Security

Dota 2 Forum Breach Leaks 2 Million User Accounts (zdnet.com) 34

Reader cloud.pt writes: In another case of serious programmer impairment, the DOTA 2 official forums have been hacked, making available to the perpetrators around 2 million emails, usernames, and MD5 hashed passwords. [...] From the report: The hack was carried out last month on July 10. The copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. The hacker took advantage of an SQL injection vulnerability used by the older vBulletin forum software, which powers the community. That allowed them to access the database of limited user data, such as username, email, IP address of the user. The data also includes the user's hashed password -- which uses the MD5 algorithm, which is widely considered insecure by today's standards, alongside the salt, used to scramble the password further. A member of the LeakedSource group told me that 1.54 million of the passwords -- or about 80 percent -- have already been unscrambled using rudimentary and run-of-the-mill cracking tools.
  • My Bad!

  • It stands for Defense of the Ancients. Come on editors, save me from having to Google acronyms!
    • https://en.wikipedia.org/wiki/... [wikipedia.org]

      Dota 2 is a free-to-play multiplayer online battle arena (MOBA) video game developed and published by Valve Corporation for Microsoft Windows, OS X, and Linux. The game is the stand-alone sequel to Defense of the Ancients (DotA), which was a mod for Warcraft III: Reign of Chaos and its expansion pack, The Frozen Throne. Dota 2 is played in matches between two teams that consist of five players, who each occupy their own base on the map. Each player controls a powerful charac

  • by Anonymous Coward

    http://www.zdnet.com/article/dota-2-players-targeted-by-forum-hackers-in-new-breach/

    Attention Slashdot staff: The link doesn't show up in Safari on iPhones using iOS 9.3.3 in the default "mobile" mode.

  • took advantage of an SQL injection vulnerability

    I'm glad to see hackers are having to constantly refine their skills and take advantage of the newest exploits in order to bypass security nowadays.

    Seriously, those who run DOTA2 should be shot. There is no excuse whatsoever for this type of hack. Parse your fucking inputs.

    • XKCD - https://xkcd.com/327/ [xkcd.com]
    • by rwven ( 663186 )

      On top of the fact that it was subject to a SQL injection attack, the passwords were hashed with salted MD5. I feel like I'm reading a story from 10 years ago or something...

      • On top of the fact that it was subject to a SQL injection attack, the passwords were hashed with salted MD5. I feel like I'm reading a story from 10 years ago or something...

        It doesn't to me. The last time I pointed out that salting + hashing is more of a joke than a solution, just a few months ago, a number of people right here jumped on me. One actually went as far as posting what they claimed was the hash for their own password to prove a "point"... LifeLock style.

        Some portion of operators today in 2016 think one or more of the following:

        1 - 1.2 of 1.54 million people whose passwords were successfully cracked "deserved" what they got for using "weak" passwords.

        2 - Selection of h
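The salted-MD5 problem raised in this sub-thread, shown as an added example that is not code from the thread, the article or vBulletin: a constructed salted-MD5 record beside a PBKDF2-HMAC-SHA256 record, with a login routine that rehashes a legacy record at the one moment the plaintext is available. The record layout, the salt construction and the iteration count are assumptions for the illustration.

```python
import hashlib
import hmac
import os

# Assumed cost parameter for PBKDF2-HMAC-SHA256; tune to the login latency
# your hardware can afford. The point is that one guess costs real work.
PBKDF2_ITERATIONS = 600_000


def legacy_salted_md5(password, salt):
    """Constructed stand-in for the kind of salted-MD5 scheme the story describes.

    The salt defeats precomputed tables, but MD5 is so cheap that an attacker
    with the salt simply guesses at hardware speed per account.
    """
    return hashlib.md5((salt + password).encode()).hexdigest()


def legacy_record(password, salt):
    """Build a legacy (weak) stored record; used here only to seed the migration."""
    return {"scheme": "md5", "salt": salt, "hash": legacy_salted_md5(password, salt)}


def modern_record(password):
    """Build a stored record with a fresh random salt and a slow, iterated hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record, password):
    """Check a password against either record type using a constant-time compare."""
    if record["scheme"] == "md5":
        expected = legacy_salted_md5(password, record["salt"])
    elif record["scheme"] == "pbkdf2_sha256":
        expected = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
        ).hex()
    else:
        return False
    return hmac.compare_digest(expected, record["hash"])


def needs_rehash(record):
    """True for a legacy record or one whose cost has fallen behind the current setting."""
    return record["scheme"] != "pbkdf2_sha256" or record["iterations"] < PBKDF2_ITERATIONS


def login(record, password):
    """Return (ok, record). On success, upgrade a weak record in place.

    The plaintext is only in hand during login, so migrating a legacy
    database means rehashing here rather than waiting for every user to reset.
    """
    if not verify(record, password):
        return False, record
    if needs_rehash(record):
        record = modern_record(password)
    return True, record


if __name__ == "__main__":
    rec = legacy_record("correct horse battery", "s4lt")
    ok, rec = login(rec, "correct horse battery")
    print("login ok:", ok, "scheme now:", rec["scheme"])
```

Once every record has been migrated, the `md5` branch in `verify` can be deleted, and the stored iteration count lets the cost be raised later without another flag day.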

    • Actually the original reporting was vague, and so was my submission copy by association (for which I totally understand my subtle quote). It was more of a site administration failure (since the hack was possible through an old version of vBulletin), from not keeping the back-end updated. Also of note is that I failed to point out the hack was on the so-called Dev forums (which are still official), where people go and report bugs or imbalances in the game (i.e. it supposedly shouldn't have links to Steam accounts
    • " Parse your fucking inputs."

      3,2,1... What? nothing happened yet?

      So, here I go: use parametrized queries.
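The parameterized-query fix this comment recommends, as an added example that is not code from the thread, the article or vBulletin. It runs against an in-memory SQLite table with constructed rows; the table and column names are assumptions, not the forum's schema. It contrasts the string-splicing pattern behind the breach class with placeholder binding on two inputs: a legitimate name containing an apostrophe and the tautology probe the linked xkcd strip alludes to.

```python
import sqlite3

# Constructed sample rows; the schema is an assumption for the illustration.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("o'brien", "obrien@example.invalid"),
]


def make_db():
    """Create an in-memory table seeded with the constructed rows (itself via binding)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO user (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted text spliced into the statement: the value is parsed as SQL."""
    sql = "SELECT username, email FROM user WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: a bound placeholder, so the driver passes the value as data only."""
    sql = "SELECT username, email FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups on a benign and a hostile input; return what each did."""
    conn = make_db()
    results = {}

    # Benign edge case: a real name with an apostrophe. Concatenation produces
    # a broken statement; binding finds the row.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    results["bound_apostrophe"] = len(lookup_parameterized(conn, "o'brien"))

    # Hostile input: the textbook tautology. Concatenation returns every row;
    # binding treats the whole string as a username and matches nothing.
    probe = "' OR '1'='1"
    results["concat_tautology"] = len(lookup_vulnerable(conn, probe))
    results["bound_tautology"] = len(lookup_parameterized(conn, probe))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The apostrophe case is the practical argument against "parse your inputs": escaping or filtering has to anticipate every quoting rule of the database, while binding removes the question entirely because the value never reaches the SQL parser.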

  • Blame the users who use the same account information for multiple systems and forums nowadays. Users have no real control of the systems they have to log into, but they don't have to be easy targets by using the same passwords and accounts on everything they use. There is no excuse to let yourself be a victim of credential loss because some stupid system admin doesn't fix security issues on their sites.

  • Forums with mods / add-ons are hard to keep up to date
