
Ubisoft’s Rainbow Six Siege (R6) suffered a breach that allowed hackers to abuse internal systems to ban and unban players, manipulate in-game moderation feeds, and grant massive amounts of in-game currency and cosmetic items to accounts worldwide.
According to multiple player reports and in-game screenshots shared online, the attackers were able to:
R6 Credits are a premium in-game currency sold for real money on Ubisoft’s store. According to Ubisoft’s pricing, 15,000 R6 Credits cost $99.99, placing the value of 2 billion credits at roughly $13.33 million worth of in-game currency distributed for free.
At 9:10 AM on Saturday, the official Rainbow Six Siege account on X confirmed the incident, stating that Ubisoft was aware of an issue affecting the game and that teams were working to resolve it.
Shortly afterward, Ubisoft intentionally shut down Rainbow Six Siege and its in-game Marketplace, stating they were still working on the issue.
“Siege and the Marketplace have been intentionally shut down while the team focuses on resolving the issue,” reads a post on X.
In a final update, Ubisoft clarified that players would not be punished for spending the granted credits, but that it would be rolling back all transactions made since 11:00 AM UTC.
The company also said that Ubisoft did not generate the messages seen in the ban ticker and that the ticker had been disabled previously.

Ubisoft said it was continuing to work towards fully restoring the game, but the servers remain down at this time.
At this time, Ubisoft has not released a formal statement regarding the incident and has not replied to emails from BleepingComputer asking for details on how the breach occurred.
If you have any information regarding this incident or any other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at tips@bleepingcomputer.com.
Unverified claims suggest that a much larger breach occurred within Ubisoft’s infrastructure.
According to security research group VX-Underground, threat actors claimed to have breached Ubisoft’s servers using a recently disclosed MongoDB vulnerability dubbed “MongoBleed.”
Tracked as CVE-2025-14847, the flaw allows unauthenticated remote attackers to leak the memory of exposed MongoDB instances, exposing credentials and authentication keys. A public PoC exploit has already been released that searches for secrets in exposed MongoDB servers.
VX-Underground reports that multiple unrelated threat groups may have targeted Ubisoft:
BleepingComputer has not been able to independently verify any of these claims, including whether MongoBleed was exploited, whether internal source code was accessed, or whether customer data was stolen.
At this time, we only know that Ubisoft has confirmed the in-game abuse in Rainbow Six Siege, and there is no public evidence of a larger breach.
BleepingComputer will update this story if Ubisoft provides more details or if we learn more about these other claims.
