change your password” thing only applies if you used a particularly _weak_ password. And used it in a bunch of other places too. So, um … Internet much?)

    • My2CENTS says:

      I’m sure they want to give time to the intruders to at least try to steal your money, before they inform you.

  3. DevilSShadoW says:

    just got my email as well…
    I really wonder what they did to attract hacker attention.

    • Ignorant Texan says:

      Exist?

    • BAReFOOt says:

      Read my comment above, about how this is fully automated, and the program making no difference between the Pentagon, and your nice quiet grandma.

    • Thecreeperskg says:

      Haven’t rifled through all the comments, so I’m not sure if someone else has proposed the following – and quite logical – reason for hacking CM:
      Cross-reference.

      The people who hacked PSN, then hacked Citibank, now they hack CM. Why? They need at least 2 positive matches of your user name and password in order to be absolutely certain that they have the correct combination of details.
      I have at least 3 different user names and 2-4 forms of password, most people today tend to have the same. Sounds sensible…

  4. Daz says:

    Just got this email, I never even knew I had a codemasters account :P Can’t for the life of me think what game of theirs required me to login… Oh well, buggers :(

    • chesh says:

      Me too, I can’t think of anything I would have given them my address for. What do they do besides racing games that I might have signed up for?

    • Zelius says:

      Same thing. Got the email, don’t remember ever signing up.

      And because their site is down, I can’t check.

    • Daz says:

      The only Codemasters games I can ever remember buying were DiRT (1) and Operation Flashpoint. Oh and Micro Machines for the Mega Drive ;)

    • Creeping Death says:

      Only non racing games I can think of that might have you registered with them are DnD Online, LotRO, and the OPFlashpoint games. Got any of those?

    • thegooseking says:

      Treasure Island Dizzy.

      Wait, that doesn’t require a login. Never mind.

  5. Jac says:

    I thought this was going to be about a racing game called hacked!

  6. Recidivist says:

    Was this LulzSec again? Damn, those assholes need to just die already.

  7. Coins says:

    Dammit, game companies. Keep your damn data safe.

  8. Coldini says:

    Took me a while to figure out what I was signed up there for: probably the Jumpgate Evo beta signup/newsletters and LOTRO when it was with Codemasters, since I tried that out a few years back, so nothing vital for me.

    • Daz says:

      Aha, must have been LOTRO for me also then!

    • Zelius says:

      Ah! Thanks for pointing out that Jumpgate is with Codemasters. I signed up for that beta as well. Shouldn’t be a big deal then, since I don’t think I needed a password for that.

    • tanith says:

      Not if you didn’t change it. When I signed up for the beta they generated a password and sent it to me but I cannot remember whether I logged in and changed it or not.
      I don’t think I did, though.

  9. Lobotomist says:

    Excuse me for using foul language here, but FUCK YOU HACKERS!

    Anonymous, or whoever they are. Do not hit anything for moral reasons. They deploy their crawl bots. Detect security weaknesses and hack it.

    After that they invent some “moral” story behind it.

    Only reason they do it, is because they can.

    They probably killed Sony. But also shook the trust in online subscription globally.

    Now they hack Codemasters. Showing that your CC info is safe nowhere.
    What’s next, Steam? Apple? You think they are safer than Sony or Codemasters?

    Well fuck you for plunging us on the way to the stone age again, lame asses.

    I just hope the FBI puts them behind locked doors and throws away the key.

    • SF Legend says:

      Your opinion is incredibly well informed and not at all biased.

    • Kdansky says:

      Anon most certainly didn’t do it, for reasons well explained here:

      http://www.escapistmagazine.com/articles/view/columns/experienced-points/8922-Experienced-Points-On-Anonymous

      Or watch last week’s Extra Credits if you prefer videos over text. And yes, I got an account there. Luckily, I am not stupid enough to use the same password twice.

    • FunkyB says:

      Calm down. Yes the hackers are breaking the law, but the companies who are not securing your data correctly are being negligent. The important thing is to lay blame at all parties, hackers and companies.

    • Lobotomist says:

      I do not care about law.

      But if you are going against corporate injustice. Please do. But stop hitting ordinary people.

      As for anonymous, there is no such thing.

      It’s just random jerks. Griefers. And new age bullies. A few years ago they were making viruses that erase your HD. Just because they can. Now they steal credit card numbers and destroy people’s fun.

      And when they succeed in something. They call themselves anonymous because it’s the trend. A new cool in l33t circles.

      But Anonymous does not exist. Not more than Anarchy party or misanthrope social club.

    • BAReFOOt says:

      Wow, n00b overload.
      I’m a “hacker”. I hack on my keyboard, to tinker with systems, to understand them and their quirks better. To make something cool. Or to find something cool.
      Crackers is what The Sun readers like you mean. But you insult us. Every time.

      You realize you would have been part of Anonymous too, right at the moment you wrote this comment, if you had posted anonymously?
      Yep, that’s how Anon is defined. Anonymous random people with the same common drive, naturally finding together because of it, raging and/or doing something about it, and dissolving again.
      It doesn’t define a group. It defines a cultural artifact.

      Cheney’s monkey troupe was an Anon when they decided to attack Afghanistan and Iraq.
      The Pakistani Talibans were Anon when they attacked the twin towers.
      Codemasters will be Anon, if they try to retaliate.
      I’m probably part of Anon right now for being angry at you. (Don’t think this user name means anything.)

    • Wilson says:

      @BAReFOOt – It must be annoying to have people use the wrong word when talking about crackers, but there’s no point being offended by it, since there’s no offense meant. Just a mistake/lack of interest in the distinction. Because of how the word is popularly used now, it might be an idea for hackers to come up with a different way of describing themselves. I don’t think you can win the battle to reclaim that word.

    • Lobotomist says:

      I know what Anonymous is. Or Anon.
      As I said. It’s a dipshit. Nothing.
      A griefer, a bully does something – and for lack of a better idea he patches himself with an anon sticker. Because it’s cool.
      I bet half of those shits have no morals, or any social knowledge to begin with.
      It’s like if any criminal or murderer will call himself an anarchist.
      People are so stupid they are not even bothered to have an idea, or a goal anymore. They just do this stuff because they enjoy hurting other people.
      At least the greedy corporations have an idea or goal when they hurt us. Money.
      What do hacker dipshits do it for? Nothing – fun, lulz as they call it.

      God forbid they go and hack something that really matters. Like an oil company, or a right wing group.

      I just hope some hacking group will stand up, and retaliate to these bastards that slime their reputation

    • BobsLawnService says:

      And there I was thinking that Anon was a small, closely knit core of malicious hackers hiding behind the chaff of wannabes and amateurs who don’t know better on /b/.

    • Lobotomist says:

      It’s basically anyone who claims to be anonymous.
      Their own words. They even said “Whoever hacked Sony was anonymous, therefore he is part of the anonymous group”
      Let’s just leave it at that.

      Basically any group of hackers can do something and claim they are anonymous.

      Same as they can next year say: Steam was hacked by humans

    • tanith says:

      Come on! It cannot be that hard to understand what the word “anonymous” means. :/

  10. tanith says:

    Do you actually get an email from CodeM when you changed your password? I think I signed up for it and I even have the mail where they sent me the generated password but I don’t know whether I changed it or not so I have no idea what password I actually used.

  11. razgon says:

    Well, three people thought to be the leaders of Anon are arrested in Spain though

    http://www.nytimes.com/2011/06/11/technology/11hack.html?_r=4

    • Kdansky says:

      There is no such thing as a leader of Anon. Sure, they can be leader of some group of hackers who might even also call themselves Anon, but that’s not the Anon we usually reference.

    • BAReFOOt says:

      @razgon: Dude, what you just said, is like saying any of:
      “Well, three people thought to be the leaders of Goth are arrested in Spain though”
      “Well, three people thought to be the leaders of bodybuilding are arrested in Spain though”
      “Well, three people thought to be the leaders of skating are arrested in Spain though”
      FAIL.

    • razgon says:

      Fail? Why on earth would you start using slang like an 11 year old now?
      Anyways, just thought it was interesting, and honestly, I don’t care if they are leaders of anon or not, I don’t even have an opinion on it, but I thought the article, which claims they were leaders, was relevant to what was being discussed here.

    • Eukatheude says:

      @Barefoot: Well, I’d love to see those people arrested

  12. Zarunil says:

    If there’s anything I’ve learned from all these hackings with user data being stolen, it’s that every time some company wants me to sign up for anything or demand my e-mail address, I’ll make a new e-mail address and password specifically for that purpose and nothing else.

    • Starky says:

      Or you could just have 1 email you use for all your junk accounts and shit you don’t care about, and then another account for all your important stuff.

      Having an email for each one is pointless.

  13. dragonhunter21 says:

    Did I just start paying attention, or did the hackers get riled up by the Sony hack and start hacking into everything that’s not physically disconnected from the internet?

    • Resonance says:

      I think it’s more because of the Sony hack, hacks like this are getting a lot more publicity than they would have done.

  14. whydidyoumakemeregister says:

    Fuck them, I hope hackers got millions of VIP codes for Dirt 3 so Codemasters doesn’t get a dime from when I resell this crappy game. I honestly can’t even force myself to play the Dirt Tour because 90% of my time is spent listening to these assholes tell me how great my skills are (and it’s UNSKIPPABLE). One time I unlocked 3 different diamonds and it took 2 minutes before I could even use my controller again (all the while it was vibrating wildly so I couldn’t just lay it down on the table).

  15. Tagert says:

    I’m waiting for a story blaming Sony for this. Since it was obviously Sony’s fault.

  16. krepno says:

    Maybe a stupid question;
    I got the email saying I should change my password but it doesn’t contain a link. Following my old accept email, containing the link to http://www.codemasters.com to change my password, I come to the *&*&**** Facebook page. And it contains Facebook stuff but nothing telling me: change password here!
    I even logged in to their forums (link from the Facebook page) for the first time and the “change my password link” redirects me to the ***** Facebook page again.
    Either I’m stupid or they are…..

    • tanith says:

      What they mean is you should change the password on other sites if you used the same password on one of the codemasters pages. Unfortunately they don’t let you log in or find out what info of yours has been compromised.

  17. bill says:

    I might have to rethink using the same username and password on every site in the light of all these hacks… but it’s such a pain in the butt when every website (or even game now) requires you to create an account.

    Can’t find an acceptable alternative though… I regularly use several different PCs, so simply storing passwords in the browser/software doesn’t work. And if I use different accounts/passwords then I spend half my time trying to enter all those different accounts/passwords into sites as I try to remember which one I used for that particular site – which can’t be any more secure. Grrr.

    PS/ You know how every site has “login with facebook/twitter” options these days? Are there any privacy implications with that? Can the site then access my data? Or will my friends be informed that I like/use that site?
    That might be a solution… except I don’t know if it would work where facebook is blocked.

  18. vash47 says:

    I don’t know the intentions behind this, but they totally deserve it; refusing to respond or even acknowledge all the problems people are having with the PC version, while releasing more DLC and a patch that doesn’t fix anything is outrageous. The game (DiRT 3) is literally unplayable for me since my wheel doesn’t work properly with the game, while it worked perfectly in DiRT 1, DiRT 2 and GRiD, because of some stupid control scheme they decided to use with this one.

  19. FriendlyFire says:

    I’d like to give a heads-up to everyone by saying that the Epic Games forums have been hacked too.
    I’ve received this in my inbox:
    “Dear FriendlyFire,
    Our Epic Games web sites and forums were recently hacked. After some downtime, they’re back up and running now.
    The hackers may have obtained the email addresses and encrypted passwords of forum users. Plaintext passwords weren’t revealed, but it’s possible that those passwords could be obtained by a brute-force attack on the encrypted passwords. Therefore, we have reset all passwords. Your new password is at the bottom of this message.
    The Unreal Developer Network (UDN) hasn’t been compromised. Thankfully, none of our web sites ask for, or store, credit card information or other financial data.
    We’re sorry for the inconvenience, and appreciate everyone’s patience as we wrestle our servers back under control.
    Tim Sweeney
    Founder, Epic Games Inc”
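The Epic Games notice above says a brute-force attack could recover passwords from their “encrypted” (hashed) form, an earlier comment suggests cross-referencing dumps, and the Codemasters advice is to change reused passwords. This added Python example (not code from the article or from any company named in it) uses two constructed dump fragments to show why the storage scheme decides how much of that is possible; the addresses, passwords and PBKDF2 work factor are assumptions.

```python
"""Added example, not from the article or any company named in it.

Two constructed password-dump fragments show why the hashing scheme a site
chooses decides what a breach exposes: with unsalted fast hashes, a reused
password shows up as an identical digest across dumps and weak passwords fall
to a short guess list; with per-user salts and a slow KDF, neither works.
Standard library only.
"""
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumption for this example


def unsalted_hash(password: str) -> str:
    """Weak scheme: a single fast SHA-256 with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Stronger scheme: per-user random salt plus slow key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def new_record(password: str) -> tuple[bytes, bytes]:
    """Create a (salt, digest) record the way a site should store it."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time login check against a salted record."""
    return hmac.compare_digest(salted_hash(password, salt), digest)


# Constructed dumps, {email: digest}. "alice" reused one password on both sites.
SITE_A_UNSALTED = {
    "alice@example.com": unsalted_hash("dirt3rally"),
    "bob@example.com": unsalted_hash("letmein"),
}
SITE_B_UNSALTED = {
    "alice@example.com": unsalted_hash("dirt3rally"),
    "bob@example.com": unsalted_hash("correct horse battery staple"),
}


def reused_accounts(dump_a: dict, dump_b: dict) -> list[str]:
    """Accounts whose digest is identical in both unsalted dumps.

    Reuse is visible without recovering the password itself, which is why the
    breach advice tells people to change a reused password everywhere.
    """
    return sorted(e for e in dump_a if e in dump_b and dump_a[e] == dump_b[e])


def exposed_by_guess_list(dump: dict, guesses: list[str]) -> dict[str, str]:
    """Accounts whose unsalted digest matches a short list of common guesses.

    This is the "brute force on the encrypted passwords" the Epic notice refers
    to; it only costs one fast hash per guess when there is no salt or KDF.
    """
    table = {unsalted_hash(g): g for g in guesses}
    return {e: table[d] for e, d in dump.items() if d in table}


def salted_records_match(password: str) -> bool:
    """Store the same password twice under the salted scheme: digests differ,
    so cross-dump matching and one shared guess table no longer work."""
    _, d1 = new_record(password)
    _, d2 = new_record(password)
    return d1 == d2
```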