{"id":9520,"date":"2025-12-28T10:03:45","date_gmt":"2025-12-28T10:03:45","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/28\/ubisoft-rainbow-six-siege-servers-breach-linked-to-mongobleed-vulnerability\/"},"modified":"2025-12-28T10:03:45","modified_gmt":"2025-12-28T10:03:45","slug":"ubisoft-rainbow-six-siege-servers-breach-linked-to-mongobleed-vulnerability","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/28\/ubisoft-rainbow-six-siege-servers-breach-linked-to-mongobleed-vulnerability\/","title":{"rendered":"Ubisoft Rainbow Six Siege Servers Breach linked to MongoBleed Vulnerability"},"content":{"rendered":"<p>    Ubisoft Rainbow Six Siege Servers Breach linked to MongoBleed Vulnerability<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>The chaos surrounding Ubisoft escalated significantly today as the first group of hackers, previously known for silent exploits, initiated a highly visible and disruptive takeover of <em>Rainbow Six Siege<\/em> servers.<\/p>\n<p>Players worldwide are reporting a massive influx of in-game currency, unwarranted bans, and taunting messages broadcast directly through the game\u2019s administrative feeds.<\/p>\n<p>Starting early this morning, thousands of <em>Rainbow Six Siege<\/em> players logged in to find their accounts inexplicably credited with millions in R6 Credits, Renown, and Alpha Packs. Reports indicate that exclusive skins and items, typically locked behind paywalls or legacy events, were unlocked for random users.<\/p>\n<p>The situation quickly escalated when the attackers weaponized the in-game ban feed, usually reserved for anti-cheat notifications. 
Numerous high-profile accounts, including official Ubisoft administrators and popular streamers, were hit with temporary or permanent bans.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/203c.png?ssl=1\" alt=\"\u203c\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\"> Ubisoft\u2019s Rainbow Six Siege servers have been hacked. Players report millions of credits added to their accounts and troll messages in the public ban chat. <a href=\"https:\/\/t.co\/ctlsfjtfK8\">pic.twitter.com\/ctlsfjtfK8<\/a><\/p>\n<p>\u2014 International Cyber Digest (@IntCyberDigest) <a href=\"https:\/\/twitter.com\/IntCyberDigest\/status\/2004968894725865655?ref_src=twsrc%5Etfw\">December 27, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>Screenshots circulating on social media confirm the attackers are using the ban system to communicate. 
One striking image captures a sequence of bots with specific usernames being banned in order, spelling out a cryptic warning: \u201cWhat else are they hiding from us?\u201d<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">BREAKING: Ubisoft Rainbow Six Siege servers have been breached.<\/p>\n<p>Players are reporting massive amounts of R6 Credits, Renown, Alpha Packs, and exclusive items unexpectedly.<\/p>\n<p>Numerous accounts even Ubisoft, including streamers&#8217; and possibly official ones, have received random or\u2026 <a href=\"https:\/\/t.co\/9hGNbBCMAm\">pic.twitter.com\/9hGNbBCMAm<\/a><\/p>\n<p>\u2014 Pirat_Nation <img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f534.png?ssl=1\" alt=\"\ud83d\udd34\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\"> (@Pirat_Nation) <a href=\"https:\/\/twitter.com\/Pirat_Nation\/status\/2004901721336590703?ref_src=twsrc%5Etfw\">December 27, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>Another broadcast signaled a temporary pause to the hostilities, with a user named <em>\u201cWe stopping this for now, have a nice night everyone at Ubisoft!\u201d<\/em> being banned for \u201cToxic Behavior\u201d. This brazen mockery suggests the attackers have high-level administrative control over the game\u2019s live service backend.\u200b<\/p>\n<p>Ubisoft has issued an official statement on today\u2019s breach, but servers have intermittently gone offline for unannounced maintenance and restarts. 
Security experts and community leaders are advising players to avoid logging into Ubisoft Connect or Rainbow Six Siege until the publisher confirms server integrity, citing potential data corruption or further account tampering.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">We&#8217;re aware of an incident currently affecting Rainbow Six Siege. Our teams are working on a resolution.<\/p>\n<p>We will share further updates once available.<\/p>\n<p>\u2014 Rainbow Six Siege X (@Rainbow6Game) <a href=\"https:\/\/twitter.com\/Rainbow6Game\/status\/2004917731829948808?ref_src=twsrc%5Etfw\">December 27, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>According to vx-underground, the live-service disruption appears to be the work of the First Group, unrelated to the source code theft reported earlier this week. The incident highlights a fractured landscape of threat actors currently targeting the publisher:<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Group<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Key Actions\/Claims<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Confidence\/Status<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Relations<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">First<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Exploited R6 Siege for bans, inventory mods; gifted $339.96T in-game currency. 
No user data touched.<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High (Ubisoft-confirmed rollback).<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Frustrated with Second\/Fourth drama.<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">Second<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">\n<a href=\"https:\/\/cybersecuritynews.com\/mongobleed\/\" target=\"_blank\" rel=\"noreferrer noopener\">MongoBleed<\/a> pivot from MongoDB to Git repo; exfiltrated 90s\u2013present source code, SDKs, multiplayer code (~900GB).<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Medium-high (multi-source verified).<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Accused by Fourth of prior access, masquerading.<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">Third<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">MongoBleed user data exfil; Telegram extortion with group name.<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Low (unverified claims).<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Unrelated?<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">Fourth<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Denies Second\u2019s novelty; claims long-term Second access, hiding behind First for leak pretext.<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Medium (forum activity).<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Aligned with First vs. Second.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>While today\u2019s siege is likely due to an API authorization failure, the broader breach involving the Second Group is linked to <a href=\"https:\/\/cybersecuritynews.com\/critical-mongodb-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-14847<\/a> (MongoBleed). 
<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Clarification post, previous post about Ubisoft lead to some confusion. That&#8217;s my fault. I&#8217;ll be more verbose. I was trying to compress the information into 1 singular post without it exceeding the word limit.<\/p>\n<p>Here&#8217;s the word on the internet streets:<br \/>\u2013 THE FIRST GROUP of\u2026 <a href=\"https:\/\/t.co\/crsOxCnMWU\">pic.twitter.com\/crsOxCnMWU<\/a><\/p>\n<p>\u2014 vx-underground (@vxunderground) <a href=\"https:\/\/twitter.com\/vxunderground\/status\/2005008887234048091?ref_src=twsrc%5Etfw\">December 27, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>This flaw enables attackers to read server memory without authentication by sending malformed compressed packets. 
If the Second Group\u2019s claims of pivoting to internal <a href=\"https:\/\/cybersecuritynews.com\/github-vulnerability-hijack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Git repositories<\/a> are true, Ubisoft faces a catastrophic loss of intellectual property that could fuel cheat development for years to come.<\/p>\n<p>Ubisoft is expected to perform a massive rollback of player data to undo the economic damage, a move that will likely frustrate legitimate progress made by players over the weekend.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/ubisoft-rainbow-six-siege-servers-breached\/\">Ubisoft Rainbow Six Siege Servers Breach linked to MongoBleed Vulnerability<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/ubisoft-rainbow-six-siege-servers-breached\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ubisoft Rainbow Six Siege Servers Breach linked to MongoBleed Vulnerability The chaos surrounding Ubisoft escalated significantly today as the first group of hackers, previously known for silent exploits, initiated a highly visible and disruptive takeover of Rainbow Six Siege servers. 
Players worldwide are reporting a massive influx of in-game currency, unwarranted bans, and taunting messages [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1636,129,63],"tags":[130],"class_list":["post-9520","post","type-post","status-publish","format-standard","hentry","category-cyber-attack-news","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9520"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9520"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9520\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}