August 12, 2016

DotA 2 forums leak 2 million passwords

On August 9, 2016, LeakedSource revealed that almost 2,000,000 accounts on the official Dota 2 forum were compromised. What does that mean for you?

If you are not into Dota 2, it won’t affect you at all. But, given the stats, you’ve probably played it at least once or twice. Dota 2 is one of the most popular online multiplayer games, with more than 13,000,000 unique players per month and about 600,000 per day. For many, Dota 2 became synonymous with MOBA, aka Multiplayer Online Battle Arena, and Dota is probably the first thing that comes to mind when someone mentions online gaming.

With so many players all over the world, it’s not surprising that Dota 2 has a huge fan community. Fans don’t just play the game, they also spend a lot of time talking about it and watching the championships. By the way, the main annual Dota 2 event, The International, is happening right now and has just reached the semifinals stage. When we say Dota 2 is big, we mean really big: The prize pool for this year’s The International is more than $20,000,000.

Passwords? Get over here!

Where there is money, there are cybercriminals. And so the Dota 2 official forum was hacked. It happened on July 10, 2016, and resulted in the leakage of a database with almost 2 million records containing user names and IDs, e-mails, IP addresses, and — you guessed it — passwords.

The hack happened silently — nobody noticed it at the time, and the community didn’t learn about it until August 9, the second day of The International.

Valve, the owner and creator of Dota 2, claims that the stolen database contains only forum accounts and that no Steam accounts were compromised. But Valve is still to blame for the incident: As the Inquirer notes, the passwords were stored using MD5 hashing with salt, and MD5 is now widely considered outdated. Case in point: LeakedSource was able to convert over 80 per cent of the hacked passwords to their plaintext values.
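For site operators still holding salted MD5 records like the ones described above, the sketch below shows one common way out: verify against the old record at login and immediately replace it with a deliberately slow hash. It is an added example, not code from Valve, the forum software or this article. The `md5(salt + password)` layout, the `scheme$...` record format, the function names and the PBKDF2 work factor are all assumptions, since the article says only "MD5 with salt".

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000


def legacy_md5(password, salt):
    """Legacy record. Assumed layout: md5(salt || password)."""
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$" + salt.hex() + "$" + digest


def slow_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Replacement record: per-user random salt plus a costly key derivation."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_and_upgrade(password, stored):
    """Return (ok, record_to_store).

    A correct login against a legacy MD5 record returns a fresh PBKDF2
    record, so the weak hash is gone from the database after that login.
    """
    scheme, *parts = stored.split("$")
    if scheme == "md5":
        salt = bytes.fromhex(parts[0])
        ok = hmac.compare_digest(legacy_md5(password, salt), stored)
        return ok, (slow_hash(password) if ok else stored)
    if scheme == "pbkdf2":
        iterations, salt = int(parts[0]), bytes.fromhex(parts[1])
        ok = hmac.compare_digest(slow_hash(password, salt, iterations), stored)
        return ok, stored
    return False, stored  # unknown scheme: reject, leave the record alone


if __name__ == "__main__":
    # Constructed sample record, not taken from the leaked database.
    old = legacy_md5("correct horse", bytes.fromhex("a1b2c3d4"))
    ok, new = verify_and_upgrade("correct horse", old)
    print(ok, new.split("$")[0])
```

Accounts that never log in again keep their MD5 record under this scheme, so it is usually paired with a forced reset for dormant accounts.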

The hack is bad on its own, but it could have even worse consequences. Users tend to reuse logins and passwords. Remember when Mark Zuckerberg’s Twitter account was hijacked using the password that was leaked in the LinkedIn hack? The same thing is bound to happen (or has already happened) here. Some of the user names and passwords on the forum probably match the user names and passwords for their Steam accounts. So we would not be surprised to see a spike in Steam account hijacking.

What if they get me?

We hope that nothing bad has happened to your accounts, but here are a few tips to ensure they continue to stay safe and sound.

1. If you are a Dota 2 forum user, change your password there. Remember to make it strong enough.

2. Check to see if LeakedSource has information about your account. If so, you’ll probably want to delete it.

3. If you have used the same password anywhere else, change all of your passwords. And learn how to handle them properly — we have a blog post about that for you.

4. To further protect your Steam account, enable two-factor authentication using Steam Guard.

5. After you have completed those four critical steps, it’s a good idea to get educated about other threats in the world of computer games. We — wait for it — have a post about that as well.