Millions Of Steam Game Keys Stolen After Hacker Breaches Gaming Site

An anonymous reader writes:A little over nine million keys used to redeem and activate games on the Steam platform were stolen by a hacker who breached a gaming news site last month. The site, DLH.net, provides news, reviews, cheat codes, and forums, was breached on July 31 by an unnamed hacker, whose name isn't known but was also responsible for the Dota 2 forum breach. The site also allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database. A known vulnerability found in older vBulletin forum software, which powers the site's community, allowed the hacker to access the databases. The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.

Sooooo

if they know the keys were stolen, can't they invalidate them????

Sigh. Another Vulnerable PHP Service

[dgatwood]

I've pretty much concluded that all the PHP-based bulletin boards are a security nightmare. Even the ones that are small enough to audit tend to be filled with old-style mysql_query calls and other horrors of the past.

The best thing about PHP 7, in my view, is that they're finally killing the old MySQL API. They should have done that years ago. Now, you'll be able to tell which software is reasonably up-to-date based on whether it supports PHP 7 or not. Incidentally, vBulletin's website says that it still doesn't. That's probably not a good sign. :-)

Re:Bound to happen

[Nemyst]

Redeemable keys used for sharing have not been redeemed and can therefore be used by anybody without any action of whoever actually purchased/obtained the key.