Battlefield Heroes hacked in LulzSec swansong

EA's free-to-play Battlefield Heroes was taken offline over the weekend after hacker group LulzSec released user data from the beta as part of one final datablast before disbanding. While the passwords from the 548,774 Battlefield Heroes beta accounts were encrypted, they aren't entirely secure.

"Our investigation is ongoing, however it appears screen names and encrypted passwords associated with an early beta version of Heroes have been compromised," reads a short statement on the Battlefield Heroes site. "To the best of our knowledge, it appears that no personal data was compromised – no emails, account history, credit card numbers or payment methods."

However, all's not quite as rosy as EA makes out. While the passwords were encrypted with MD5, they are 'unsalted' and so not necessarily safe. Many of the MD5 hashes have already been 'solved,' so ne'er-do-wells might still be able to easily find your password.

You can use Dazzlepod's handy tool to check if your account was one of those compromised in the LulzSec hack. If you're on the list, you'd best get changing your password on any sites which shared the same password.

The Battlefield Heroes beta data is part of LulzSec's final release, which also included technical data from AT&T, e-mails of a number of private investigators, user accounts for a NATO bookshop, and user details for several gaming forums. With this, the group is calling it quits.

"Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind - we hope - inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love," says the group's farewell statement. "If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere."

Over the past fifty days, LulzSec has targetted numerous parties, including Bethesda, Minecraft, EVE Online, and League of Legends, as well as the CIA, PBS, Sony Pictures, and the US Senate. Some were hacked into and had data copied, while others were simply knocked offline. The group professes support for the AntiSec movement, which calls for security exploits to be kept secret rather than publicised, arguing that sharing them does more harm than good.

Last week, a suspected LulzSec member was arrested in England. The group has denied that the man was their "leader" or even a member at all. Other hackers have claimed to discovered the identities of LulzSec users; this too is denied.

Shacknews has contacted EA for comment and will update as we learn more.