Rainbow Six Siege hacked as players get billions of credits and random bans

Nature of the Siege Hack

  • Ban feed messages were hijacked and filled with song lyrics and memes (e.g., Shaggy, Michael Jackson), so some onlookers initially thought bans were fake; others point out actual bans and unbans did occur.
  • Attackers granted everyone massive amounts of in-game currency and all skins, including developer-only ones, completely breaking progression, scarcity, and the in-game economy.
  • Commenters note this is a “nightmare scenario” for live-service games: rollbacks can fix currency, but random bans and compromised ban integrity destroy player trust.

Multiple Attacker Groups & MongoBleed

  • A summarized X/Twitter thread claims four different groups:
    • One abusing a Siege service (bans, inventories, mass gifting).
    • One exploiting an exposed MongoDB via the MongoBleed bug to pivot into internal Git and exfiltrate decades of Ubisoft source code and SDKs.
    • A third claiming to have user data and extorting Ubisoft (validity unclear).
    • A fourth saying the second group already had code access and is using MongoBleed as cover.
  • Several commenters tie this to the recently disclosed MongoBleed issue and exposed Ubisoft hosts on Shodan; others say Postgres dumps were also circulating.
  • A former Ubisoft engineer is skeptical that a breach of “player” infrastructure would easily lead to source code, citing strict network segmentation and Perforce use; this contrasts with the MongoBleed claims, and the exact path remains unclear.

Security, Liability, and Response

  • Some sympathy is expressed for on-call devs having holidays ruined; much less for Ubisoft management, given its reputation for aggressive monetization and anti-consumer practices.
  • Others argue this is precisely why game backend security must be treated as critical infrastructure, and that ignoring vendor guidance on MongoBleed (e.g., exposed DBs, delayed patching) would be inexcusable.
  • There’s speculation that attackers face serious prison time if identified, given the scale and clear financial impact.

Economy, Valuation, and Monetization

  • The quoted “$339 trillion” value of gifted cosmetics is mocked as a meaningless multiplication of unit price by impossible volume, and is compared to global GDP.
  • Some expect that such inflated figures may still appear in legal or insurance claims.
  • A few players note that similar hacks in GTA V once made the game more fun by eliminating grind and pay-to-win, highlighting the tension between monetization and enjoyable design.

Broader Gaming & Esports / Anti-Cheat Tangents

  • Several lament Ubisoft’s shift toward esports balance and microtransactions, claiming Siege and other franchises have become “soulless” or worsened over time; XDefiant’s shutdown is cited as emblematic of chasing item-shop revenue.
  • There’s a broader side-discussion about FPS fatigue vs. a “golden age” of indie games, and whether AAA budgets actually yield better games or just safer, over-marketed ones.
  • Another long subthread debates kernel-level anti-cheat:
    • One side sees it as essentially “anti-Linux” and a security liability that can be weaponized.
    • The other argues kernel anti-cheat is currently the only effective way to resist sophisticated cheats on Windows, while Linux’s openness makes low-level cheating easier; they note that this incident is server-side and unrelated to client anti-cheat.