Dota 2 Forum Breach Leaks 2 Million User Accounts (zdnet.com)

← Back to Stories (view on slashdot.org)

Dota 2 Forum Breach Leaks 2 Million User Accounts (zdnet.com)

Posted by msmash on Wednesday August 10, 2016 @02:06AM from the security-woes dept.

Reader cloud.pt writes: In another case of serious programmer impairment, the DOTA 2 official forums have been hacked, making available to the perpetrators around 2 million emails, usernames, and MD5 hashed passwords. [...] From the report: The hack was carried out last month on July 10. The copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data. The hacker took advantage of an SQL injection vulnerability used by the older vBulletin forum software, which powers the community. That allowed them to access the database of limited user data, such as username, email, IP address of the user. The data also includes the user's hashed password -- which uses the MD5 algorithm, which is widely considered insecure by today's standards, alongside the salt, used to scramble the password further. A member of the LeakedSource group told me that 1.54 million of the passwords -- or about 80 percent -- have already been unscrambled using rudimentary and run-of-the-mill cracking tools.

20 of 34 comments (clear)

Min score:

Reason:

Sort:

OOPS! by mandark1967 · 2016-08-10 02:09 · Score: 1

My Bad!

--
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
For those who don't know what DOTA stands for: by DatbeDank · 2016-08-10 02:16 · Score: 2

It stands for Defense of the Ancients. Come on editors, save me from having to Google acronyms!
1. Re:For those who don't know what DOTA stands for: by Bearhouse · 2016-08-10 02:55 · Score: 2
  
  https://en.wikipedia.org/wiki/...
  Dota 2 is a free-to-play multiplayer online battle arena (MOBA) video game developed and published by Valve Corporation for Microsoft Windows, OS X, and Linux. The game is the stand-alone sequel to Defense of the Ancients (DotA), which was a mod for Warcraft III: Reign of Chaos and its expansion pack, The Frozen Throne. Dota 2 is played in matches between two teams that consist of five players, who each occupy their own base on the map. Each player controls a powerful character, known as a "hero", that feature unique abilities and different styles of play. During a match, a player collects experience points, gold, and items for their hero in order to fight heroes of the opposing team, while attempting to push through their defenses. A team wins by being the first to destroy a large structure located in the opposing team's base, called the "Ancient".
2. Re:For those who don't know what DOTA stands for: by Nunya666 · 2016-08-10 03:06 · Score: 2
  
  All the acronyms on this site, and THAT one you have to Google?
  Based on your comment, it appears that you are a gamer, all 3 of your friends are gamers, and you can't imagine that anyone on a News for Nerds site is not also a gamer.
  
  You might want to get out of your mom's basement more often.
3. Re:For those who don't know what DOTA stands for: by lgw · 2016-08-10 03:24 · Score: 1
  
  You might want to get out of your mom's basement more often.
  I tried that one, but the Day Star burned me!
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
4. Re:For those who don't know what DOTA stands for: by spire3661 · 2016-08-10 03:29 · Score: 1
  
  DOTA is absolutely massive. This is like requesting that people type out National Basketball Association instead of NBA. You should know what DOTA is by now.
  
  --
  Good-bye
5. Re:For those who don't know what DOTA stands for: by Fly+Swatter · 2016-08-10 06:05 · Score: 1
  
  Acronyms have dumbed down our culture greatly. It was once Kentucky Fried Chicken and now it's just KFC.
  In KFC's case it was more a marketing ploy to hide the word 'fried'. At the time, fried food of any type had a lot of bad press.
6. Re:For those who don't know what DOTA stands for: by rainmouse · 2016-08-10 06:19 · Score: 1
  
  Technically an Initialism, though I would love to hear people saying KFC as a word.
  http://dictionary.cambridge.org/dictionary/english/acronym
Link for mobile users by Anonymous Coward · 2016-08-10 02:19 · Score: 1

http://www.zdnet.com/article/dota-2-players-targeted-by-forum-hackers-in-new-breach/
Attention Slashdot staff: The link doesn't show up in Safari on iPhones using iOS 9.3.3 in the default "mobile" mode.
Modern hacking by Dunbal · 2016-08-10 02:32 · Score: 1

took advantage of an SQL injection vulnerability
I'm glad to see hackers are having to constantly refine their skills and take advantage of the newest exploits in order to bypass security nowadays.
Seriously, those who run DOTA2 should be shot. There is no excuse whatsoever for this type of hack. Parse your fucking inputs.

--
Seven puppies were harmed during the making of this post.
1. Re:Modern hacking by Big+Hairy+Ian · 2016-08-10 02:44 · Score: 2
  
  XKCD - https://xkcd.com/327/
  
  --
  Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
2. Re:Modern hacking by rwven · 2016-08-10 03:07 · Score: 1
  
  On top of the fact that it was subject to a SQL injection attack, the passwords were hashed with salted MD5. I feel like I'm reading a story from 10 years ago or something...
3. Re:Modern hacking by cloud.pt · 2016-08-10 03:07 · Score: 1
  
  Actually the original reporting was vague, and so was my submission copy by association (for which I totally understand my subtle quote). It was more of a site administration failure (since the hack was possible through an old version of vBulletin), from not keeping the back-end updated. Also of note is I failed to point out the hack was on the so-called Dev forums (which are still official), where people go and report bugs or imbalances in the game (i.e. it supposedly shouldn't have links to Steam accounts, but that depends on individual user credential patterns or lack thereof). In any case it's sad to see that either a 2013 version of vBulletin was this flawed, or that someone in 2013 picked a version of vBulletin without issues such as SQL injection or usage of MD5+salt fixed.
4. Re:Modern hacking by WaffleMonster · 2016-08-10 04:29 · Score: 1
  
  On top of the fact that it was subject to a SQL injection attack, the passwords were hashed with salted MD5. I feel like I'm reading a story from 10 years ago or something...
  It doesn't to me. The last time I pointed out salting + hashing is more of a joke than a solution just a few months ago a number of people right here jumped on me. One actually went as far as posting what they claimed was the hash for their own password to prove a "point"... Life lock style.
  Some portion of operators today in 2016 think one or more of the following:
  1 - 1.2 of 1.54 million people whose passwords were successfully cracked "deserved" what they got for using "weak" passwords.
  2 - Selection of hash algorithm (MD5) matters. Perhaps something more "secure" like SHA2 would have prevented this.
  3 - Had only they used scrypt or similar amplification schemes this would have materially changed the equation.
  The only effective way I'm aware of protect stored passwords is to employ a segregated secure low complexity authenticator that does nothing except check credentials.
Who uses the same userid and password now days? by krelvin · 2016-08-10 03:30 · Score: 1

Blame to the users who use the same account information for multiple systems and forums now days. Users have no real control of the systems they have to log into, but they don't have to be easy targets by using the same passwords and accounts on everything they use. There is no excuse to let yourself be a victim of credential loss because some stupid system admin doesn't fix security issues on their sites.
Re:Programmer should be banned for life by mattventura · 2016-08-10 04:19 · Score: 1

More like anyone who uses vBulletin in 2016 needs to be banned from making websites. As someone who has had to deal with a large-ish VB, it's really not pretty under the hood, with or without the SQL injections.
Forums with mods / add on are hard to update by Joe_Dragon · 2016-08-10 04:30 · Score: 1

Forums with mods / add on are hard to keep up to date
Re:Why replace links? by cloud.pt · 2016-08-10 05:18 · Score: 1

Actually, I submitted the article with the ZDNet link as the post eventually ended up with. I swear for the love of god I didn't even make the connection to slashdot ownership, but now that I think of it, it might have enhanced my odds (And yay! Got my first one on the front page. GO ME!)
Re:Why replace links? by cloud.pt · 2016-08-10 05:20 · Score: 1

But the the "DOTA 2 official forums have been hacked" hyperlink was not an edited I originally made :D. It does make the quote more dynamic, and I repeat: it is my original source link.
Parse your fucking inputs. by ls671 · 2016-08-10 20:54 · Score: 1

" Parse your fucking inputs."
3,2,1... What? nothing happened yet?
So, here I go: use parametrized queries.

--
Everything I write is lies, read between the lines.