While players of Valve Corporation's online battle arena game Dota 2 were busy fighting each other for supremacy, a real-life adversary recently pulled off his own conquest, stealing 1,923,972 account records from the official Dota 2 forum's database.
In an Aug. 9 blog post, data breach notification site LeakedSource.com disclosed the breach, which occurred on July 10. Each pilfered record included an email address, IP address, username, user identifier and password. Although the passwords were salted and hashed, the hashing scheme was weak (a fast general-purpose hash rather than a purpose-built, deliberately slow password hash), allowing LeakedSource.com to crack more than 80 percent of them.
"Unfortunately, this yet again demonstrates that 'good enough' is not good enough when it comes to security. Data persists, so even if you've taken steps to protect that information, hackers may have the tools to negate these defenses six months, one year or three years down the line," said Jacob Ginsberg, senior director at email encryption software company Echoworx, in comments emailed to SCMagazine.com. "Simple hashing of passwords isn't enough – using strong encryption should be a prerequisite for any organization handling account information."
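The two paragraphs above turn on a point worth seeing in code: a salt stops precomputed tables, but if the underlying hash is fast, an attacker holding the leaked hash and salt can still try millions of guesses per second per account. The remedy is not encryption (which would just move the problem to key storage) but a slow, purpose-built password hash. The following added example, which is not code from the article, LeakedSource or vBulletin, builds a legacy-style salted MD5 (the md5(md5(password) + salt) layout is an assumption for illustration) beside PBKDF2-HMAC-SHA256 with the 600,000 iterations OWASP currently recommends, and runs the same offline dictionary attack against both. The wordlist and user password are constructed sample data.

```python
import hashlib
import secrets
import time

# Constructed sample data for the demo (not records from the breach).
WORDLIST = ["123456", "password", "dota2", "letmein", "qwerty", "hunter2"]
USER_PASSWORD = "dota2"
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def legacy_salted_md5(password: str, salt: str) -> str:
    """Fast salted hash in the style of older forum software.

    Assumption for illustration: md5(md5(password) + salt). The per-user salt
    defeats rainbow tables, but each guess costs one MD5 (microseconds), so a
    dictionary attack on a leaked record is cheap.
    """
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def pbkdf2_sha256(password: str, salt: str) -> str:
    """Purpose-built password hash: same salt, but every guess costs 600k HMAC rounds."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), PBKDF2_ITERATIONS
    )
    return digest.hex()


def dictionary_attack(stored_hash: str, salt: str, hash_fn, wordlist=WORDLIST):
    """Offline attack on a leaked record.

    The salt is stored next to the hash, so the attacker knows it; the only
    cost per guess is the hash function itself.
    Returns (recovered_password_or_None, guesses_per_second).
    """
    start = time.perf_counter()
    guesses = 0
    found = None
    for candidate in wordlist:
        guesses += 1
        if hash_fn(candidate, salt) == stored_hash:
            found = candidate
            break
    elapsed = max(time.perf_counter() - start, 1e-9)
    return found, guesses / elapsed


def compare_schemes():
    """Hash the same password under both schemes, attack both, report results."""
    salt = secrets.token_hex(8)  # random per-user salt, as both schemes should use
    results = {}
    for name, fn in (("salted_md5", legacy_salted_md5), ("pbkdf2_sha256", pbkdf2_sha256)):
        stored = fn(USER_PASSWORD, salt)
        found, rate = dictionary_attack(stored, salt, fn)
        results[name] = {"recovered": found, "guesses_per_second": rate}
    return results


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:14s} recovered={r['recovered']!r} "
              f"rate={r['guesses_per_second']:,.0f} guesses/s")
```

Both schemes give up a weak password like "dota2" to a dictionary attack; the difference is the rate. The salted MD5 is searched at hundreds of thousands of guesses per second even in pure Python (far more on GPU hardware), while PBKDF2 at this work factor manages only a few guesses per second, which is what turns an 80 percent recovery into a small fraction of the weakest passwords. Argon2id, scrypt or bcrypt would serve the same role; the point is the per-guess cost, not the salt.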
ZDNet has reported that the attacker leveraged a SQL injection vulnerability in the software that runs the affected forum. Forum software developer vBulletin Solutions stated in an Aug. 9 post that the vulnerability was patched, user account passwords were reset, and no payment information or gaming credentials were stolen.
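The article does not describe the specific vBulletin flaw, so the following is a generic illustration of the bug class rather than vBulletin's code: an added example (mine, not from the article or vBulletin) using an in-memory SQLite table with constructed user rows. The first lookup splices the supplied username straight into the SQL string, so a crafted value both bypasses the filter and, via UNION, pulls password hashes and salts out of the same table, which is exactly the kind of bulk dump the breach produced. The second lookup uses a bound parameter, and the same payloads are treated as a literal username.

```python
import sqlite3

# Constructed sample users; hash/salt values are placeholders, not real data.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "5f4dcc3b5aa765d61d8327deb882cf99", "a1b2"),
    ("bob", "bob@example.com", "e10adc3949ba59abbe56e057f20f883e", "c3d4"),
    ("carol", "carol@example.com", "25d55ad283aa400af464c76d713c07ad", "e5f6"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway forum-style user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, password TEXT, salt TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (username, email, password, salt) VALUES (?, ?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def find_user_vulnerable(conn, username: str):
    """VULNERABLE: user input is concatenated into the query text."""
    sql = "SELECT username, email FROM user WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str):
    """Parameterized query: the driver binds the value, it never becomes SQL."""
    return conn.execute(
        "SELECT username, email FROM user WHERE username = ?", (username,)
    ).fetchall()


# Payloads an attacker would send in the username field.
BYPASS_PAYLOAD = "' OR '1'='1"                       # matches every row
DUMP_PAYLOAD = "' UNION SELECT password, salt FROM user --"  # exfiltrates hash+salt


def demo():
    conn = make_db()
    return {
        "vuln_bypass": find_user_vulnerable(conn, BYPASS_PAYLOAD),
        "vuln_dump": find_user_vulnerable(conn, DUMP_PAYLOAD),
        "safe_bypass": find_user_safe(conn, BYPASS_PAYLOAD),
        "safe_dump": find_user_safe(conn, DUMP_PAYLOAD),
        "safe_normal": find_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:12s} -> {rows}")
```

The UNION payload is the one that matters for a breach like this: the two selected columns line up with the query's own (username, email) pair, so the "search result" the application renders is a list of hash/salt pairs, one request per page of results. Parameter binding removes the whole class; input filtering of quote characters does not, since other injection contexts (numeric fields, ORDER BY clauses) need no quote at all.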
The vast majority of compromised forum accounts – nearly 1.1 million – were registered via Gmail.