Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Games

Millions Of Steam Game Keys Stolen After Hacker Breaches Gaming Site (zdnet.com) 68

An anonymous reader writes:A little over nine million keys used to redeem and activate games on the Steam platform were stolen by a hacker who breached a gaming news site last month. The site, DLH.net, provides news, reviews, cheat codes, and forums, was breached on July 31 by an unnamed hacker, whose name isn't known but was also responsible for the Dota 2 forum breach. The site also allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database. A known vulnerability found in older vBulletin forum software, which powers the site's community, allowed the hacker to access the databases. The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.
This discussion has been archived. No new comments can be posted.

Millions Of Steam Game Keys Stolen After Hacker Breaches Gaming Site

Comments Filter:
  • Sooooo (Score:4, Insightful)

    by Anonymous Coward on Thursday August 18, 2016 @02:48PM (#52727895)
    if they know the keys were stolen, can't they invalidate them????
    • Becuase they'd have to reissue them to the original owner

    • Chances are most of them were already used by the intended recipient.

      If I got a key from a gray market service like this I'd certainly waste no time redeeming it.

    • These are keys that people are reselling/trading. Publishers, developers, and Steam don't like that.

      Many of these keys are likely stolen or farmed in the first place, or included as part of a "Humble Bundle" which expressly "forbids" you from reselling/trading individual keys.

    • by xlsior ( 524145 )
      if they know the keys were stolen, can't they invalidate them????

      Just because they got stolen, doesn't necessary mean that someone else didn't already own them. Invalidating them may also burn the original purchaser when they try to activate them down the road.

      (For example, I myself have a few dozen steam keys that I haven't activated yet, most of which I received as part of past Humble Bundles, and some through kickstarter)
      • by rtb61 ( 674572 )

        Doesn't really affect the original owner as it is not just a key but a key tied to a user and password. They can try stealing and selling user accounts and that would cause Steam massive problems as they would be penalised in many countries for affecting the accounts of customers. Just because you haven't used a purchased key, does not mean that key is not already tied to your account and your specific hardware.

        Just a warning to everyone, lots of little databases are a hassle and cost more to administer

  • Steam down ATM (Score:4, Interesting)

    by bignetbuy ( 1105123 ) <(moc.8042aera) (ta) (md)> on Thursday August 18, 2016 @02:50PM (#52727901) Journal

    Related or no? I'm unable to access any Steam functions other than games at the moment. No discussions. No store. No community page. Can access other sites fine though.

  • No incentive for favorable reviews there.. no siree bob. /sarcasm

    • by Sowelu ( 713889 )

      If you read the article, they were stolen from forums where users commonly traded them (eg I have a key for this game that I bought on sale but haven't used, I want a copy of that game, who wants to trade)

  • by WolfgangVL ( 3494585 ) on Thursday August 18, 2016 @03:00PM (#52727983)

    An online community the size of steam is a big target. DLH.net and Steam both should have known better.

    The keys though, they are already tied to the account that paid for them right? Are they useful for anything?

    I've been expecting something like this for a while. Now expect big changes in the steam API.

    • Re:Bound to happen (Score:5, Interesting)

      by Nemyst ( 1383049 ) on Thursday August 18, 2016 @03:33PM (#52728279) Homepage
      Redeemable keys used for sharing have not been redeemed and can therefore be used by anybody without any action of whoever actually purchased/obtained the key.
    • by tsotha ( 720379 )
      I don't see Valve has any reason to change anything. If Walmart sells you a boxed game and someone steals it out of your car, is this Walmart's problem?
      • The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.

        If it was made easier to steal from your car because Walmarts webAPI connected to the cars insecure messaging system and enabled the thief to steal the keys from your ignition, grab a copy of your drivers license, find your date of birth, dealership username, and daily driving activity, I think its safe to assume some changes are coming.

        • by tsotha ( 720379 )
          I don't understand how the quote is relevant. The only thing related to the Steam API is user names, and they don't have the Steam passwords. What changes to the API should Valve be making?
          • Start with sharing less data? I know that's kind of the point of the API to begin with, but leaking is leaking, even if its just usernames. Maybe they will decide, like you say, nothing to do with Steam/Valve..... or maybe they obfuscate the usernames in some way? I don't really know, its not my show. At a minimum would I expect some kind of periodic security re-qualification for connected public facing sites.

            If it was my show, I'd be looking very carefully at ANY data that leaves my control via ANY inter

            • by tsotha ( 720379 )
              Again, what Steam data was involved in this breach?
              • I guess I'm eating crow on this one. Article read as steam usernames and user activity data. Comma makes all the difference.

                So its another case of users sharing PI with a 3rd party site who loses it. Reading is fundamental.

            • Exactly which part of Steam Information was involved here? Are you aware this is a forum on an unrelated gaming website which was hacked. Your comment is simplistic enough that it would have the federal government be liable if people were writing their social security number on their bumper sticker.

  • by eyenot ( 102141 )

    See, I just *knew* that deactivating my facebook this week would pay off almost immediately.

  • by dgatwood ( 11270 ) on Thursday August 18, 2016 @03:03PM (#52727999) Homepage Journal

    I've pretty much concluded that all the PHP-based bulletin boards are a security nightmare. Even the ones that are small enough to audit tend to be filled with old-style mysql_query calls and other horrors of the past.

    The best thing about PHP 7, in my view, is that they're finally killing the old MySQL API. They should have done that years ago. Now, you'll be able to tell which software is reasonably up-to-date based on whether it supports PHP 7 or not. Incidentally, vBulletin's website says that it still doesn't. That's probably not a good sign. :-)

    • by Rexdude ( 747457 )

      Even if they did update it, it still won't matter unless every single vBulletin forum admin out there also decides to update as well. There are hundreds of forums running obsolete versions of it.

      • by dgatwood ( 11270 )

        The thing is, lack of upgrades usually indicates a design problem. For services like this, the software should be distributed using git so that local changes can be merged sanely. Instead, most of these bulletin boards involve moving aside the existing installation, extracting a tarball, and running some sort of installer script that does who-knows-what. So upgrading can be nightmarish for sites that involve any sort of customization.

        Also, this sort of software should be designed in such a way that it n

        • by Rexdude ( 747457 )

          Given that vBulletin/phpBB have been around since the early 2000s, I'm guessing there's a lot of legacy code, wouldn't be surprised if they're still running CVS or Subversion without independent repositories like git has. They were not well designed with upgrades in mind. Newer forum software like Discourse [discourse.org] are better that way, but again are only optimized for touch screens. Giant amounts of whitespace, infinite scroll and other features annoying and wasteful of screen estate for desktop users.

  • Ok, apparently I don't have enough friends who also use Steam to know about this. I myself have a Steam account and was under the impression that a key is a one-time use code to activate a game in your account. If that's true, why in the world would you want to share a Steam game key? And even if you did share one, isn't there a finite amount of time until whoever you shared it with activates it and it's no longer useful to anyone else? Why would there be millions of unredeemed Steam game keys lying aro

  • Now they have been hacked, perhaps they will look to security all around and quit making me use their own copy of the web browser to pay for games. Yes I'm sure there is another way and it may well be chrome under the hood but I don't care. I want to use the web browser I trust by default before I enter my paypal credentials.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      To clarify they for you, in this case it is DLH.net [dlh.net] that was hacked via a PHP bulletin board issue, not Steam. To the best of my knowledge, DLH did not put out a browser. Steam on the other hand, appears to use a fork of Chromium/WebKit for their browser, so they didn't really develop one, either, they just took an existing one and bolted it in.

      For what it's worth, Steam doesn't trust browsers very much, either. The only way you can redeem a game code is through their client. Probably to prevent a hacke

  • by PopeRatzo ( 965947 ) on Thursday August 18, 2016 @03:37PM (#52728309) Journal

    Now I can deny having actually played GTA V for 368 hours. "It was the guy who hacked my account, honey!"

  • Facebook access tokens were stolen for those who signed in with their social account.

    What exactly does that mean?
  • Most of the keys were for so-so games, nothing really AAA and got to have. Nothing of Value was lost. It's a good thing I used my spam email and spam facebook acount for things like this.

"I've finally learned what `upward compatible' means. It means we get to keep all our old mistakes." -- Dennie van Tassel

Working...