Slashdot Mirror

← Back to Stories (view on slashdot.org)

Millions Of Steam Game Keys Stolen After Hacker Breaches Gaming Site (zdnet.com)

Posted by msmash on from the security-woes dept.

An anonymous reader writes:A little over nine million keys used to redeem and activate games on the Steam platform were stolen by a hacker who breached a gaming news site last month. The site, DLH.net, provides news, reviews, cheat codes, and forums, was breached on July 31 by an unnamed hacker, whose name isn't known but was also responsible for the Dota 2 forum breach. The site also allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database. A known vulnerability found in older vBulletin forum software, which powers the site's community, allowed the hacker to access the databases. The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.

6 of 68 comments (clear)

  1. Sooooo by Anonymous Coward · · Score: 4, Insightful

    if they know the keys were stolen, can't they invalidate them????

  2. Steam down ATM by bignetbuy · · Score: 3, Interesting

    Related or no? I'm unable to access any Steam functions other than games at the moment. No discussions. No store. No community page. Can access other sites fine though.

  3. Sigh. Another Vulnerable PHP Service by dgatwood · · Score: 4, Informative

    I've pretty much concluded that all the PHP-based bulletin boards are a security nightmare. Even the ones that are small enough to audit tend to be filled with old-style mysql_query calls and other horrors of the past.

    The best thing about PHP 7, in my view, is that they're finally killing the old MySQL API. They should have done that years ago. Now, you'll be able to tell which software is reasonably up-to-date based on whether it supports PHP 7 or not. Incidentally, vBulletin's website says that it still doesn't. That's probably not a good sign. :-)

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  4. Re:Sharing keys? So many questions by pushing-robot · · Score: 3, Informative

    People sometimes get free or discounted keys and want to sell or trade them for games they actually want.

    No one said there were millions of *unredeemed* keys stolen, just millions of keys. It's likely 99% of people who got keys through DLH used them immediately and the codes are meaningless now.

    --
    How can I believe you when you tell me what I don't want to hear?
  5. Re:Bound to happen by Nemyst · · Score: 4, Interesting

    Redeemable keys used for sharing have not been redeemed and can therefore be used by anybody without any action of whoever actually purchased/obtained the key.

  6. Re:What exactly does that mean? by ADRA · · Score: 3, Interesting

    Oauth tokens. Potentially giving access to all shared data given to the site from fb (emails, maybe given name, contacts?). Of course this is a non-issue if FB invalidates the application token granted to the specified web site.

    --
    Bye!