Hackers have breached the official developers forum of Dota 2, stealing the details of almost 2 million users including usernames, emails, user identifiers, passwords and IP addresses.

The hackers reportedly exploited a SQLi vulnerability in the forum’s vBulletin software. The hashed passwords used the outdated MD5 algorithm, which was declared ‘cryptographically broken and unsuitable for further use’ by the CMU Software Engineering Institute back in 2009. LeakedSource went on to crack 1.54 million of the scrambled passwords with rudimentary cracking tools. Security Experts commented below.

Thomas Fischer, Threat Researcher & Global Security Advocate at Digital Guardian:

Thomas Fischer“Valve Corporation, just like many successful gaming companies, helps facilitate discussion around its games through online forums. Because these forums are live and potentially owned and deployed by business units that are independent of the IT or security team, they are often left out of security audits. This means that forums often do not have the same layers of protection as the organisation’s core IT infrastructure.

“Herein lies the issue, as we learn and confirm every time an account database breach of this magnitude happens. The problem is exacerbated by the fact that many users of these services have the same passwords and account details across other systems. For example, these side community services are a potential weakness in the account security for the service or product they are connected to.

“This hack serves as a reminder that organisations need to both understand and review the security of all the services they provide and ensure they have an inventory of all those services, even if they sit outside the traditional IT purview.”

Ryan O’Leary, VP Threat Research Centre at WhiteHat Security:

Ryan O’Leary“SQL injection continues to be an easy avenue for hackers to cause harm or steal information from a database. According to our annual statistics report, around six per cent of websites have at least one SQL injection vulnerability. Six per cent may not seem like a large amount, but consider that six out of every 100 websites you use – that’s a staggeringly large amount – have this particularly nasty vulnerability.

“SQL injection is not the most difficult attack to execute. In fact, it’s one of the very first skills you learn when trying to attack a site, because of the prevalence of the flaw and ease of exploitation. Companies need to run a thorough vulnerability assessment and fix these critical, yet easy-to-exploit, vulnerabilities.”

“It seems that not a day goes by without news of a breach and now millions of emails and passwords are being sold like ice cream from a van. We’re never out of danger from a data breach of our personal information and passwords. As users, we need to take precautions against this. If your password for every website is unique, good job, you’re one of the few people that use a different password for each service they log into. It is essential that we as a user community practice stricter personal security to mitigate the impact of data breaches that will, inevitably, occur.”