Dota 2 forum breach leaks 2 million user accounts

The unnamed hacker took usernames, email addresses, and passwords.
Written by Zack Whittaker, Contributor

(Image: ZDNet/file photo)

A hacker has taken off with almost two million accounts associated with the forum for popular online multiplayer game, Dota 2.

The hack was carried out last month on July 10. The copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data.

The hacker took advantage of an SQL injection vulnerability used by the older vBulletin forum software, which powers the community.

That allowed them to access the database of limited user data, such as username, email, IP address of the user.

The data also includes the user's hashed password -- which uses the MD5 algorithm, which is widely considered insecure by today's standards, alongside the salt, used to scramble the password further. A member of the LeakedSource group told me that 1.54 million of the passwords -- or about 80 percent -- have already been unscrambled using rudimentary and run-of-the-mill cracking tools.

But it's not thought that the hack is related to similar breaches around the same time, given that the vulnerabilities used to attack the forum software are widely known among underground hacker groups.

LeakedSource added the breached data into its database, which lets possible victims of the breach search their data.

In a blog post analyzing the data, the breach notification group said that more than half of all users joined with a Gmail email account.

A number of the accounts -- many tens of thousands -- are disposable emails, the group said.

Valve, which develops the game, did not respond to a request for comment prior to publication.

Editorial standards