Hacker News new | ask | show | jobs
by Scaevolus 168 days ago
https://x.com/vxunderground/status/2005008887234048091

Here's the word on the internet streets:

- THE FIRST GROUP of individuals exploited a Rainbow 6 Siege service allowing them ban players, modify inventory, etc. These individuals did not touch user data (unsure if they even could). They gifted roughly $339,960,000,000,000 worth of in-game currency to players. Ubisoft will perform a roll back to undo the damages. They're probably annoyed. I cannot go into full details at this time how it was achieved.

- A SECOND GROUP of individuals, unrelated to the FIRST GROUP of individuals, exploited a MongoDB instance from Ubisoft, using MongoBleed, which allowed them (in some capacity) to pivot to an internal Git repository. They exfiltrated a large portion of Ubisoft's internal source code. They assert it is data from the 90's - present, including software development kits, multiplayer services, etc. I have medium to high confidence this true. I've confirmed this with multiple parties.

- A THIRD GROUP of individuals claim to have compromised Ubisoft and exfiltrated user data by exploiting MongoDB via MongoBleed. This group is trying to extort Ubisoft. They have a name for their extortion group and are active on Telegram. However, I have been unable to determine the validity of their claims.

- A FOURTH GROUP of individuals assert the SECOND group of individuals are LYING and state the SECOND GROUP has had access to the Ubisoft internal source code for awhile. However, they state the SECOND GROUP is trying to hide behind the FIRST GROUP to masquerade as them and give them a reason to leak the source code in totality. The FIRST GROUP and FOURTH GROUP is frustrated by this

Will the SECOND GROUP leak the source code? Is the SECOND GROUP telling the truth? Did the SECOND GROUP lie and have access to Ubisoft code this whole time? Was it MongoBleed? Will the FIRST GROUP get pinned for this? Who is this mysterious THIRD GROUP? Is this group related to any of the other groups?
9 comments
dijit 167 days ago
I used to work for Ubisoft, though not on Siege- I have met and had detailed conversations with their lead architect though; truthfully I remember little of those conversations.

Regarding the second group and access to source code; this is unlikely for a combination of four reasons.

1) The internal Ubisoft network is split between “player stuff” (ONBE) and developer stuff.

2) The ONBE network is deny by default, no movement is possible unless its explicitly requested ahead of time, by developers, in a formal request that must be limited in scope.

3) ONBE to “developer network” connections are almost never granted. We had one exception to this on the Division, and it was only because we could prove that getting code execution on the host that made connections would require a long chain of exploits. Of course that machine did not have complete access to all of the git repos.

4) Not a lot of stuff really uses git internally. Operations staff and web developers prefer git strongly; so they use Git. But nearly every project uses Perforce. Good look getting a flow granted from ONBE to a perforce server. That will never happen.

Siege, like The Division, worked against Ubisoft internal IT policies to make the product even possible. (IT was punishingly rigid) but some contracts were unviolatable.

The last I heard, Siege had headed to AWS and had free dominion in their tenant, but it would need Ubiservices (also in AWS) and those would route through ONBE.

I’m not sure if much changed, since a member of the board is former Microsoft and has mandated a switch to Azure from the top… But I am certain that these policies would likely be the last to go.

link
jacquesm 167 days ago
I wonder how many times former Microsoft people demanding switches to MS infrastructure are still actually working for Microsoft.
link
dijit 167 days ago
I mean, I worked for Nokia in 2011..

.. you don't have to tell me.

link
jacquesm 167 days ago
Yes, that was a particularly dirty episode. I wrote about it when it happened.

https://jacquesmattheij.com/microsoft-just-bought-nokia-for-...

I think I got one prediction wrong but the rest stuck.

link
azalemeth 168 days ago
Nothing highlights how pointless e-sports items are more than a real dollar value for a player base of all of them. The entire global GDP is as an order of magnitude roughly $100 trillion. So this $340 trillion figure is 3.4 times planetary total economic output - meaning the theoretical value of Rainbow Six cosmetics exceeds what the entire human civilisation produces in a year. Multiple times over. You'd be valuing pixelated gun attachments higher than annual agricultural output across all nations, all manufacturing, all services, everything.

I bet it appears unchallenged at some point in a court (or insurance) document though.

link
RHSeeger 168 days ago
While I understand what you're saying, it's pretty clear what is meant is "$X worth at the price they currently sell for". When there's a story about an object in space made of gold worth 100s of trillians of dollars, nobody believes it would really sell for that much if we captured it and mined all the gold; because the value of gold would plummet based purely on it's existence.

But I agree with you that it would be put into a court document as "it cost us this much" for the full amount, vs the amount they were likely to ever be able to sell (and can't, now that everyone got it for free, so the value is $0)

link
chii 168 days ago
and yet, most people use this same measure for market capitalization of companies.
link
smallnamespace 168 days ago
The market cap is unambiguous, a more correct estimate of "how much to buy all the shares?" is situational and would just distract from getting the point across.
link
Aurornis 167 days ago
Not really. If a company were to manufacture a substantially large number of shares out of nothing (no additional investment money or other value entering the company) then the market cap would not go up. It would stay the same and per-share value would go down.

The market is mostly reasonable about who can and will sell their shares. If a big mover does sell a lot of their shares at once, the price will fall. Most big holders will slowly sell off shares for this reason.

In the other direction, it’s also understood that the cost to acquire all shares of a company is more than the market cap of a company. This is why you see acquisition prices being significantly higher than the last funding round valuation, or public shares popping on announcement of an acquisition attempt.

link
andersa 168 days ago
You could achieve a similar sum by adding balances out of thin air to random bank accounts, which is comparable to what happened here.
link
nkrisc 167 days ago
The valuation is based on them hypothetically selling the same quantities that the hackers gave away at their retail prices, which of course no one believes they would ever actually sell that much.
link
pjc50 168 days ago
This has the air of a parody spy caper where the various people who have broken in keep tripping over each other.

The source leak is really interesting, though. We don't often get to see game source, and it often has surprises in.

link
RHSeeger 168 days ago
> Will the SECOND GROUP leak the source code? Is the SECOND GROUP telling the truth? Did the SECOND GROUP lie and have access to Ubisoft code this whole time? Was it MongoBleed? Will the FIRST GROUP get pinned for this? Who is this mysterious THIRD GROUP? Is this group related to any of the other groups?

This read to me like the end of a soap opera. Tune in tomorrow to find out!

link
Group_B 168 days ago
Can’t help but laugh a bit. Not a great day for Ubisoft. Hopefully this didn’t ruin the holidays for too many employees. That would absolutely suck to get a call in for this.
link
adzm 168 days ago
> Will the SECOND GROUP leak the source code? Is the SECOND GROUP telling the truth? Did the SECOND GROUP lie and have access to Ubisoft code this whole time? Was it MongoBleed? Will the FIRST GROUP get pinned for this? Who is this mysterious THIRD GROUP? Is this group related to any of the other groups?

Find out in the next episode of... Tales from Cyberspace!

link
bombcar 168 days ago
At least it's webscale.
link
fainpul 167 days ago
> Players across PC and console are being urged by the community to stay offline, as reports continue to surface of accounts receiving billions of in game credits, rare and developer only skins, and experiencing random bans.

Regardless if this is true or not, and how it works exactly, I find it an interesting scenario.

For players: should I go online to maybe get gifted tons of ingame valuables while risking a ban? It turns playing into a gamble.

If I take on the hackers' view, I would find it exciting to dish out rewards and punishment at random on a large scale.

link
The_President 167 days ago
The attackers better hope they fully hid their tracks - this is a bold hack, and such an level of overt cybercriminality with financial damages will result in a decade in prison if caught.
link
sznio 167 days ago
Four attackers present in a system at the same time?

How?

link
sureglymop 167 days ago
Misconfigured database that was publicly accessible, vulnerability/exploit dropped around the same time.
link