If you’re a member of the Dota 2 forum connected to the popular multiplayer online game, now would probably be a good time to change your password for the site and possibly for other online services as well. A new breach notification site called LeakedSource reports that the forum was hacked on July 10, 2016, exposing 1,923,972 records, each containing an email address, an IP address, a username, a user identifier, and a password.
According to the report, the forum’s passwords are stored on Valve Software’s servers using MD5 hashing and a salt, the latter of which is random data injected as an additional input into the password to help “scramble” the information. However, the outdated MD5 isn’t exactly the most secure algorithm for hashing a password, as it’s notably filled with vulnerabilities and can be reversed by a brute-force attack. LeakedSource said it managed to convert over 80 percent of the hashed passwords to their plain text values.
“It’s a fast and memory-conserving algorithm,” stated a response in a Stack Exchange thread a few years ago. “That means an attacker can compute the hash of a large number of passwords per second. Using specialized hardware (like FPGA arrays or ASICs) worth a few thousand dollars you can compute the hashes of all possible 8-character passwords for a given salt in mere hours.”
On the email front, the report reveals a list of 56 email domains that were used to register for the Dota 2 forum. The top 10 include Gmail with 1,086,139 users, followed by Hotmail, Yahoo, Mail.ru, Outlook, Sina, Ymail, Cmail, AOL, and MSN. The report adds that the list also includes quite a few disposable emails, meaning they’re simply temporary and likely used only for this specific forum.
Additional reports point to Valve Software’s use of an older version of the vBulletin software used to run the forum. Evidently, there’s an SQL injection vulnerability in the platform, allowing hackers to inject SQL statements into an entry field to execute a command, such as to dump the forum’s database contents into one large file to download. SQL is a programming language used to manage data in a database management system.
Dota 2 players worried about hackers gaining access to their account credentials can search LeakedSource’s database by heading here. If by chance your information is indeed in the Dota 2 data pool, or in any other leaked database in possession by LeakedSource, you can remove this sensitive info from the site’s copy for free. However, your information will still be in the hands of hackers.
The first report provided by LeakedSource appears to be March 30 of this year, stating that Mate1.com was hacked in October 2015. LeakedSource obtained a copy of the site’s database containing 27,403,958 accounts. Passwords were reportedly stored in plain, visible text, revealing that the site wasn’t using any type of encryption to protect user accounts. The most used password was “123456” followed by “123456789” and “123.” Seriously?
So far Valve Software has not issued a statement regarding LeakedSource’s report of the July Dota 2 forum hack.