Dota 2 Forum members credentials exposed in a hack, almost 2 million members affected

Dota is one of the most popular games in the world, with monthly unique players reaching 12 million. Given the large number of players, it goes without saying that the game’s official developer forum has a huge number of subscribers. Unfortunately, if you are one of the forum members, consider changing your login credentials. A new report by LeakedSource indicates a hacker breached the forum, exposing 1,923,972 accounts.

LeakedSource reports receiving a copy of the leaked database from an anonymous source. The Dota 2 forum accounts exposed in the July 10, 2016, breach contain the IP address, username, password and user identifier of each member. The hacker exploited a vulnerability in the vBulletin forum software running the site through an SQL injection. How many times will forum operators be told to update the vBulletin forum software?

Older versions of the vBulletin software have an SQL injection vulnerability, which is not news considering the number of forum breaches we have had connected to the software. The vulnerability allows hackers to slip SQL statements into an input field, which the database then executes as commands. In the case of the Dota 2 forum hack, the SQL injection commanded the software to write the forum database content into a downloadable file. SQL, in case you do not know, is the language used to query and manage databases, and it is common to most database management systems.

It is a little careless for a forum in 2016 to have passwords hashed and salted using the MD5 algorithm. It is by now common knowledge that MD5 is a weak hashing algorithm that is far too fast to protect passwords. By the time LeakedSource reported the breach, it claimed to have already cracked 80% of the salted hashes back to plain-text passwords. About four years ago the developer of the MD5 algorithm acknowledged that it is no longer secure.
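As an added example (not code from the forum, vBulletin or LeakedSource), here is how a site still holding salted-MD5 hashes can keep verifying logins against them while transparently re-hashing each account with PBKDF2 on its next successful login, plus an audit helper for counting accounts still on the weak scheme. The salted-MD5 layout, the record format, the scheme names and the PBKDF2 settings are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme named in the article: salted MD5. The concatenation order
# (password + salt) is an assumption, not vBulletin's actual layout.
def legacy_md5_hash(password: str, salt: str) -> str:
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()

# Replacement: PBKDF2-HMAC-SHA256 with a random per-user salt and a high
# iteration count, stored as a self-describing "$"-separated string.
PBKDF2_ITERATIONS = 600_000  # assumed cost; tune to your hardware

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, _dk_hex = stored.split("$")
    recomputed = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)  # constant-time compare

def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Check a login; on success, migrate a legacy row to PBKDF2.

    record: {"scheme": "md5_salted", "salt": str, "hash": str}
         or {"scheme": "pbkdf2", "hash": str}
    Returns (login_ok, record_to_store).
    """
    if record["scheme"] == "pbkdf2":
        return pbkdf2_verify(password, record["hash"]), record
    if record["scheme"] == "md5_salted":
        expected = legacy_md5_hash(password, record["salt"])
        if hmac.compare_digest(expected, record["hash"]):
            # The plaintext is only available at login, so re-hash it now.
            return True, {"scheme": "pbkdf2", "hash": pbkdf2_hash(password)}
        return False, record
    raise ValueError(f"unknown password scheme {record['scheme']!r}")

def legacy_record_count(records: list) -> int:
    """Audit helper: how many accounts still sit on the weak MD5 scheme."""
    return sum(1 for r in records if r["scheme"] != "pbkdf2")

if __name__ == "__main__":
    # Constructed sample row, not data from the breach.
    alice = {"scheme": "md5_salted", "salt": "k3Zq",
             "hash": legacy_md5_hash("hunter2", "k3Zq")}
    ok, alice = verify_and_upgrade(alice, "hunter2")
    print(ok, alice["scheme"])  # True pbkdf2
```

Accounts that never log in again are never upgraded, which is why the audit count matters: those rows still need a forced reset, as Valve did here.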

About 56 email domains were used by members of the official Dota 2 forum. Gmail was, unsurprisingly, the most popular, with 1,086,139 members using Gmail addresses to register on the forum. Other domains include Yahoo, Hotmail, MSN, Outlook, Ymail and more. Intriguingly, the list of emails also included temporary or disposable addresses. Those users likely created such accounts specifically for the forum.

Dota 2’s developer, Valve, acknowledged the hack in a discussion thread on the forum and has since forced a password change for all users. “The database breach relates to Dota 2 Dev forum at dev.dota2.com only. The breach did not expose any Steam credentials, payment credentials or other confidential information of the users,” Valve said.

To check whether your Dota 2 Dev forum credentials were breached, visit LeakedSource and enter your email address.