Someone hacked the forums devoted to e-sports wunderkind Dota 2, and in doing so they have stolen the general locations, emails, passwords, and other personal information about nearly 2 million people active on the forums.
The data breach occurred on July 10, and LeakedSource revealed the extent of the hack on August 9. (The same day the Dota 2 International 2016 competition’s main event began.) “This data set contains 1,923,972 records,” LeakedSource writes on its blog. “Each record contains an email address, ip address, username, user identifier, and one password.”
Most hacks only contain some of that information. But forums often collect users’ IP addresses — usually so they can ban trolls who keep creating accounts — in addition to other data. Those IP addresses can be used to figure out someone’s general location, and if the email address used to create the account contains that person’s name, this means the hackers could target specific users in person.
This makes forums good targets, and the Dota 2 forum in particular would have been attractive because of its sheer number of users. The game has become increasingly popular in recent years, at least partly because the prize pool for its international competition keeps growing, thus driving more people to the forums.
The good news is that the Dota 2 forum took steps to secure user passwords. It doesn’t have weird password requirements — I was able to create an account with the horrible password of “asdf” — which means it’s one of the companies that makes getting hacked easy.
The bad news is that even though the forum took steps to secure user passwords, LeakedSource was able to convert roughly 80 percent of the “secure” passwords into easily-read plain text. That’s well over 1 million people whose passwords have been compromised. It’s usually a bad idea to frequently change passwords, but anyone who used their Dota 2 forum password on another website should go to those other sites and reset their passwords there.
LeakedSource says that there “a lot of disposable emails” on the list of top email domains affected by the hack. That’s good news for some forum members — it means that their primary email address probably isn’t at risk as a result of the hack. The million-plus members who signed up with Gmail, on the other hand, better hope that their forum passwords don’t match up with their email logins.
All told, this is a prime example of people doing many things right (trying to secure passwords, using disposable email addresses, not imposing bizarre password requirements on people) and still creating problems. That’s a simple result of the treasure trove of valuable information hoarded by most forums. As long as they’re attracting lots of people — having nearly 2 million members meets that bar — and combining emails, logins, and IP addresses, these message boards will attract the attention of someone who wants to steal that data.