Slashdot Mirror


Dota 2 Forum Breach Leaks 2 Million User Accounts (zdnet.com)

Reader cloud.pt writes: In another case of serious programmer impairment, the DOTA 2 official forums have been hacked, making available to the perpetrators around 2 million emails, usernames, and MD5 hashed passwords. [...] From the report: The hack was carried out last month on July 10. The copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. The hacker took advantage of an SQL injection vulnerability used by the older vBulletin forum software, which powers the community. That allowed them to access the database of limited user data, such as username, email, IP address of the user. The data also includes the user's hashed password -- which uses the MD5 algorithm, which is widely considered insecure by today's standards, alongside the salt, used to scramble the password further. A member of the LeakedSource group told me that 1.54 million of the passwords -- or about 80 percent -- have already been unscrambled using rudimentary and run-of-the-mill cracking tools.

34 comments

  1. OOPS! by mandark1967 · · Score: 1

    My Bad!

    --
    Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
  2. For those who don't know what DOTA stands for: by DatbeDank · · Score: 2

    It stands for Defense of the Ancients. Come on editors, save me from having to Google acronyms!

    1. Re:For those who don't know what DOTA stands for: by Anonymous Coward · · Score: 0

      All the acronyms on this site, and THAT one you have to Google?

    2. Re:For those who don't know what DOTA stands for: by Anonymous Coward · · Score: 0

      It's the name of a game.
      I doubt even most of the players know what it stands for.
      It's completely irrelevant to understanding the rest of the story.

    3. Re:For those who don't know what DOTA stands for: by Anonymous Coward · · Score: 0

      Acronyms have dumbed down our culture greatly. It was once Kentucky Fried Chicken and now it's just KFC.

    4. Re:For those who don't know what DOTA stands for: by Bearhouse · · Score: 2

      https://en.wikipedia.org/wiki/...

      Dota 2 is a free-to-play multiplayer online battle arena (MOBA) video game developed and published by Valve Corporation for Microsoft Windows, OS X, and Linux. The game is the stand-alone sequel to Defense of the Ancients (DotA), which was a mod for Warcraft III: Reign of Chaos and its expansion pack, The Frozen Throne. Dota 2 is played in matches between two teams that consist of five players, who each occupy their own base on the map. Each player controls a powerful character, known as a "hero", that feature unique abilities and different styles of play. During a match, a player collects experience points, gold, and items for their hero in order to fight heroes of the opposing team, while attempting to push through their defenses. A team wins by being the first to destroy a large structure located in the opposing team's base, called the "Ancient".

    5. Re:For those who don't know what DOTA stands for: by Nunya666 · · Score: 2

      All the acronyms on this site, and THAT one you have to Google?

      Based on your comment, it appears that you are a gamer, all 3 of your friends are gamers, and you can't imagine that anyone on a News for Nerds site is not also a gamer.

      You might want to get out of your mom's basement more often.

    6. Re:For those who don't know what DOTA stands for: by lgw · · Score: 1

      You might want to get out of your mom's basement more often.

      I tried that one, but the Day Star burned me!

      --
      Socialism: a lie told by totalitarians and believed by fools.
    7. Re:For those who don't know what DOTA stands for: by spire3661 · · Score: 1

      DOTA is absolutely massive. This is like requesting that people type out National Basketball Association instead of NBA. You should know what DOTA is by now.

      --
      Good-bye
    8. Re:For those who don't know what DOTA stands for: by Anonymous Coward · · Score: 0

      This game has actually been making headlines recently for its record breaking prize pool for its latest tournament. You don't have to be a gamer to have heard of this game: http://www.geekwire.com/2016/valve-ceo-gabe-newell-kicks-off-huge-dota-2-esports-championship-prize-pool-20m

    9. Re:For those who don't know what DOTA stands for: by Fly+Swatter · · Score: 1

      Acronyms have dumbed down our culture greatly. It was once Kentucky Fried Chicken and now it's just KFC.

      In KFC's case it was more a marketing ploy to hide the word 'fried'. At the time, fried food of any type had a lot of bad press.

    10. Re:For those who don't know what DOTA stands for: by rainmouse · · Score: 1

      Technically an initialism, though I would love to hear people saying KFC as a word.

      http://dictionary.cambridge.org/dictionary/english/acronym

  3. Link for mobile users by Anonymous Coward · · Score: 1

    http://www.zdnet.com/article/dota-2-players-targeted-by-forum-hackers-in-new-breach/

    Attention Slashdot staff: The link doesn't show up in Safari on iPhones using iOS 9.3.3 in the default "mobile" mode.

  4. Modern hacking by Dunbal · · Score: 1

    took advantage of an SQL injection vulnerability

    I'm glad to see hackers are having to constantly refine their skills and take advantage of the newest exploits in order to bypass security nowadays.

    Seriously, those who run DOTA2 should be shot. There is no excuse whatsoever for this type of hack. Parse your fucking inputs.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:Modern hacking by Big+Hairy+Ian · · Score: 2

      --
      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:Modern hacking by rwven · · Score: 1

      On top of the fact that it was subject to a SQL injection attack, the passwords were hashed with salted MD5. I feel like I'm reading a story from 10 years ago or something...

    3. Re:Modern hacking by cloud.pt · · Score: 1

      Actually the original reporting was vague, and so was my submission copy by association (for which I totally understand my subtle quote). It was more of a site administration failure (since the hack was possible through an old version of vBulletin), from not keeping the back-end updated. Also of note is I failed to point out the hack was on the so-called Dev forums (which are still official), where people go and report bugs or imbalances in the game (i.e. it supposedly shouldn't have links to Steam accounts, but that depends on individual user credential patterns or lack thereof). In any case it's sad to see that either a 2013 version of vBulletin was this flawed, or that someone in 2013 picked a version of vBulletin without issues such as SQL injection or usage of MD5+salt fixed.

    4. Re:Modern hacking by Anonymous Coward · · Score: 0

      Yep, just another Windows vulnerability. At some point Microsoft needs to be held financially accountable for their crappy code.

    5. Re:Modern hacking by WaffleMonster · · Score: 1

      On top of the fact that it was subject to a SQL injection attack, the passwords were hashed with salted MD5. I feel like I'm reading a story from 10 years ago or something...

      It doesn't to me. The last time I pointed out salting + hashing is more of a joke than a solution just a few months ago a number of people right here jumped on me. One actually went as far as posting what they claimed was the hash for their own password to prove a "point"... Life lock style.

      Some portion of operators today in 2016 think one or more of the following:

      1 - 1.2 of 1.54 million people whose passwords were successfully cracked "deserved" what they got for using "weak" passwords.

      2 - Selection of hash algorithm (MD5) matters. Perhaps something more "secure" like SHA2 would have prevented this.

      3 - Had only they used scrypt or similar amplification schemes this would have materially changed the equation.

      The only effective way I'm aware of to protect stored passwords is to employ a segregated secure low complexity authenticator that does nothing except check credentials.

    6. Re:Modern hacking by Anonymous Coward · · Score: 0

      "Seriously, those who run DOTA2 should be shot. " I've said this for 'roughly' 4 years.

  5. Can't trust info online by Anonymous Coward · · Score: 0

    Well it's clear you cannot trust your information online. The more exposure the more risk you take. I guess many times it's these sites running on limited resources that you can blame the most. They don't do enough or have enough support to properly prevent this.

  6. Who uses the same userid and password nowadays? by krelvin · · Score: 1

    Blame the users who use the same account information for multiple systems and forums nowadays. Users have no real control of the systems they have to log into, but they don't have to be easy targets by using the same passwords and accounts on everything they use. There is no excuse to let yourself be a victim of credential loss because some stupid system admin doesn't fix security issues on their sites.

    1. Re:Who uses the same userid and password nowadays? by Anonymous Coward · · Score: 0

      Blame the users who use the same account information for multiple systems and forums nowadays. Users have no real control of the systems they have to log into, but they don't have to be easy targets by using the same passwords and accounts on everything they use. There is no excuse to let yourself be a victim of credential loss because some stupid system admin doesn't fix security issues on their sites.

      Blame it on practically every website on the planet now wanting you to create a user account to do anything. My password manager has well north of 100 usernames and passwords in it, and I only started using one because of the sheer number of accounts I have littering the Internet was getting so stupidly huge that I couldn't remember them all, and you better believe there were duplicates in there, I just plain can't remember hundreds of good, strong, and unique passwords.

      Most users aren't going to use a password manager, assuming they even know such a thing exists, so credential reuse is going to continue to be a problem, especially since just about every website nowadays wants you to create an account for posting comments, submitting content, and, in some cases, reading content.

  7. KFC by Anonymous Coward · · Score: 0

    KFC - Korean Fried Chicken

  8. Programmer should be banned for life by Anonymous Coward · · Score: 0

    It's 2016 already. Any programmer who writes code susceptible to SQL injection should be banned from contact with computers for the remainder of their life. Kind of like how child abusers are banned from contact with children.

    1. Re:Programmer should be banned for life by mattventura · · Score: 1

      More like anyone who uses vBulletin in 2016 needs to be banned from making websites. As someone who has had to deal with a large-ish VB, it's really not pretty under the hood, with or without the SQL injections.

  9. Forums with mods / add on are hard to update by Joe_Dragon · · Score: 1

    Forums with mods / add on are hard to keep up to date

  10. Why replace links? by Anonymous Coward · · Score: 0

    This news was submitted by a Slashdot reader, but you replaced the report with a ZDNet link. Why manish? Do you realize you're alienating /. users? Every day... Vice, ZDNet and BetaNews... the same lame news sources by journalists that steal stories from smaller sites.

    https://slashdot.org/submission/6200515/dota-2-dev-forum-breached-nearly-2-million-users-affected

    1. Re:Why replace links? by cloud.pt · · Score: 1

      Actually, I submitted the article with the ZDNet link as the post eventually ended up with. I swear for the love of god I didn't even make the connection to slashdot ownership, but now that I think of it, it might have enhanced my odds (And yay! Got my first one on the front page. GO ME!)

    2. Re:Why replace links? by cloud.pt · · Score: 1

      But the "DOTA 2 official forums have been hacked" hyperlink was not an edit I originally made :D. It does make the quote more dynamic, and I repeat: it is my original source link.

  11. Sheesh people.. use SHA256 or higher for hashes by Anonymous Coward · · Score: 0

    Even then, it's up to the users to use longer, more random passwords and different ones per site. This video shows just how crazy-powerful password hash cracking has become. 4 CUDA graphics cards is all it takes.

    https://www.youtube.com/watch?v=7U-RbOKanYs

  12. MD5 by Anonymous Coward · · Score: 0

    Why is it always MD5? You really can't trust any Web service...

  13. Parse your fucking inputs. by ls671 · · Score: 1

    " Parse your fucking inputs."

    3,2,1... What? nothing happened yet?

    So, here I go: use parametrized queries.

    --
    Everything I write is lies, read between the lines.
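
Comments 4 and 13 above boil down to "parse your inputs" versus "use parametrized queries". The following is an added example (not code from the page, from vBulletin, or from any commenter) that puts the two lookups side by side on a tiny in-memory SQLite table so the difference is observable: the string-formatted query lets a quoted input change the WHERE clause, while the parametrized query compares the same input purely as data. vBulletin itself is PHP; Python's `sqlite3` module is used here only because it runs stand-alone. The table, the sample rows and the hostile input are constructed for this example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: a two-row users table standing in for a forum database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # The defect: the caller's string is pasted into the SQL text, so a quote character
    # in it ends the literal and the remainder is interpreted as SQL.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql).fetchall()]

def lookup_parametrized(conn: sqlite3.Connection, username: str) -> list[str]:
    # The fix: the SQL text is fixed and the value travels separately as a bound
    # parameter, so whatever it contains is only ever compared against the column.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]

def demo() -> dict:
    """Run both lookups on an honest name and on a constructed quote-bearing input."""
    conn = make_db()
    honest = "alice"
    hostile = "' OR '1'='1"  # constructed input: a quote followed by a tautology
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parametrized_honest": lookup_parametrized(conn, honest),
        "parametrized_hostile": lookup_parametrized(conn, hostile),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-22s -> %s" % (label, rows))
```

The parametrized version needs no escaping or "parsing" of the input at all: a username containing quotes is a legitimate value that simply matches nothing. Input validation is still worth doing for its own reasons (length, character set), but it is not what stops injection; the binding does.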