Hacker Breaches Gaming Site, Millions Of Steam Game Keys Stolen
More than nine million keys used to redeem and activate games on the Steam, a popular games forum, have apparently been stolen by a hacker.
The site, DLH.net, that provides news, reviews, cheat codes, and boards, was breached on July 31 by an unnamed hacker. While the name of the hacker is not known, it is speculated that it is the same hacker responsible for an earlier compromise of a Dota 2 forum that resulted in the theft of nearly two million user accounts record.
According to breach notification site LeakedSource.com, that received a copy of the stolen database, says the DLH.net site allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users.
A known vulnerability found in older vBulletin discussion board software program, which powers the site’s community, allowed the hacker to gain access to the databases.
The data stolen from the forum includes full names, usernames, jumbled passwords, date of birth, email addresses, join dates, Steam usernames, avatars, and user activity data. For those who signed it with their Facebook account, social account access tokens were stolen for them.
Approximately 84 percent of the passwords that were jumbled with the MD5 algorithm (which is regarded unsafe by today’s standards) have already been decoded using readily available cracking tools, said a member of the LeakedSource group to ZDNet on Tuesday. However, some of them were saved with the robust SHA-1 algorithm.
The breached site and forum data were added by LeakedSource into its database to allow probable victims of the breach to search their data. The database in totality had about 9.1 million Steam keys.
A part of the data was shared by LeakedSource, according to which, a number of the 15-digit alphanumeric game keys were already redeemed and are effectively useless. At some point, several of them seem to be or have been valid even though it is unclear what percentage is still redeemable and active.
Some of the keys matched well-known games, including KnightShift, Final Fantasy IX, Pirates of Black Cove, and other top-rated games.
It is unknown if the codes came from Steam directly. The platform admits in a support page that several products and games that use the platform come with a Steam key, even if they are sold by another retailer.
However, spokesperson Dirk Hassinger refused to accept that the site had been compromised, and also debated the number of members the site has. “We checked our server log files and did not find any unusual activity within the past four weeks,” he said.
Valve, which owns and operates the Steam platform, have too not commented on the hack.