Dota 2 forums fall under hackers' spell, 1.9m accounts teleported out

And 80 per cent of MD5-hashed passwords cracked

The chat forums for Valve’s multiplayer fantasy battle game thing Dota 2 have been hacked, it appears.

The security breach – which apparently happened on 10 July but has only just come to light via Leaked Source – exposed more than 1.9 million account records containing email addresses, IP addresses, usernames and passwords. The message board is powered by vBulletin, which this month issued patches to fix up security weaknesses in the software.

The passwords were salted and hashed albeit with MD5, which is stupidly easy to crack. Leaked Source claims it was able to reverse lookup more than 80 per cent of the hashes, revealing their original plaintext passwords.

The intrusion leaves forum users open to credential stuffing: anyone who has reused their password and email address on another site is likely to have that other site's account compromised, too. There’s also a heightened risk of more convincing phishing emails because now miscreants know your username and email address.

“The data was hashed with an MD5 algorithm, the same coding that was used on the Yahoo customer data that was recently found for sale on the dark web, and Leaked Source claims to have had no trouble in reading the information,” said Trent Telford, chief exec at infosec outfit Covata. “Businesses need to understand that hackers are utilising ever-more sophisticated tools and techniques, and basic encryption barely represents a challenge.

“Instead, they must adopt technology that provides robust encryption, scrambling individual packets of data at source, and incorporating granular access controls and policy management.” ®


Biting the hand that feeds IT © 1998–2017