Dota 2 Forum Hack Leaks Nearly 2 Million Passwords

As Dota 2's The International -- a massively viewed eSports tournament pitting top players of the multiplayer online battle arena game Dota 2 against one another -- takes place this week, the festivities have been soured by news of nefarious players at work.

Yesterday (Aug. 9), data-breach notification site LeakedSource revealed that an attacker had stolen account information pertaining to nearly 2 million users of the game's official message board.

Credit: Roman Kosolapov / Shutterstock.com

(Image credit: Roman Kosolapov / Shutterstock.com)

The  stolen information included 1,923,972 records, each of which consisted of "an email address, IP address, username, user identifier and one password," according to Leaked Source. To find out if your account was part of the breach, you can use the Leaked Source database search tool. If your account is listed, you can request it be purged from the Leaked Source database.

MORE: Here Are the Best PC Game Controllers

The Dota 2 forum passwords were stored not as plaintext, but as "hashes" of random-seeming letters and numbers that had been generated from each password using the MD5 one-way encryption algorithm. The hashes had been "salted" with a bit of extra data tossed in before encryption to further complicate password cracking.

LeakedSource said that effort wasn't enough, as it had purportedly matched "over 80 [percent] of them to their plaintext values."

MD5 is a relatively out-of-date and easy-to-crack hashing algorithm. Salting adds complexity, but the MD5 algorithm is simple enough so that a dedicated computer can whip through billions of combinations per second to find a match for each hash.

A ZDNet report said the attack on the Dota 2 forums was done using a SQL injection, though it didn't cite a source. If that's indeed what happened, it doesn't speak well of those who were in charge of the Dota 2 forums.

SQL injections are an old and relatively simple method for attacking a website. They can be done by "injecting" text into the database calls in a dynamically generated Web page's URL. If you see a "?" followed by a string of characters and equal signs in a Web address, that's a database call. Poorly configured websites will reveal confidential data with a properly configured text string placed right in a Web browser's address bar.

For the 95 percent of us who aren't PC gamers, Dota 2 is a very popular online battling game, and an authorized sequel to an unauthorized modification of World of Warcraft called Defense of the Ancients. Those kids walking the mall wearing black t-shirts will know all about it.

Data breaches such as the Dota 2 one are commonplace these days, and serve as a reminder to use best practices for passwords. For example, never recycle passwords across multiple accounts, because any user who used the same email address and password for his or her Dota 2 forum account as for an online bank account is probably in a frenzied panic at the moment.