PSA - uPlay account madness - Customer Service giving away account

[xendrome]

Just so you guys know, there is nothing you can do to protect your uPlay.com account. Yes the service sucks, but some games you can only get through this service. Here's my quick story of what started yesterday

 

At 3:30 ish PM, I received an e-mail from uPlay that my "e-mail, gender and dob" were all changed. Well that's interesting since I never received a "Click here to change your e-mail" link. And I know my e-mail was secure since I am using 2-factor authentication and a very strong password.

 

I contacted Ubisoft support via chat, they confirmed my details and they changed my e-mail address back and generated a reset password e-mail for me. I was able to get back into my account. I quickly noticed all of my profile stuff was changed. Also, I noticed under the support section a ticket was generated by a CS rep at Ubisoft. It basically stated this "Caller says they got locked out of their account, I was able to confirm their identity and changed e-mail and sent password to them".

 

Well, well.. this was dated/timed exactly when I lost my account earlier in the day. Quite odd since I've had the account 3+ years and never changed anything on the profile, but Ubisoft support decided to just give this kid my account.

 

About an hour after I got back into my account, guess what... again, he called in got Ubisoft to reset the account info and give it to him once more.

 

This morning I was able to chat with them again, get back into my account. I changed my username, e-mail and password to something I have never used before or associated with the account. So there was no way he could know this info if he contacted support again.... well, not 30 minutes ago.. another "Your First name/Last name/DOB/E-mail/Gender" has been changed e-mail from Ubisoft.

 

I am guessing at this point he just went into the account and got all the CD-Keys which takes 2 clicks once you are in, as he was yesterday. So I guess it's his account now. I only had 5 games in there, 2 of which I got free with video card purchases. But this is a perfect example of social engineering, even if Uplay had 2 factor authentication, nothing would stop some inept CS reps from just changing account details.

 

I'm done Ubisoft, I will never purchase another game that you have anything to do with, and no matter what any of you do to protect your account, just be aware it can be given away at any time with little or no verification.

[HawkMan]

There is a possibility there is a bug in their system that he's genuinely trying to unlock his own account, but for some reason their system/database has a bug so it constantly gets redirected to your account.

[ensiform]

Similar to the steam issue?

[Gerowen]

1 hour ago, xendrome said:

Just so you guys know, there is nothing you can do to protect your uPlay.com account. Yes the service sucks, but some games you can only get through this service. Here's my quick story of what started yesterday

 

At 3:30 ish PM, I received an e-mail from uPlay that my "e-mail, gender and dob" were all changed. Well that's interesting since I never received a "Click here to change your e-mail" link. And I know my e-mail was secure since I am using 2-factor authentication and a very strong password.

 

I contacted Ubisoft support via chat, they confirmed my details and they changed my e-mail address back and generated a reset password e-mail for me. I was able to get back into my account. I quickly noticed all of my profile stuff was changed. Also, I noticed under the support section a ticket was generated by a CS rep at Ubisoft. It basically stated this "Caller says they got locked out of their account, I was able to confirm their identity and changed e-mail and sent password to them".

 

Well, well.. this was dated/timed exactly when I lost my account earlier in the day. Quite odd since I've had the account 3+ years and never changed anything on the profile, but Ubisoft support decided to just give this kid my account.

 

About an hour after I got back into my account, guess what... again, he called in got Ubisoft to reset the account info and give it to him once more.

 

This morning I was able to chat with them again, get back into my account. I changed my username, e-mail and password to something I have never used before or associated with the account. So there was no way he could know this info if he contacted support again.... well, not 30 minutes ago.. another "Your First name/Last name/DOB/E-mail/Gender" has been changed e-mail from Ubisoft.

 

I am guessing at this point he just went into the account and got all the CD-Keys which takes 2 clicks once you are in, as he was yesterday. So I guess it's his account now. I only had 5 games in there, 2 of which I got free with video card purchases. But this is a perfect example of social engineering, even if Uplay had 2 factor authentication, nothing would stop some inept CS reps from just changing account details.

 

I'm done Ubisoft, I will never purchase another game that you have anything to do with, and no matter what any of you do to protect your account, just be aware it can be given away at any time with little or no verification.

As retarded as the Ubisoft reps sound, it could be some innocent guy who is trying to get into his account and he has a similar e-mail address or something and they keep giving away yours.  I've never messed with uPlay or anything, and I only use Steam because I have a handful of games on there, but I hate digital distribution systems because you're completely at the mercy of the company hosting your content.  I like having physical copies of everything.

[Boo Berry]

Yeah, this is why I don't advertise my birthdate or e-mail address or gaming accounts.

 

Also Uplay seriously needs two-factor authentication support.

[xendrome]

On 12/28/2015 at 4:06 PM, Gerowen said:

As retarded as the Ubisoft reps sound, it could be some innocent guy who is trying to get into his account and he has a similar e-mail address or something and they keep giving away yours.  I've never messed with uPlay or anything, and I only use Steam because I have a handful of games on there, but I hate digital distribution systems because you're completely at the mercy of the company hosting your content.  I like having physical copies of everything.

I thought the same thing, but you'd think once he got in for the 3rd time he would say "Hey these aren't my games"...

[Praetor]

Have you talked with uPlay service, presenting the evidences of a possible theft / social engineering hack? because even if it was a genuine innocent guy trying to get into his account but due to incompetence from the tech support, now he knows your personal data and keys, so it's a security breach. Since that's one the keywords this days, no company wants to be marked with that.

[xendrome]

2 minutes ago, Praetor said:

Have you talked with uPlay service, presenting the evidences of a possible theft / social engineering hack? because even if it was a genuine innocent guy trying to get into his account but due to incompetence from the tech support, now he knows your personal data and keys, so it's a security breach. Since that's one the keywords this days, no company wants to be marked with that.

Yeah at this point I have the account back, and I think they have locked it or put a note on it, they want me to funish a copy of my government issued ID or birth certificate which I have no problem doing, but they want me to upload it via their support ticket system tied to the account. I told them I am uncomfortable doing that because I will upload jpg's of my drivers license and next thing I know they will give my account back to the guy for the 4th time and he will have a picture of my drivers license if he so wants.

 

So I am awaiting their reply.. I'm sure I will wake up in the morning and the account will be back in his hands once he calls their inept support again.

[TAZMINATOR]

Just now, xendrome said:

Yeah at this point I have the account back, and I think they have locked it or put a note on it, they want me to funish a copy of my government issued ID or birth certificate which I have no problem doing, but they want me to upload it via their support ticket system tied to the account. I told them I am uncomfortable doing that because I will upload jpg's of my drivers license and next thing I know they will give my account back to the guy for the 4th time and he will have a picture of my drivers license if he so wants.

 

So I am awaiting their reply.. I'm sure I will wake up in the morning and the account will be back in his hands once he calls their inept support again.

Tell them you prefer to send Driver's License or a copy of photo ID via FAX instead of uploading it to them.  If not, fook them and leave their service... they are crap.

 

If they don't have FAX, then they should give you the mailing address where you could send copies to for verification.

[Praetor]

sounds like a good story for Kotaku.

[GrayW]

Sounds similar to something that happened to me previously on Origin.  I'm convinced to this day that they were providing people with accounts that looked inactive. I hadn't logged in for a few months, then out of the blue I received an email saying that I had changed my password - I didn't get any reset request emails.

They hadn't got around to changing the email address so I noticed instantly and changed the password and the email to something else. They were definitely in the process of personalising the account. Name had changed, my friends had been blocked and deleted and their own friends added.

 

I guess these companies want people to use these accounts, even if this means passing them on to other users. This is of course my opinion but I do wonder how many people experience this. 

[+virtorio MVC]

2 minutes ago, Grayski said:

...

I have had that happen to my Origin account as well. Soon as I got the e-mail I logged in and all my details had been changed to someone in Russia. 

[Top Qat]

21 hours ago, xendrome said:

Yeah at this point I have the account back, and I think they have locked it or put a note on it, they want me to funish a copy of my government issued ID or birth certificate which I have no problem doing, but they want me to upload it via their support ticket system tied to the account. I told them I am uncomfortable doing that because I will upload jpg's of my drivers license and next thing I know they will give my account back to the guy for the 4th time and he will have a picture of my drivers license if he so wants.

 

They are not allowed to keep that kind of personal data. After it is verified it has to be deleted.

This is how the UK Data Protection Act works, not sure about other regions.

[spaceelf]

Nobody actually knows my digital distribution email account anymore.  Except for the Xbox Live one, which is a bit weird to change iirc.

[spaceelf]

Out of curiousity, could this be related to the data breach they had in 2013?  I don't know if everyone changed their passwords after that or not.

[xendrome]

Shaun N. your posts were removed because they were not helpful or on-topic. The same would be done for any other topic.

 

So after a week or so of this Ubisoft finally restore my account to how it was originally, with no further identification verification and made a note on the account so other support people do not reset it again for random people. Also they are changing my CD-keys for all of my games shortly.

 

Obviously they were able to authenticate by IP or something that I was who I was saying I was, since my IP hadn't changed in 6+ months and all of a sudden they see a new IP accessing the account in a different region of the planet.

[compl3x]

Definitely agree that these services should have 2FA. You'd think they'd do it just to save their reps having to screw around and waste time like this.