With over 12 million monthly unique players, DOTA 2 is one of the most popular titles on the planet. Unsurprisingly, the game’s official developer forum is used by a lot of people. If you’re one of them, you may want to think about changing your login credentials, as a hacker has reportedly made off with the details of almost 2 million members.
Breach notification site LeakedSource received a copy of the database from an anonymous source. It reports that the hack took place on July 10, and that each Dota 2 forum member record contains an email address, IP address, username, user identifier, and one password.
ZDNet reports that the hacker was able to access the data thanks to an SQL injection vulnerability in the older vBulletin forum software.
Passwords on the forum were hashed with the MD5 algorithm and salted. MD5 is regarded as an outdated and insecure password scrambler – four years ago, the original developer said it should no longer be considered safe. LeakedSource said that around 80 percent of the passwords have been recovered to their plaintext values using simple cracking tools.
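For forum operators holding salted MD5 hashes like these, the sketch below (an added example, not code from the Dota 2 forum or vBulletin) shows one way to retire them: wrap every stored digest in scrypt immediately, then rehash the real password at the next successful login. The `md5(md5(password) + salt)` layout, the record fields and the scrypt parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters; tune them to your own hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password, salt):
    # Assumed legacy layout: md5(md5(password) + salt), hex encoded.
    # The article only says the hashes were MD5 and salted.
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def scrypt_hash(secret, salt):
    return hashlib.scrypt(secret, salt=salt, **SCRYPT)

def wrap_legacy(record):
    """Offline pass: protect a stored MD5 digest without knowing the password."""
    salt = os.urandom(16)
    return {"scheme": "scrypt(md5)", "md5_salt": record["salt"], "salt": salt,
            "hash": scrypt_hash(record["hash"].encode(), salt)}

def verify_and_upgrade(record, password):
    """Return (ok, record); on success the record is moved to plain scrypt."""
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(legacy_md5(password, record["salt"]), record["hash"])
    elif record["scheme"] == "scrypt(md5)":
        inner = legacy_md5(password, record["md5_salt"]).encode()
        ok = hmac.compare_digest(scrypt_hash(inner, record["salt"]), record["hash"])
    else:  # "scrypt"
        ok = hmac.compare_digest(scrypt_hash(password.encode(), record["salt"]),
                                 record["hash"])
    if ok and record["scheme"] != "scrypt":
        salt = os.urandom(16)
        record = {"scheme": "scrypt", "salt": salt,
                  "hash": scrypt_hash(password.encode(), salt)}
    return ok, record

if __name__ == "__main__":
    # Constructed sample record, not taken from any real database.
    row = {"scheme": "md5", "salt": "a1B", "hash": legacy_md5("hunter2", "a1B")}
    row = wrap_legacy(row)                      # no bare MD5 left at rest
    print(verify_and_upgrade(row, "wrong")[0])
    ok, row = verify_and_upgrade(row, "hunter2")
    print(ok, row["scheme"])
```

Wrapping first matters because accounts that never log in again would otherwise keep a bare MD5 digest in the database indefinitely.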
"We have recently been made aware that a vulnerability in the Dota 2 Dev forum software allowed access to the forum database," wrote the forum admins. "The vulnerability has been patched. The database contains email addresses, forum user names, salted forum password hashes, and forum posts."
"The database relates only to the Dota 2 Dev forums at dev.dota2.com, and does not contain any Steam credentials, payment information or any other private information related to your Steam account."
More than half the affected emails used Gmail accounts, and “a lot” were disposable addresses. You can use the LeakedSource search engine to see if your email or account has been hacked.