Millions Of Steam Game Keys Stolen After Hacker Breaches Gaming Site

An anonymous reader writes:A little over nine million keys used to redeem and activate games on the Steam platform were stolen by a hacker who breached a gaming news site last month. The site, DLH.net, provides news, reviews, cheat codes, and forums, was breached on July 31 by an unnamed hacker, whose name isn't known but was also responsible for the Dota 2 forum breach. The site also allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database. A known vulnerability found in older vBulletin forum software, which powers the site's community, allowed the hacker to access the databases. The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.

Sooooo

if they know the keys were stolen, can't they invalidate them????

Re:Sooooo

[OverlordQ]

Becuase they'd have to reissue them to the original owner

Re:Sooooo

[pushing-robot]

Chances are most of them were already used by the intended recipient.

If I got a key from a gray market service like this I'd certainly waste no time redeeming it.

Re:Sooooo

[sexconker]

These are keys that people are reselling/trading. Publishers, developers, and Steam don't like that.

Many of these keys are likely stolen or farmed in the first place, or included as part of a "Humble Bundle" which expressly "forbids" you from reselling/trading individual keys.

Re:Sooooo

[xlsior]

if they know the keys were stolen, can't they invalidate them????

Just because they got stolen, doesn't necessary mean that someone else didn't already own them. Invalidating them may also burn the original purchaser when they try to activate them down the road.

(For example, I myself have a few dozen steam keys that I haven't activated yet, most of which I received as part of past Humble Bundles, and some through kickstarter)

Re:Sooooo

[rtb61]

Doesn't really affect the original owner as it is not just a key but a key tied to a user and password. They can try stealing and selling user accounts and that would cause Steam massive problems as they would be penalised in many countries for affecting the accounts of customers. Just because you haven't used a purchased key, does not mean that key is not already tied to your account and your specific hardware.

Just a warning to everyone, lots of little databases are a hassle and cost more to administer but when one it broken and tiny bit of information is stolen. Big databases with everything in it, including the kitchen sink, cheaper to administer but when it gets broken into you lose everything. Just another typical event in the war between idiot bean counters who know nothing and intelligent risk assessing network admins.

Steam down ATM

[bignetbuy]

Related or no? I'm unable to access any Steam functions other than games at the moment. No discussions. No store. No community page. Can access other sites fine though.

Re:Steam down ATM

[D00MSlayer]

So we can blame Steam functionality issues on the NSA?

Millions of free Steam codes on a review site

No incentive for favorable reviews there.. no siree bob. /sarcasm

Re:Millions of free Steam codes on a review site

[Sowelu]

If you read the article, they were stolen from forums where users commonly traded them (eg I have a key for this game that I bought on sale but haven't used, I want a copy of that game, who wants to trade)

Bound to happen

[WolfgangVL]

An online community the size of steam is a big target. DLH.net and Steam both should have known better.

The keys though, they are already tied to the account that paid for them right? Are they useful for anything?

I've been expecting something like this for a while. Now expect big changes in the steam API.

Re:Bound to happen

[Nemyst]

Redeemable keys used for sharing have not been redeemed and can therefore be used by anybody without any action of whoever actually purchased/obtained the key.

Re:Bound to happen

[tsotha]

I don't see Valve has any reason to change anything. If Walmart sells you a boxed game and someone steals it out of your car, is this Walmart's problem?

Re:Bound to happen

[WolfgangVL]

The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.

If it was made easier to steal from your car because Walmarts webAPI connected to the cars insecure messaging system and enabled the thief to steal the keys from your ignition, grab a copy of your drivers license, find your date of birth, dealership username, and daily driving activity, I think its safe to assume some changes are coming.

Re:Bound to happen

[tsotha]

I don't understand how the quote is relevant. The only thing related to the Steam API is user names, and they don't have the Steam passwords. What changes to the API should Valve be making?

Re:Bound to happen

[WolfgangVL]

Start with sharing less data? I know that's kind of the point of the API to begin with, but leaking is leaking, even if its just usernames. Maybe they will decide, like you say, nothing to do with Steam/Valve..... or maybe they obfuscate the usernames in some way? I don't really know, its not my show. At a minimum would I expect some kind of periodic security re-qualification for connected public facing sites.

If it was my show, I'd be looking very carefully at ANY data that leaves my control via ANY interface..... especially data directly related to my customers and clients that can find its way into some other database. Its not my show though, I'm just another armchair heckler watching it burn.

Re:Bound to happen

[tsotha]

Again, what Steam data was involved in this breach?

Re:Bound to happen

[spacepimp]

Exactly which part of Steam Information was involved here? Are you aware this is a forum on an unrelated gaming website which was hacked. Your comment is simplistic enough that it would have the federal government be liable if people were writing their social security number on their bumper sticker.

Re:Bound to happen

[WolfgangVL]

I guess I'm eating crow on this one. Article read as steam usernames and user activity data. Comma makes all the difference.

So its another case of users sharing PI with a 3rd party site who loses it. Reading is fundamental.

wow

[eyenot]

See, I just *knew* that deactivating my facebook this week would pay off almost immediately.

Sigh. Another Vulnerable PHP Service

[dgatwood]

I've pretty much concluded that all the PHP-based bulletin boards are a security nightmare. Even the ones that are small enough to audit tend to be filled with old-style mysql_query calls and other horrors of the past.

The best thing about PHP 7, in my view, is that they're finally killing the old MySQL API. They should have done that years ago. Now, you'll be able to tell which software is reasonably up-to-date based on whether it supports PHP 7 or not. Incidentally, vBulletin's website says that it still doesn't. That's probably not a good sign. :-)

Sharing keys? So many questions

[Sumus+Semper+Una]

Ok, apparently I don't have enough friends who also use Steam to know about this. I myself have a Steam account and was under the impression that a key is a one-time use code to activate a game in your account. If that's true, why in the world would you want to share a Steam game key? And even if you did share one, isn't there a finite amount of time until whoever you shared it with activates it and it's no longer useful to anyone else? Why would there be millions of unredeemed Steam game keys lying around in a FORUM database?!

Anyone at all have information that can shed some light on a few more of the technical details? Because TFA is pretty much a verbatim copy of the summary.

Re:Sharing keys? So many questions

[pushing-robot]

People sometimes get free or discounted keys and want to sell or trade them for games they actually want.

No one said there were millions of *unredeemed* keys stolen, just millions of keys. It's likely 99% of people who got keys through DLH used them immediately and the codes are meaningless now.

Re:Sharing keys? So many questions

[Sumus+Semper+Una]

Ok, that makes WAY more sense. Thanks!

Re:Everybody's gettin' fat except Mama Cass

[sims+2]

I remember /. was breached twice several years ago. I haven't been here in several years so if there have been any since then I haven't heard.

Re:bolted

To clarify they for you, in this case it is DLH.net that was hacked via a PHP bulletin board issue, not Steam. To the best of my knowledge, DLH did not put out a browser. Steam on the other hand, appears to use a fork of Chromium/WebKit for their browser, so they didn't really develop one, either, they just took an existing one and bolted it in.

For what it's worth, Steam doesn't trust browsers very much, either. The only way you can redeem a game code is through their client. Probably to prevent a hacker from devising an automated attack against it.

Thank goodness

[PopeRatzo]

Now I can deny having actually played GTA V for 368 hours. "It was the guy who hacked my account, honey!"

Re:Thank goodness

[Captain+Splendid]

Now I can deny having actually played GTA V for 368 hours.

Pfff, punk! Call me when you have 6K hours on a game!

What exactly does that mean?

[TheRealMindChild]

Facebook access tokens were stolen for those who signed in with their social account.

What exactly does that mean?

Re:What exactly does that mean?

[ADRA]

Oauth tokens. Potentially giving access to all shared data given to the site from fb (emails, maybe given name, contacts?). Of course this is a non-issue if FB invalidates the application token granted to the specified web site.

Meh ...

[jodokast98]

Most of the keys were for so-so games, nothing really AAA and got to have. Nothing of Value was lost. It's a good thing I used my spam email and spam facebook acount for things like this.

Re:It's OK, Steam keys are mostly useless

[sexconker]

Uh, this isn't true in my experience with the various Sword of the Stars bundles in my experience.

Re:Sigh. Another Vulnerable PHP Service

[Rexdude]

Even if they did update it, it still won't matter unless every single vBulletin forum admin out there also decides to update as well. There are hundreds of forums running obsolete versions of it.

Re:DLH Response

[spacepimp]

This is a wrong information.

Re:Sigh. Another Vulnerable PHP Service

[dgatwood]

The thing is, lack of upgrades usually indicates a design problem. For services like this, the software should be distributed using git so that local changes can be merged sanely. Instead, most of these bulletin boards involve moving aside the existing installation, extracting a tarball, and running some sort of installer script that does who-knows-what. So upgrading can be nightmarish for sites that involve any sort of customization.

Also, this sort of software should be designed in such a way that it never makes backwards-incompatible changes to data structures, at least for a reasonable period of time (say a year or two). It should be possible to clone your installation to a new directory, apply the patches to the new version, start it up, and let it add additional database fields, etc. as needed, but the new version should be tolerant of partial data created by the old version (and should upgrade it on the fly), and should create data in such a way that the old version can still read it. This ensures that you can test the migration to a new version without having to set up a full clone of your entire infrastructure, with the ability to roll back if it breaks something.

And ideally, a built-in upgrade scheme should be designed into the software. For example, it could have a script that clones itself into a directory beside the original and does a "git pull" in that subdirectory. After you fix any conflicts, it should let you access the new version by symlinking the new version into a subdirectory in the original version's tree. When you're satisfied, it should provide a one-button command that atomically deploys the new version by swapping out the symlink that currently points to the old version with a symlink that points to the new version.

Oh, and it should check for updates automatically and email the admin every time there's an update. And it should allow you to auto-upgrade (with automatic email notification if the upgrade fails because of git conflicts) if you configure it to do so. And it should also have an intermediate mode that always keeps the latest version ready to preview but doesn't enable the upgrade, for folks who want to verify the updates manually, but still want to be ready to quickly install security updates when they find out about an exploit.

With such a design, these systems would stay up-to-date much more consistently.

Re:Sigh. Another Vulnerable PHP Service

[Rexdude]

Given that vBulletin/phpBB have been around since the early 2000s, I'm guessing there's a lot of legacy code, wouldn't be surprised if they're still running CVS or Subversion without independent repositories like git has. They were not well designed with upgrades in mind. Newer forum software like Discourse are better that way, but again are only optimized for touch screens. Giant amounts of whitespace, infinite scroll and other features annoying and wasteful of screen estate for desktop users.

Re:This was NSA (Lizard Squad) [FUCK YOU FBI TOO]

[D00MSlayer]

I like how I get down-scored for pointing out a trolls' false logic. Keep it classy, mods.