Unity Forum Hack – Update
Andreas Haugsnes writes:
On April 30, our forum software was attacked and successfully compromised due to poorly implemented password routines; our investigations show no theft of passwords in this attack, nor impact to any other Unity service.
However, the attack did result in defacement of the site and subsequent messaging to all of our registered forum users.
We’re actively working to improve the authentication options in our services, and to help protect your data we’ll be rolling out the following in the next few weeks:
2FA will enable you to use one time passwords tied to the Unity Authentication platform. This will also be enforced in forums.
Device Identification will alert and/or prompt you if a new PC or Mobile device tries to connect to a Unity service, with your credentials.
Enable a per organization password reset, rotation and strength policy.
We’re sorry. We know you put your trust in us. We will learn from our mistakes.
Please direct any questions regarding this to our blog post.
While some forum members were appreciative of the forum’s quick response and notification, others were concerned that the attackers had sent out a mass email, and they wanted additional details on the extent of the breach. In response, an administrator emphasized:
A group of individuals gained access to a limited set of data on the forum website. No passwords, payment information, or other Unity properties were compromised.