{"id":12767,"date":"2016-08-12T09:00:59","date_gmt":"2016-08-12T13:00:59","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=12767"},"modified":"2019-11-15T06:54:33","modified_gmt":"2019-11-15T11:54:33","slug":"dota-2-hack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/dota-2-hack\/12767\/","title":{"rendered":"DotA 2 forums leak 2 million passwords"},"content":{"rendered":"

On August 9, 2016, LeakedSource revealed<\/a> that almost 2,000,000 accounts on the official Dota 2 forum<\/a> were compromised. What does that mean for you?<\/p>\n

If you are not into Dota 2, it won\u2019t affect you at all. But, given the stats, you\u2019ve probably played it at least once or twice. Dota 2 is one of the most popular online multiplayer games, with more than 13,000,000<\/a> unique players per month and about 600,000<\/a> per day. For many, Dota 2 became synonymous with MOBA, aka Multiplayer Online Battle Arena, and Dota is probably the first thing that comes to mind when someone mentions online gaming.<\/p>\n

With so many players all over the world, it\u2019s not surprising that Dota 2 has a huge fan community. Fans don\u2019t just play the game, they also spend a lot of time talking about it and watching the championships. By the way, the main annual Dota 2 event, The International, is happening right now and has just reached semifinals stage. When we say Dota 2 is big, we mean really big: The prize pool for this year\u2019s The International is more than $20,000,000.<\/p>\n

\"DotA<\/a><\/p>\n

Passwords? Get over here!<\/a><\/h3>\n

Where there is money, there are cybercriminals. And so the Dota 2 official forum was hacked. It happened on July 10, 2016, and resulted in the leakage of a database with almost 2 million records containing user names and IDs, e-mails, IP addresses, and \u2014 you guessed it \u2014 passwords.<\/p>\n

The hack happened silently \u2014 nobody noticed it at the time, and the community didn\u2019t learn about until August 9, the second day of The International.<\/p>\n

Valve, the owner and creator of Dota 2, claims that the stolen database contains only forum accounts and that no Steam accounts were compromised. But Valve is still to blame for the incident: As the Inquirer notes, the passwords were stored using MD5 hashing with salt, and MD5 is now widely considered outdated. Case in point: LeakedSource was able to convert over 80 per cent of the hacked passwords to their plaintext values.<\/p>\n

The hack is bad on its own, but it could have even worse consequences. Users tend to reuse logins and passwords. Remember when Mark Zuckerberg\u2019s Twitter account was hijacked using the password that was leaked in the LinkedIn hack<\/a>? The same thing is bound to happen (or has already happened) here. Some of the user names and passwords on the forum probably match the user names and passwords for their Steam accounts. So we would not be surprised to see a spike in Steam account hijacking.<\/p>\n

\n

#Steam<\/a> stealers: your account is their target: https:\/\/t.co\/37rshJ1Fay<\/a> #gaming<\/a> #gamesafe<\/a> pic.twitter.com\/hqFzlrJvCa<\/a><\/p>\n

\u2014 Kaspersky (@kaspersky) March 15, 2016<\/a><\/p><\/blockquote>\n