Update on the Unity Forum Hack.
On April 30, our public forum website was attacked and successfully compromised due to poorly implemented password routines; our investigations show no theft of passwords in this attack, nor impact to any other Unity service.
However, the attack did result in defacement of the site (which has since been fixed) and subsequent messaging to all of our registered forum users.
We’re actively working to improve the authentication options in our services, and to help protect your data we’ll be rolling out the following in the next few weeks:
2FA will enable you to use one-time passwords tied to the Unity Authentication platform. This will also be enforced in the forums.
Device Identification will alert and/or prompt you if a new PC or mobile device tries to connect to a Unity service with your credentials.
Per-organization password reset, rotation and strength policies.
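The post says only that 2FA will use one-time passwords; it does not say how the Unity Authentication platform generates or checks them. As an added example (not Unity's code, and not a description of their platform), the block below shows the standard time-based one-time password scheme most authenticator apps use (HOTP, RFC 4226, driven by a 30-second time counter as in RFC 6238), together with the two server-side details a practitioner would want: constant-time comparison with a small clock-drift window, and refusal to accept a code for a counter that has already been used. The secret, user name and in-memory counter store are assumptions for the example; a real deployment would persist the last accepted counter.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals elapsed since the Unix epoch at time `at`."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side verification. Accepts a code for the current counter or one within
    +/- `window` steps (clock drift), compares in constant time, and rejects any counter
    at or below the last one accepted for that user so a captured code cannot be replayed."""

    def __init__(self, window: int = 1, step: int = 30, digits: int = 6):
        self.window = window
        self.step = step
        self.digits = digits
        # user -> last accepted counter. Assumption for the example: kept in memory;
        # a real service must persist this (and lock it) so replay checks survive restarts.
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        current = now // self.step
        matched: Optional[int] = None
        # Check every candidate counter rather than returning early, so timing does
        # not reveal which offset (if any) matched.
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            expected = hotp(secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                matched = candidate
        if matched is None:
            return False
        if matched <= self._last_counter.get(user, -1):
            return False  # replay: this counter (or a later one) was already consumed
        self._last_counter[user] = matched
        return True


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); not a real key.
    secret = b"12345678901234567890"
    v = TotpVerifier()
    code = totp(secret, 59)
    print("code at t=59:", code)                   # RFC test vector: 287082
    print("first use:", v.verify("alice", secret, code, at=59))
    print("replay   :", v.verify("alice", secret, code, at=59))
```

The replay check matters because a 30-second step is long enough for a phished code to be reused; rejecting counters at or below the last accepted one closes that window without needing to store every code seen.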
We’re sorry. We know you put your trust in us. We will learn from our mistakes.
Director of Security
Update: May 2
Thanks to all of you for waiting patiently. In Security, we’ve been looking at every question that you’ve submitted and are making our best effort to answer them. Below is a list of the most frequently asked questions, and we hope this addresses a few of your concerns.
Q: What steps are you taking to help prevent this attack from happening again?
A: As posted in the original blog entry, we’re rolling out three key features for authentication and password management. With these features, each registered user and organization will over time have more control over their security features at Unity. These controls will give us new insights into unauthorized access attempts, helping us better detect and combat such attempts.
Q: Are the forums safe to use now?
A: There’s no such thing as perfect or complete security, especially for high risk targets like public forums. In this case, we’ve identified the entry point for the unauthorized access and have since closed it. The forums have been restored from backups to the state prior to the incident to remove any data the unauthorized access may have caused to be left behind.
Q: Was my e-mail address exposed?
A: There was unauthorized access to servers and an unauthorized email blast. This means that email addresses were exposed. However, this does not necessarily mean that any or all of those email addresses were separately collected and stored. This is part of the ongoing investigation.
Q: How did Unity store the passwords on the forum?
A: No passwords were stored in the forum database.
Q: Is my password at risk?
A: Our investigations have determined that no passwords were stolen in this incident. No one can ever guarantee the safety of your passwords, so reasonable measures should always be taken to protect them. For instance, subscribing to a credential-compromise notification service, and protecting your accounts with unique passwords kept in a password manager, can reduce your exposure considerably. Using a unique password for each site, and changing passwords regularly, also improves your security.
Q: Is Unity taking any additional actions to help protect my passwords?
A: Yes. The first phases of "Device Identification", as mentioned in the original blog post, have started to roll out. If we detect that your registered account has been brute forced, or that it is flagged in a compromised-account list ("known hashes"), you will be prompted to reset your password on next login.
Q: What should I do to protect myself?
A: While we can’t give advice in individual cases, here are some general recommendations and best practices: