Years-old security flaw leads to Dota 2 forum hack that exposed 1.5M passwords
Valve’s Dota2.com used a security feature that has been broken for more than a decade.
The stolen data includes email addresses, IP addresses, usernames, and passwords. The passwords are hashed, meaning they were run through a scrambling function meant to keep the data safe, using the MD5 algorithm. MD5 is a long-antiquated and weak function that reportedly allowed LeakedSource “to convert over 80 percent” of the passwords to their true plain text values, a format anyone can read.
That amounts to over 1.5 million passwords stolen outright.
The weakness of MD5 isn’t new. In 2012, LinkedIn was hacked and 6.46 million passwords were exposed due to the weak MD5 algorithm. The software’s author said then—over four years ago—that the scrambler is “no longer considered safe.”
Worse yet, security expert Bruce Schneier said in 2005 and 2004 that “MD5 is broken” because a large number of passwords can be computed and decrypted by an attacker at rapid speed. That’s over a decade ago.
Why was Valve, the publisher of Dota 2 and the company behind the breached forum, relying on it for security in 2016?
The company has yet to respond to questions about its security.
The theft came in the lead-up to The International 2016, the game’s global championship, which boasts over $20 million in prize money, a record-breaking amount.
The forum was originally breached on July 10 through an SQL injection vulnerability in its vBulletin forum software, ZDNet reports. The hacked database ended up on LeakedSource.com, a site meant to chronicle breaches and give easy access to users searching for their own stolen credentials.
You can search LeakedSource.com to see if your credentials have been stolen. Users should immediately change their passwords if they may be impacted, especially if they share passwords across multiple sites. If you used your Dota2.com password anywhere else, change those, too.
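For site operators, the MD5 weakness described above comes down to storing a fast, unsalted digest. The following is an added example, not code from Valve, vBulletin, or the article: it puts a bare MD5 digest (an assumed legacy format, since the article does not give the forum's exact scheme) beside a salted PBKDF2 record and re-hashes legacy rows when a user logs in successfully. The record layout, function names, and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def md5_hash(password: str) -> str:
    """Weak scheme: one fast, unsalted MD5 pass (assumed legacy format)."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record never verifies
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement_record); legacy MD5 rows are re-hashed on login."""
    if "$" not in stored and len(stored) == 32:  # bare 32-hex digest = legacy MD5
        ok = hmac.compare_digest(md5_hash(password), stored.lower())
        return ok, (hash_password(password) if ok else None)
    return verify_password(password, stored), None


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(md5_hash(pw) == md5_hash(pw))            # same digest for every user
    print(hash_password(pw) == hash_password(pw))  # salts make records differ
    print(verify_and_upgrade(pw, md5_hash(pw))[0])
```

Because unsalted MD5 gives every user with the same password the same digest, one computed value matches all of them; the salted record removes that shortcut and the iteration count makes each guess expensive.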
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.