Hard on the heels of the Clash of Kings hack, an attacker has reportedly hit the popular online multiplayer game Dota 2, managing to compromise almost two million accounts.
The heist was carried out on a Dota 2 member forum on July 10, with the perps making off with user names, emails and IP addresses. The hit has just come to light thanks to a copy of the leaked database showing up on breach notification site LeakedSource.com.
The data also includes hashed passwords that use the outdated MD5 algorithm—but a member of the LeakedSource group told ZDnet that 1.54 million of the passwords—or about 80%—have already been unscrambled using “rudimentary and run-of-the-mill cracking tools.”
According to security researchers, the hacker took advantage of an SQL injection vulnerability used by the older vBulletin forum software, which was also the attack vector for the recent offensive against Clash of Kings.
“The Dota breach is believed to have been caused by an outdated version of vBulletin, which is an online forum software that was also exploited in the recent attack on the official Clash of Kings forum,” said Amol Sarwate, director of vulnerability labs at Qualys, via email. “Incidents such as the recent Dota forum data breach can easily be avoided by practicing basic security hygiene, like keeping software up-to-date and patching as soon as possible.”
He added, “A simple security audit involving inventory gathering and vulnerability assessment will tell you what needs to be patched and which systems are out-of-date or end of life. By addressing such software, organizations can quickly achieve a very acceptable security posture.”
In the Clash of Kings incident, which also happened in July, a hacker penetrated the official forum of the extremely popular mobile game, making off with almost 1.6 million accounts.
Game developer and Dota 2 owner Valve has not made a public statement about the data breach.
“Unfortunately, this yet again demonstrates that 'good enough' is not good enough when it comes to security," said Jacob Ginsberg, senior director, Echoworx, in an email. "Data persists, so even if you’ve taken steps to protect that information, hackers may have the tools to negate these defenses six months, one year or three years down the line. If you do the bare minimum now, this won’t do you any good in six months’ time. Simple hashing of passwords isn’t enough—using strong encryption should be a prerequisite for any organization handling account information.”
Photo © robertonencini