Slashdot Mirror


Millions Of Steam Game Keys Stolen After Hacker Breaches Gaming Site (zdnet.com)

An anonymous reader writes: A little over nine million keys used to redeem and activate games on the Steam platform were stolen by a hacker who breached a gaming news site last month. The site, DLH.net, which provides news, reviews, cheat codes, and forums, was breached on July 31 by an unnamed hacker, whose name isn't known but who was also responsible for the Dota 2 forum breach. The site also allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database. A known vulnerability found in older vBulletin forum software, which powers the site's community, allowed the hacker to access the databases. The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.

15 of 68 comments

  1. Sooooo by Anonymous Coward · · Score: 4, Insightful

    if they know the keys were stolen, can't they invalidate them????

    1. Re:Sooooo by OverlordQ · · Score: 2

      Because they'd have to reissue them to the original owner

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:Sooooo by sexconker · · Score: 2

      These are keys that people are reselling/trading. Publishers, developers, and Steam don't like that.

      Many of these keys are likely stolen or farmed in the first place, or included as part of a "Humble Bundle" which expressly "forbids" you from reselling/trading individual keys.

    3. Re:Sooooo by xlsior · · Score: 2

      if they know the keys were stolen, can't they invalidate them????

      Just because they got stolen, doesn't necessarily mean that someone else didn't already own them. Invalidating them may also burn the original purchaser when they try to activate them down the road.

      (For example, I myself have a few dozen steam keys that I haven't activated yet, most of which I received as part of past Humble Bundles, and some through kickstarter)

  2. Steam down ATM by bignetbuy · · Score: 3, Interesting

    Related or no? I'm unable to access any Steam functions other than games at the moment. No discussions. No store. No community page. Can access other sites fine though.

  3. Bound to happen by WolfgangVL · · Score: 2

    An online community the size of steam is a big target. DLH.net and Steam both should have known better.

    The keys though, they are already tied to the account that paid for them right? Are they useful for anything?

    I've been expecting something like this for a while. Now expect big changes in the steam API.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
    1. Re:Bound to happen by Nemyst · · Score: 4, Interesting

      Redeemable keys used for sharing have not been redeemed and can therefore be used by anybody without any action of whoever actually purchased/obtained the key.

    2. Re:Bound to happen by tsotha · · Score: 2

      I don't see Valve has any reason to change anything. If Walmart sells you a boxed game and someone steals it out of your car, is this Walmart's problem?

    3. Re:Bound to happen by WolfgangVL · · Score: 2

      The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.

      If it was made easier to steal from your car because Walmart's webAPI connected to the car's insecure messaging system and enabled the thief to steal the keys from your ignition, grab a copy of your driver's license, find your date of birth, dealership username, and daily driving activity, I think it's safe to assume some changes are coming.

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
  4. Sigh. Another Vulnerable PHP Service by dgatwood · · Score: 4, Informative

    I've pretty much concluded that all the PHP-based bulletin boards are a security nightmare. Even the ones that are small enough to audit tend to be filled with old-style mysql_query calls and other horrors of the past.

    The best thing about PHP 7, in my view, is that they're finally killing the old MySQL API. They should have done that years ago. Now, you'll be able to tell which software is reasonably up-to-date based on whether it supports PHP 7 or not. Incidentally, vBulletin's website says that it still doesn't. That's probably not a good sign. :-)

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Re:Sharing keys? So many questions by pushing-robot · · Score: 3, Informative

    People sometimes get free or discounted keys and want to sell or trade them for games they actually want.

    No one said there were millions of *unredeemed* keys stolen, just millions of keys. It's likely 99% of people who got keys through DLH used them immediately and the codes are meaningless now.

    --
    How can I believe you when you tell me what I don't want to hear?
  6. Re:bolted by Anonymous Coward · · Score: 2, Interesting

    To clarify that for you, in this case it is DLH.net that was hacked via a PHP bulletin board issue, not Steam. To the best of my knowledge, DLH did not put out a browser. Steam on the other hand, appears to use a fork of Chromium/WebKit for their browser, so they didn't really develop one, either, they just took an existing one and bolted it in.

    For what it's worth, Steam doesn't trust browsers very much, either. The only way you can redeem a game code is through their client. Probably to prevent a hacker from devising an automated attack against it.

  7. Thank goodness by PopeRatzo · · Score: 2

    Now I can deny having actually played GTA V for 368 hours. "It was the guy who hacked my account, honey!"

    --
    You are welcome on my lawn.
  8. Re:What exactly does that mean? by ADRA · · Score: 3, Interesting

    OAuth tokens. Potentially giving access to all shared data given to the site from fb (emails, maybe given name, contacts?). Of course this is a non-issue if FB invalidates the application token granted to the specified web site.

    --
    Bye!
  9. Re:Millions of free Steam codes on a review site by Sowelu · · Score: 2

    If you read the article, they were stolen from forums where users commonly traded them (e.g. I have a key for this game that I bought on sale but haven't used, I want a copy of that game, who wants to trade).