AMD Accidentally Leaks 1.7 Million DiRT 3 Keys 187
An anonymous reader writes "The free game with every graphics card deal has finally backfired for AMD and Codemasters. Due to a lack of .htaccess, 1.7 million keys for a free copy of DiRT 3 on Steam have been leaked. No word from AMD or Codemasters yet, but I'm sure Valve will block all the codes on Steam soon. One question that remains: if you used one of the codes, will Steam ban your account? There could be a few very unhappy gamers later today if that happens."
The exact number of keys is in question — reports range from 250,000 to 3 million — but AMD confirmed that a leak did occur.
Re:Steam policy on account bans (Score:2, Insightful)
The leak was full of legitimate keys, and also included the IDs that were sold with the hardware.
The text files were simple rows of Dirt 3 Keys, Hardware IDs, and database identifiers.
If you wanted, it was simple enough to copy a hardware ID instead of a Dirt 3 key, paste that ID into the amd4u promotion, and receive the appropriate Dirt 3 key in your inbox from AMD themselves.
If someone did that, there'd be absolutely no way of distinguishing them from a legitimate customer that owned the product, since the hardware ID acted as the proof of purchase. Of course most people didn't register and just copied the Dirt 3 keys directly, so it's possible for AMD and Valve to see what Dirt 3 keys were activated on Steam without their corresponding hardware IDs being registered on amd4u.com. That's probably revoke about 90% of the illegitimate licences.
The promotion had been running for awhile, so if they just ban all of the keys then some innocent accounts will be hit in the crossfire. At the moment it seems like they are just revoking the licences instead of banning accounts (at least for the users who profess to being tricked into entering the key without knowing where it came from).
Also, the exact number of keys was 2 million, eight text files with 250,000 keys per file.
Re:Steam policy on account bans (Score:3, Insightful)
Why should people have to pay for others mistakes? Why should people have to take those "5 minutes out of their day to scan something", in order to correct a situation they weren't involved with? It's insane to think the customers have to "foot the bill", so to speak, to clean up after AMD's fuck up.
WTF? (Score:5, Insightful)
The reason access to all these keys has been granted is due to a lack of .htaccess on AMD’s site.
What's all this stupid talk about .htacess anyway? Those are the kind of files that should not be below a web server's DocumentRoot in the first place. The reason access to all these keys has been grated is because some moron put them in a live area of the web server where they didn't belong.
Re:Steam policy on account bans (Score:4, Insightful)
I'd be amazed if it's legal for them to block access to content you've legitimately paid for.
It's perfectly legal. You are not buying anything from Steam. You do not own anything that you pay for on Steam. You are paying for a revokable license, at the sole discretion of Valve. If you confuse this with an actual purchase, then that's your problem.
Re:Steam policy on account bans (Score:4, Insightful)
You open a support ticket, show proof of purchase and a picture of the media/CD key or whatever they require, and they reallocate the proper CD key back to your account. No biggie.
No biggie? Legit customers would be treated by default as pirates unless they supplied proof of purchase, and until they did that could risk everything from their account being locked to being perma banned.
A correct and more sensible option would be for AMD to supply Steam with a list of email addresses of users who registered. Probably 90% of those are using the same email address on Steam and can be eliminated. Then you audit the hardware of the remainder through Steam (and it's already capable of this) and see who is running AMD hardware that the promotion applied to eliminate them too. Then you look for the date that the exploit got into the wild (probably obvious from a graph of # registrations per day) and you eliminate all of them before that date. Finally you're probably looking at a small % of legit owners to track down. You might then mailshot every game owner and tell them the game will be disabled in 10 days unless they run it on the proper hardware and then you eliminate people who do that. Finally you mailshot again and warn them to contact customer service with proof of purchase within 30 days or risk a perma ban.
Is it a major screwup by AMD? Yes. But Valve and AMD should make all reasonable efforts to not inconvenience legit users. Only as a last resort should a ban or account freeze should be necessary.