Hackers have caused absolute chaos in Ubisoft’s Rainbow Six Siege after breaching the company’s systems.
Instead of leaking stolen data from the game online, they’ve turned the company’s internal systems against it to ban and unban players, manipulate in-game message feeds and most surprisingly, give all players 2 billion in Rainbow Six Siege credits. While a 2 billion credit windfall for a single player is valued at roughly 13.3 million, reports suggest the total value of currency distributed across the entire player base has reached a staggering 339 trillion.
To make matters worse, security researchers are reporting that this breach is directly related to a recently disclosed MongoDB vulnerability. Dubbed MongoBleed, the flaw allows unauthenticated attackers to remotely leak the memory of exposed MongoDB instances. Attackers even used their access to the game’s management services to hijack a ban ticker that Ubisoft says had actually been disabled, using it to mock the company’s leadership directly.
Here’s everything you need to know about the recent Rainbow Six Siege hack along with the MongoBleed flaw and why this tactical, team-based first person shooter likely won’t be the last victim.
The Siege under siege
First launched back in 2015, Rainbow Six Siege is a tactical, first-person shooter and live-service game that pits two teams against each other. It had over 80,000 active monthly players at the beginning of the year thanks to the launch of a new expansion but this number has fallen to around 40,000 in the latter half of this year.
On December 27th, reports that the game was breached by hackers first began circulating online. While normally this would result in player data being stolen and then sold online, something completely different happened as a result of this breach.
The hackers behind the Rainbow Six Siege breach took the following actions after gaining access to Ubisoft’s systems:
- Banned and unbanned thousands of people randomly, including high-profile streamer accounts.
- Took over the ban feed to broadcast custom messages mocking Ubisoft leadership, even though the ban ticker feature had actually been disabled in a past update.
- Gave everyone 2 billion in premium R6 credits and Renown. While the value of these credits for a single player is estimated at over 13 million, some reports suggest the total value of currency distributed reached a staggering 339 trillion.
- Gave everyone every skin in the game, including ultra-rare Glaciers and even developer-only cosmetics.
According to BleepingComputer, Ubisoft confirmed that the incident took place early in the morning on December 27th and said its teams were working to resolve an issue currently affecting the game. From there, the company then shut down the game and its in-game marketplace to prevent further damage to the player-driven economy.
If you’re a Ubisoft player that spent some of those 2 billion credits that magically appeared in your Rainbow Six Siege account, there’s good news and bad news. While you won’t be punished for spending them, Ubisoft is currently rolling back all transactions that occurred after 11:00 AM UTC on December 27th.
So how did the hackers behind this breach manage to pull it off? Well, at least according to some reports, the new MongoBleed flaw is to blame.
Leaking memory without passwords
Although they haven’t been verified by Ubisoft yet, the security research group VX-Underground is claiming with medium to high confidence that hackers used a recently disclosed MongoDB flaw to breach the company’s systems.
The vulnerability (tracked as CVE-2025-14847 and dubbed MongoBleed) allows unauthenticated attackers to remotely leak the memory of exposed MongoDB instances. By sending malformed, compressed network packets to the server’s zlib decompression logic, attackers can trick the database into “bleeding” fragments of its internal heap memory. This can expose sensitive data like plain-text database passwords, session tokens, and administrative authentication keys.
As reported by The Hacker News, MongoBleed has a high-severity CVSS score of 8.7 and impacts a broad range of database versions:
- MongoDB 8.2.0 through 8.2.2
- MongoDB 8.0.0 through 8.0.16
- MongoDB 7.0.0 through 7.0.27
- MongoDB 6.0.0 through 6.0.26
- MongoDB 5.0.0 through 5.0.31
- MongoDB 4.4.0 through 4.4.29
- All legacy versions including MongoDB Server v4.2, v4.0, and v3.6
While the flaw has been patched in versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30, many organizations have not yet upgraded to a fixed release.
What makes the investigation so complex is that multiple unrelated groups of cybercriminals appear to have targeted Ubisoft simultaneously.
According to VX-Underground, a first group compromised live game services to manipulate inventories and bans, while a second group allegedly used MongoBleed to pivot into Ubisoft’s internal Git repositories. This second group reportedly stole source code for various projects dating from the 1990s to the present day. Meanwhile, a third group is reportedly attempting to extort Ubisoft over stolen user data, while a fourth group claims the source code was already compromised long before the current chaos began.
Rainbow Six Siege won’t be the last victim
While Rainbow Six Siege could potentially be the first public victim of MongoBleed, the sheer scale of MongoDB’s global footprint shows that it likely won’t be the last. As of this year, over 60,000 organizations across nearly every industry rely on this open-source tool for their backend infrastructure.
With 200,000 instances estimated to currently be exposed online, the potential for widespread exploitation of MongoBleed is quite high. Since this exploit isn’t too complicated and requires no authentication, other companies could suffer a similar fate to what happened with Rainbow Six Siege if they don’t patch their systems immediately.
From credential harvesting to undetected data theft, MongoBleed attacks could have wide reaching implications for organizations and their users across a wide variety of industries.
Hopefully companies take immediate steps to remedy this situation because if they don’t you’ll be reading (and I’ll be writing) about a lot more MongoBleed-powered attacks next year.
Follow Tom’s Guide on Google News and add us as a preferred source to get our up-to-date news, analysis, and reviews in your feeds.
