xSOSxHawkens Aug 26, 2020 @ 2:26pm
PSA - Ubisoft accounts can be compromised despite 2FA being active.
So... Got an email from Ubisoft that my account was accessed from India two days ago, I am in the states. The login occurred without an email lvl 2FA challenge token being generated... And yes, email lvl 2FA was turned on.


I immediately logged in and was challenged by 2FA (that I had set up). It correctly sent the 2FA to my email. I logged in and changed passwords, and added an additional 2FA layer via cell phone.

I have checked the email account, it uses a different password and has *NOT* been compromised...


At this point I reached out to Ubisoft technical support, as I wanted to know *how* a successful login attempt had happened despite already having 2FA enabled at email lvl.

First, they ignored the content of my msg, and they *DISABLED* all 2FA on my account, replying with a copy/pasta script.

Eventually they told me,

Originally posted by Ubisoft:
...the original suspicious access you contacted us about happened on one of a few Ubisoft sites that do not leverage 2-step verification and do not allow for changes to the account or provide account information.

So there ya go guys and gals...

Ubisoft still has publicly accessible systems that *lack* 2FA but *will* allow a user to log in with your credentials...

I guess (since we don't know what these sites/areas are) that we all just have to trust Ubi when they say that the areas the hackers can access without 2FA are truly not places where they can see or do anything...

Figured you all should know.
Last edited by xSOSxHawkens; Aug 26, 2020 @ 2:31pm
Showing 1 - 9 of 9 comments
Bastet Aug 29, 2020 @ 11:11am
Thanks for the heads up.
Patrick Aug 28 @ 11:27am
5 years later and this is still a vulnerability. Had 2 logins on my Ubi account - one from Seychelles and the other from Santa Monica while I am in India. Best to remove all payment info from your account.
xSOSxHawkens Aug 30 @ 9:48pm
Sad... But not surprised. I have found similar issues with Discord. Both companies simply blow off any attempts to let them know it's an issue. :/
Rod Aug 31 @ 1:22am
I had my account hacked by a group from the Middle East. I contacted Ubisoft, who denied any hack took place. They had no password brute force lockout; this was just prior to the 2FA rollout, but Ubi let them try wrong passwords over and over until they brute forced my account.


I had a forum print screen of my account details (I found their forum via Google search) and asked Ubisoft to roll back my account, as they used one-time items in my games. Well, Ubisoft maintained no one had accessed my account. That's the level Ubisoft have been at for a loooong time bro.


A total trash company in every way a company can be trash.
For real, they are a trash company. I have saved my mail from when I created my Ubisoft account. They tell me to connect to my Steam link with my new acc when I mentioned the one I lost the password to and the linking got removed. I provided literally every information, the games I owned, username, and yet they never returned it. I made for the ticket, I used it, and then they went with log in and with PS4; once I did, they go we tried a lot, "we didn't find you were the owner about it". Now my new account I literally made last month, I have only free games, I get like 4 hacking attempts, Vietnam and Mexico. It keeps showing Steam is the most secure out there from the lot. Still unsafe, but at least they return your account.
Last edited by Zack Fair Square; Nov 12 @ 6:37am
xSOSxHawkens Nov 12 @ 6:40am
It's a bummer this is still an issue for such a big company : /
xSOSxHawkens Nov 12 @ 6:43am
Also to any mods, back off!

It might be an old thread, but the content is still relevant and applicable and the post was on topic.

People followed the Number 2 rule in Steam forums:

Use search as someone may have already created the topic.

Quit having a moderation double standard where you tell people to use search and then lock topics on valid replies for being "too old and to prevent confusion".

The only confusing thing is the moderation double standard of "do as we say, get locked when you do".
Last edited by xSOSxHawkens; Nov 12 @ 6:43am
wing0zero Nov 12 @ 7:01am
Originally posted by xSOSxHawkens:
Also to any mods, back off!
Yeah, but what about all the confused people, just wondering what on earth is going on here, mankind can't wrap their heads around an old post popping back up, won't somebody think of the children!
smokerob79 Nov 12 @ 7:56am
I never link accounts..... UBI-sucks is dead to me so it will never matter if I lose a useless account......