Slashdot Mirror


Millions Of Steam Game Keys Stolen After Hacker Breaches Gaming Site (zdnet.com)

An anonymous reader writes: A little over nine million keys used to redeem and activate games on the Steam platform were stolen by a hacker who breached a gaming news site last month. The site, DLH.net, which provides news, reviews, cheat codes, and forums, was breached on July 31 by an unnamed hacker who was also responsible for the Dota 2 forum breach. The site also allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database. A known vulnerability found in older vBulletin forum software, which powers the site's community, allowed the hacker to access the databases. The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.

68 comments

  1. Sooooo by Anonymous Coward · · Score: 4, Insightful

    if they know the keys were stolen, can't they invalidate them????

    1. Re:Sooooo by OverlordQ · · Score: 2

      Because they'd have to reissue them to the original owner

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Sooooo by Anonymous Coward · · Score: 0

      Can they not just reissue them to the website and then the website reissues them to the members?

    3. Re:Sooooo by Anonymous Coward · · Score: 0

      it is a third party key trading site; valve won't give a shit, the game companies won't give a shit.

      if they did, it would be because somewhere in some fine print in some agreement you 'agreed to', transferring keys to someone else or gifting/giving outside of the steam platform is against some rule and the keys will just be invalidated, that is, if the original accounts they were assigned to aren't outright terminated.

    4. Re:Sooooo by pushing-robot · · Score: 1

      Chances are most of them were already used by the intended recipient.

      If I got a key from a gray market service like this I'd certainly waste no time redeeming it.

      --
      How can I believe you when you tell me what I don't want to hear?
    5. Re:Sooooo by sexconker · · Score: 2

      These are keys that people are reselling/trading. Publishers, developers, and Steam don't like that.

      Many of these keys are likely stolen or farmed in the first place, or included as part of a "Humble Bundle" which expressly "forbids" you from reselling/trading individual keys.

    6. Re:Sooooo by xlsior · · Score: 2

      if they know the keys were stolen, can't they invalidate them????

      Just because they got stolen, doesn't necessary mean that someone else didn't already own them. Invalidating them may also burn the original purchaser when they try to activate them down the road.

      (For example, I myself have a few dozen steam keys that I haven't activated yet, most of which I received as part of past Humble Bundles, and some through kickstarter)

    7. Re:Sooooo by Anonymous Coward · · Score: 0

      Only if the original owner requests that the keys be reissued.

      Simply mark them as Invalid / stolen in the database. If the original purchaser wants to request a replacement key, issue them one.

    8. Re:Sooooo by rtb61 · · Score: 1

      Doesn't really affect the original owner as it is not just a key but a key tied to a user and password. They can try stealing and selling user accounts and that would cause Steam massive problems as they would be penalised in many countries for affecting the accounts of customers. Just because you haven't used a purchased key, does not mean that key is not already tied to your account and your specific hardware.

      Just a warning to everyone, lots of little databases are a hassle and cost more to administer but when one it broken and tiny bit of information is stolen. Big databases with everything in it, including the kitchen sink, cheaper to administer but when it gets broken into you lose everything. Just another typical event in the war between idiot bean counters who know nothing and intelligent risk assessing network admins.

      --
      Chaos - everything, everywhere, everywhen
  2. Steam down ATM by bignetbuy · · Score: 3, Interesting

    Related or no? I'm unable to access any Steam functions other than games at the moment. No discussions. No store. No community page. Can access other sites fine though.

    1. Re:Steam down ATM by Anonymous Coward · · Score: 0, Interesting

      The US government need everybody to remain interested in Microsoft "for games" which is actually the bait.

      Everyone is starting to get the picture now, in no small way. The NSA dipshits who think their lives rely on their ability to be ninjas online go ahead and backstab the USA population for what they perceive to be their personal gains.

      Reality? All spies just kill yourselves you have nothing to gain or lose. Real Farts Matter.

    2. Re:Steam down ATM by D00MSlayer · · Score: 1

      So we can blame Steam functionality issues on the NSA?

    3. Re:Steam down ATM by Anonymous Coward · · Score: 0

      Only if you line your house with tin foil and keep all your nail clippings in jars

    4. Re:Steam down ATM by Anonymous Coward · · Score: 0

      Only posers use jars; to block the necessary frequencies you need leaded crystal.

  3. Millions of free Steam codes on a review site by Anonymous Coward · · Score: 1

    No incentive for favorable reviews there.. no siree bob. /sarcasm

    1. Re:Millions of free Steam codes on a review site by Sowelu · · Score: 2

      If you read the article, they were stolen from forums where users commonly traded them (eg I have a key for this game that I bought on sale but haven't used, I want a copy of that game, who wants to trade)

  4. Bound to happen by WolfgangVL · · Score: 2

    An online community the size of steam is a big target. DLH.net and Steam both should have known better.

    The keys though, they are already tied to the account that paid for them right? Are they useful for anything?

    I've been expecting something like this for a while. Now expect big changes in the steam API.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    1. Re:Bound to happen by Nemyst · · Score: 4, Interesting

      Redeemable keys used for sharing have not been redeemed and can therefore be used by anybody without any action of whoever actually purchased/obtained the key.

    2. Re:Bound to happen by tsotha · · Score: 2

      I don't see Valve has any reason to change anything. If Walmart sells you a boxed game and someone steals it out of your car, is this Walmart's problem?

    3. Re:Bound to happen by WolfgangVL · · Score: 2

      The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.

      If it was made easier to steal from your car because Walmart's web API connected to the car's insecure messaging system and enabled the thief to steal the keys from your ignition, grab a copy of your driver's license, find your date of birth, dealership username, and daily driving activity, I think it's safe to assume some changes are coming.

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    4. Re:Bound to happen by tsotha · · Score: 1

      I don't understand how the quote is relevant. The only thing related to the Steam API is user names, and they don't have the Steam passwords. What changes to the API should Valve be making?

    5. Re:Bound to happen by WolfgangVL · · Score: 1

      Start with sharing less data? I know that's kind of the point of the API to begin with, but leaking is leaking, even if it's just usernames. Maybe they will decide, like you say, nothing to do with Steam/Valve..... or maybe they obfuscate the usernames in some way? I don't really know, it's not my show. At a minimum I would expect some kind of periodic security re-qualification for connected public-facing sites.

      If it was my show, I'd be looking very carefully at ANY data that leaves my control via ANY interface..... especially data directly related to my customers and clients that can find its way into some other database. It's not my show though, I'm just another armchair heckler watching it burn.

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    6. Re:Bound to happen by tsotha · · Score: 1

      Again, what Steam data was involved in this breach?

    7. Re:Bound to happen by spacepimp · · Score: 1

      Exactly which part of Steam Information was involved here? Are you aware this is a forum on an unrelated gaming website which was hacked. Your comment is simplistic enough that it would have the federal government be liable if people were writing their social security number on their bumper sticker.

    8. Re:Bound to happen by WolfgangVL · · Score: 1

      I guess I'm eating crow on this one. Article read as steam usernames and user activity data. Comma makes all the difference.

      So it's another case of users sharing PI with a 3rd party site who loses it. Reading is fundamental.

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    9. Re:Bound to happen by Anonymous Coward · · Score: 0

      Hey retard: this was a vBulletin vulnerability, not Steam or their API.

  5. wow by eyenot · · Score: 1

    See, I just *knew* that deactivating my facebook this week would pay off almost immediately.

    --
    "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
  6. Sigh. Another Vulnerable PHP Service by dgatwood · · Score: 4, Informative

    I've pretty much concluded that all the PHP-based bulletin boards are a security nightmare. Even the ones that are small enough to audit tend to be filled with old-style mysql_query calls and other horrors of the past.

    The best thing about PHP 7, in my view, is that they're finally killing the old MySQL API. They should have done that years ago. Now, you'll be able to tell which software is reasonably up-to-date based on whether it supports PHP 7 or not. Incidentally, vBulletin's website says that it still doesn't. That's probably not a good sign. :-)

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.
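The "old-style mysql_query calls" the comment above refers to are queries assembled by string concatenation, which is the classic SQL injection pattern in legacy PHP forum code. The following is an added example, not code from vBulletin or from the commenter: it is written in Python over an in-memory SQLite table (a constructed `user` table with three rows) rather than PHP/MySQL so that it runs stand-alone, but the defect and the fix are the same in either language. `lookup_user_vulnerable` builds the query text the way `mysql_query` code typically did; `lookup_user_safe` uses a parameterized query, the equivalent of a PDO/mysqli prepared statement. The payload strings are assumed attacker input.

```python
import sqlite3

# Constructed sample data standing in for a forum's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Assumed attacker-controlled inputs (e.g. a login or search form field).
PAYLOAD_OR = "x' OR '1'='1"        # tautology: matches every row
PAYLOAD_COMMENT = "x' OR 1=1 --"   # comment truncates the trailing quote


def make_db():
    """Build an in-memory SQLite database with a constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO user (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, username):
    """mysql_query-style lookup: query text built from untrusted input.

    The quotes the attacker supplies become part of the SQL grammar, so the
    WHERE clause no longer means what the developer wrote.
    """
    sql = "SELECT username, email FROM user WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized lookup: the input is bound as data, never parsed as SQL.

    This is what PDO::prepare()/bindValue() or mysqli prepared statements do
    in PHP; quotes in the input stay inside the string value.
    """
    sql = "SELECT username, email FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the payloads and return the row counts."""
    conn = make_db()
    return {
        "vulnerable_or": len(lookup_user_vulnerable(conn, PAYLOAD_OR)),
        "vulnerable_comment": len(lookup_user_vulnerable(conn, PAYLOAD_COMMENT)),
        "safe_or": len(lookup_user_safe(conn, PAYLOAD_OR)),
        "safe_comment": len(lookup_user_safe(conn, PAYLOAD_COMMENT)),
        "safe_legit": lookup_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With either payload the concatenated query returns every user row, while the parameterized query returns nothing because no username literally equals the payload text; the legitimate lookup for `bob` still works. Escaping functions (`mysql_real_escape_string` and friends) were the stopgap in the old API; binding parameters removes the class of bug rather than patching individual instances of it.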

  7. Sharing keys? So many questions by Sumus+Semper+Una · · Score: 1

    Ok, apparently I don't have enough friends who also use Steam to know about this. I myself have a Steam account and was under the impression that a key is a one-time use code to activate a game in your account. If that's true, why in the world would you want to share a Steam game key? And even if you did share one, isn't there a finite amount of time until whoever you shared it with activates it and it's no longer useful to anyone else? Why would there be millions of unredeemed Steam game keys lying around in a FORUM database?!

    Anyone at all have information that can shed some light on a few more of the technical details? Because TFA is pretty much a verbatim copy of the summary.

  8. bolted by bugs2squash · · Score: 0

    Now they have been hacked, perhaps they will look to security all around and quit making me use their own copy of the web browser to pay for games. Yes I'm sure there is another way and it may well be chrome under the hood but I don't care. I want to use the web browser I trust by default before I enter my paypal credentials.

    --
    Nullius in verba
    1. Re:bolted by Anonymous Coward · · Score: 2, Interesting

      To clarify this for you, in this case it is DLH.net that was hacked via a PHP bulletin board issue, not Steam. To the best of my knowledge, DLH did not put out a browser. Steam on the other hand, appears to use a fork of Chromium/WebKit for their browser, so they didn't really develop one, either, they just took an existing one and bolted it in.

      For what it's worth, Steam doesn't trust browsers very much, either. The only way you can redeem a game code is through their client. Probably to prevent a hacker from devising an automated attack against it.

  9. Re:Sharing keys? So many questions by pushing-robot · · Score: 3, Informative

    People sometimes get free or discounted keys and want to sell or trade them for games they actually want.

    No one said there were millions of *unredeemed* keys stolen, just millions of keys. It's likely 99% of people who got keys through DLH used them immediately and the codes are meaningless now.

    --
    How can I believe you when you tell me what I don't want to hear?
  10. Re:Sharing keys? So many questions by Sumus+Semper+Una · · Score: 1

    Ok, that makes WAY more sense. Thanks!

  11. Re:FBI YOU DIDN'T LINK THE GOV SITE -- wtf? by Anonymous Coward · · Score: 0

    dagnabbit Black Bart!!!

    They done up'd and lied.

  12. Re:This was NSA (Lizard Squad) [FUCK YOU FBI TOO] by D00MSlayer · · Score: 0

    Wait.. so they'd be pussies if they didn't succumb to the NSA spyware networks? The logic isn't apparent.

  13. Re:FBI YOU DIDN'T LINK THE GOV SITE -- wtf? by Anonymous Coward · · Score: 0

    wow AC. Do you really think a spy agency would just lie like that?

    oh wait..

  14. Re:Everybody's gettin' fat except Mama Cass by sims+2 · · Score: 1

    I remember /. was breached twice several years ago. I haven't been here in several years so if there have been any since then I haven't heard.

    --
    Minimum threshold fixed. Thanks!
  15. Thank goodness by PopeRatzo · · Score: 2

    Now I can deny having actually played GTA V for 368 hours. "It was the guy who hacked my account, honey!"

    --
    You are welcome on my lawn.
    1. Re:Thank goodness by Captain+Splendid · · Score: 1

      Now I can deny having actually played GTA V for 368 hours.

      Pfff, punk! Call me when you have 6K hours on a game!

      --
      Linux, you magnificent bastard, I read the fucking manual!
    2. Re:Thank goodness by Anonymous Coward · · Score: 0

      Europa Universalis IV ?

  16. What exactly does that mean? by TheRealMindChild · · Score: 1

    Facebook access tokens were stolen for those who signed in with their social account.

    What exactly does that mean?

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:What exactly does that mean? by ADRA · · Score: 3, Interesting

      Oauth tokens. Potentially giving access to all shared data given to the site from fb (emails, maybe given name, contacts?). Of course this is a non-issue if FB invalidates the application token granted to the specified web site.

      --
      Bye!
  17. Meh ... by jodokast98 · · Score: 1

    Most of the keys were for so-so games, nothing really AAA and got-to-have. Nothing of value was lost. It's a good thing I used my spam email and spam Facebook account for things like this.

  18. Re:It's OK, Steam keys are mostly useless by sexconker · · Score: 1

    Uh, this isn't true in my experience with the various Sword of the Stars bundles.

  19. Re:Sharing keys? So many questions by Anonymous Coward · · Score: 0

    Well, look at this month's Humble Bundle

    For $6 I can get the following 6 games:
    Lovers in a Dangerous Spacetime, Octodad, Super Time Force Ultra, Lethal League, The Beginner's Guide, and Galak-Z

    Awesome, I've been wanting to check out Lovers in a Dangerous Spacetime (especially for co-op!), and I can get the usually $10 game for $6 along with a few other games I haven't heard of to try out someday.

    Oh, but I already own Octodad. The Steam activation code for it is worthless to me since I already have that game in my library.

    Perhaps you don't own Octodad yet, and it seems a bit silly to pay full price for.
    Perhaps I put up just that one game code for sale, at say $0.50 or even $1.
    At that price you might just decide it is worth buying. I'd assume someone out there would, even if that one isn't your thing.

    That is why such sites exist. In fact I could put up the codes for all of the other 5 games I had no original interest in. If I could get just $1 for each, that brings my expense for the one game I wanted down from $6 to $1. $1 for a $10 game is still a great deal for me.

  20. Re:Sigh. Another Vulnerable PHP Service by Rexdude · · Score: 1

    Even if they did update it, it still won't matter unless every single vBulletin forum admin out there also decides to update as well. There are hundreds of forums running obsolete versions of it.

    --
    "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
  21. DLH Response by Anonymous Coward · · Score: 0

    http://www.dlh.net/en/news/51803/zdnet-article-wrong!-dlhnet-was-not-hacked.html

    1. Re:DLH Response by spacepimp · · Score: 1

      This is wrong information.

  22. Re:Everybody's gettin' fat except Mama Cass by Anonymous Coward · · Score: 0

    I remember /. was breached twice several years ago. I haven't been here in several years so if there have been any since then I haven't heard.

    https://slashdot.org/~sims+2

    Lying cunt.

        by sims 2 on Thursday August 04, 2016 @05:49PM (#52647511) Attached to: Researchers Discover How To Fool Tesla's Autopilot System
        by sims 2 on Friday August 05, 2016 @11:45AM (#52651149) Attached to: Google's Open YOLO Project Will Remove the Need For Passwords On
        by sims 2 on Friday August 05, 2016 @12:08PM (#52651287) Attached to: Robocalling Scourge May Not Be Unstoppable After All
        by sims 2 on Friday August 05, 2016 @03:24PM (#52652685) Attached to: Google's Open YOLO Project Will Remove the Need For Passwords On
        by sims 2 on Friday August 05, 2016 @04:02PM (#52652905) Attached to: Kids killed by carmaker's pennyshaving, again
        by sims 2 on Friday August 05, 2016 @05:19PM (#52653281) Attached to: Robocalling Scourge May Not Be Unstoppable After All
        by sims 2 on Friday August 05, 2016 @08:11PM (#52653901) Attached to: Man Says Tesla Autopilot Saved His Life By Driving Him To the Hospital
        by sims 2 on Friday August 05, 2016 @08:48PM (#52653977) Attached to: This Company Has Built a Profile On Every American Adult
    by sims 2 on Friday August 05, 2016 @09:43PM (#52654113) Attached to: Robocalling Scourge May Not Be Unstoppable After All
    by sims 2 on Wednesday August 17, 2016 @03:03PM (#52721023) Attached to: Intel's New Silicon Photonics Module For Data Centers Beams Info at
    by sims 2 on Wednesday August 17, 2016 @06:23PM (#52722133) Attached to: AT&T Is Boosting Data Plans, Dropping Overage Fees
    by sims 2 on Wednesday August 17, 2016 @08:08PM (#52722689) Attached to: AT&T Is Boosting Data Plans, Dropping Overage Fees
        by sims 2 on Wednesday August 17, 2016 @11:04PM (#52723301) Attached to: My main computer runs the following operating system:
    by sims 2 on Thursday August 18, 2016 @04:28PM (#52728225) Attached to: Millions Of Steam Game Keys Stolen After Hacker Breaches Gaming

    A simple search of my historic fed employee database tells me you are CIA

    have a nice day.

  23. Re:Sigh. Another Vulnerable PHP Service by dgatwood · · Score: 1

    The thing is, lack of upgrades usually indicates a design problem. For services like this, the software should be distributed using git so that local changes can be merged sanely. Instead, most of these bulletin boards involve moving aside the existing installation, extracting a tarball, and running some sort of installer script that does who-knows-what. So upgrading can be nightmarish for sites that involve any sort of customization.

    Also, this sort of software should be designed in such a way that it never makes backwards-incompatible changes to data structures, at least for a reasonable period of time (say a year or two). It should be possible to clone your installation to a new directory, apply the patches to the new version, start it up, and let it add additional database fields, etc. as needed, but the new version should be tolerant of partial data created by the old version (and should upgrade it on the fly), and should create data in such a way that the old version can still read it. This ensures that you can test the migration to a new version without having to set up a full clone of your entire infrastructure, with the ability to roll back if it breaks something.

    And ideally, a built-in upgrade scheme should be designed into the software. For example, it could have a script that clones itself into a directory beside the original and does a "git pull" in that subdirectory. After you fix any conflicts, it should let you access the new version by symlinking the new version into a subdirectory in the original version's tree. When you're satisfied, it should provide a one-button command that atomically deploys the new version by swapping out the symlink that currently points to the old version with a symlink that points to the new version.

    Oh, and it should check for updates automatically and email the admin every time there's an update. And it should allow you to auto-upgrade (with automatic email notification if the upgrade fails because of git conflicts) if you configure it to do so. And it should also have an intermediate mode that always keeps the latest version ready to preview but doesn't enable the upgrade, for folks who want to verify the updates manually, but still want to be ready to quickly install security updates when they find out about an exploit.

    With such a design, these systems would stay up-to-date much more consistently.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.
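The deployment scheme the comment above sketches (a new version prepared in a directory beside the live one, then made live by swapping a symlink, with rollback being the same swap in reverse) can be implemented with a single atomic rename. The following is an added example written for this page, not anything from the commenter or from any forum package. It assumes a layout of `<base>/releases/<name>/` for each staged version and `<base>/current` as the symlink the web server's document root points at; the `VERSION` file and release names used in `demo()` are constructed for the example. Fetching the new version (the "git pull" step) is out of scope here; the block covers the atomic cut-over and rollback.

```python
import os
import shutil
import tempfile

RELEASES_SUBDIR = "releases"  # assumed layout: <base>/releases/<name>/
LINK_NAME = "current"         # assumed: web root points at <base>/current


def deploy_release(base_dir, release_name, link_name=LINK_NAME):
    """Atomically point <base>/current at <base>/releases/<release_name>.

    A symlink is created under a temporary name and then rename(2)'d over
    the live link. rename() replaces the destination atomically, so any
    request resolving the path sees either the old tree or the new one,
    never a missing or half-written link. Doing `ln -sfn` instead is two
    syscalls (unlink + symlink) and leaves a window with no link at all.
    """
    release_dir = os.path.join(base_dir, RELEASES_SUBDIR, release_name)
    if not os.path.isdir(release_dir):
        raise FileNotFoundError("no such staged release: %s" % release_dir)

    link_path = os.path.join(base_dir, link_name)
    tmp_link = link_path + ".tmp"
    if os.path.lexists(tmp_link):          # leftover from an interrupted deploy
        os.unlink(tmp_link)

    # Relative target keeps the tree relocatable (e.g. after a restore).
    os.symlink(os.path.join(RELEASES_SUBDIR, release_name), tmp_link)
    os.replace(tmp_link, link_path)        # the atomic swap
    return os.readlink(link_path)


def current_release(base_dir, link_name=LINK_NAME):
    """Return the release name the live symlink currently resolves to."""
    target = os.readlink(os.path.join(base_dir, link_name))
    return os.path.basename(target)


def rollback(base_dir, previous_release):
    """Rollback is just a deploy of the previously verified release."""
    return deploy_release(base_dir, previous_release)


def _read_version(base_dir):
    with open(os.path.join(base_dir, LINK_NAME, "VERSION")) as fh:
        return fh.read().strip()


def demo():
    """Stage two constructed releases, cut over, roll back; return what
    a reader of <base>/current/VERSION would have seen at each step."""
    base = tempfile.mkdtemp()
    try:
        for name, version in (("v1", "1.0"), ("v2", "1.1")):
            d = os.path.join(base, RELEASES_SUBDIR, name)
            os.makedirs(d)
            with open(os.path.join(d, "VERSION"), "w") as fh:
                fh.write(version)

        seen = []
        deploy_release(base, "v1")
        seen.append((current_release(base), _read_version(base)))
        deploy_release(base, "v2")            # upgrade goes live
        seen.append((current_release(base), _read_version(base)))
        rollback(base, "v1")                  # upgrade broke something
        seen.append((current_release(base), _read_version(base)))
        return seen
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, version in demo():
        print(name, version)
```

The swap only covers the code tree; the comment's other requirement, that the new version tolerate (and upgrade on the fly) data written by the old one, is what makes the rollback safe, and that has to be designed into the application's schema changes rather than the deploy script.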

  24. Re:Sigh. Another Vulnerable PHP Service by Rexdude · · Score: 1

    Given that vBulletin/phpBB have been around since the early 2000s, I'm guessing there's a lot of legacy code, wouldn't be surprised if they're still running CVS or Subversion without independent repositories like git has. They were not well designed with upgrades in mind. Newer forum software like Discourse are better that way, but again are only optimized for touch screens. Giant amounts of whitespace, infinite scroll and other features annoying and wasteful of screen estate for desktop users.

    --
    "..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
  25. Re:It's OK, Steam keys are mostly useless by Anonymous Coward · · Score: 0

    Clearly I'm not the only person in the world with this problem, e.g.:
    https://games.slashdot.org/com...

    A 10 second Google search of Steam forums will net you about 7,000 other complaints:
    Steam key won't activate site:forums.steampowered.com

  26. Re:This was NSA (Lizard Squad) [FUCK YOU FBI TOO] by D00MSlayer · · Score: 1

    I like how I get down-scored for pointing out a trolls' false logic. Keep it classy, mods.