Millions Of Steam Game Keys Stolen After Hacker Breaches Gaming Site (zdnet.com) 68
An anonymous reader writes:A little over nine million keys used to redeem and activate games on the Steam platform were stolen by a hacker who breached a gaming news site last month. The site, DLH.net, provides news, reviews, cheat codes, and forums, was breached on July 31 by an unnamed hacker, whose name isn't known but was also responsible for the Dota 2 forum breach. The site also allows users to share redeemable game keys through its forums, which along with the main site has around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database. A known vulnerability found in older vBulletin forum software, which powers the site's community, allowed the hacker to access the databases. The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.
Sooooo (Score:4, Insightful)
Re: (Score:3)
Becuase they'd have to reissue them to the original owner
Re: (Score:2)
Chances are most of them were already used by the intended recipient.
If I got a key from a gray market service like this I'd certainly waste no time redeeming it.
Re: (Score:3)
These are keys that people are reselling/trading. Publishers, developers, and Steam don't like that.
Many of these keys are likely stolen or farmed in the first place, or included as part of a "Humble Bundle" which expressly "forbids" you from reselling/trading individual keys.
Re: (Score:3)
Just because they got stolen, doesn't necessary mean that someone else didn't already own them. Invalidating them may also burn the original purchaser when they try to activate them down the road.
(For example, I myself have a few dozen steam keys that I haven't activated yet, most of which I received as part of past Humble Bundles, and some through kickstarter)
Re: (Score:2)
Doesn't really affect the original owner as it is not just a key but a key tied to a user and password. They can try stealing and selling user accounts and that would cause Steam massive problems as they would be penalised in many countries for affecting the accounts of customers. Just because you haven't used a purchased key, does not mean that key is not already tied to your account and your specific hardware.
Just a warning to everyone, lots of little databases are a hassle and cost more to administer
Steam down ATM (Score:4, Interesting)
Related or no? I'm unable to access any Steam functions other than games at the moment. No discussions. No store. No community page. Can access other sites fine though.
Re: (Score:1)
Millions of free Steam codes on a review site (Score:1)
No incentive for favorable reviews there.. no siree bob. /sarcasm
Re: (Score:3)
If you read the article, they were stolen from forums where users commonly traded them (eg I have a key for this game that I bought on sale but haven't used, I want a copy of that game, who wants to trade)
Re: (Score:1)
Bound to happen (Score:3)
An online community the size of steam is a big target. DLH.net and Steam both should have known better.
The keys though, they are already tied to the account that paid for them right? Are they useful for anything?
I've been expecting something like this for a while. Now expect big changes in the steam API.
Re:Bound to happen (Score:5, Interesting)
Re: (Score:3)
Re: (Score:3)
The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account.
If it was made easier to steal from your car because Walmarts webAPI connected to the cars insecure messaging system and enabled the thief to steal the keys from your ignition, grab a copy of your drivers license, find your date of birth, dealership username, and daily driving activity, I think its safe to assume some changes are coming.
Re: (Score:2)
Re: (Score:2)
Start with sharing less data? I know that's kind of the point of the API to begin with, but leaking is leaking, even if its just usernames. Maybe they will decide, like you say, nothing to do with Steam/Valve..... or maybe they obfuscate the usernames in some way? I don't really know, its not my show. At a minimum would I expect some kind of periodic security re-qualification for connected public facing sites.
If it was my show, I'd be looking very carefully at ANY data that leaves my control via ANY inter
Re: (Score:2)
Re: (Score:2)
I guess I'm eating crow on this one. Article read as steam usernames and user activity data. Comma makes all the difference.
So its another case of users sharing PI with a 3rd party site who loses it. Reading is fundamental.
Re: (Score:2)
Exactly which part of Steam Information was involved here? Are you aware this is a forum on an unrelated gaming website which was hacked. Your comment is simplistic enough that it would have the federal government be liable if people were writing their social security number on their bumper sticker.
wow (Score:2)
See, I just *knew* that deactivating my facebook this week would pay off almost immediately.
Sigh. Another Vulnerable PHP Service (Score:5, Informative)
I've pretty much concluded that all the PHP-based bulletin boards are a security nightmare. Even the ones that are small enough to audit tend to be filled with old-style mysql_query calls and other horrors of the past.
The best thing about PHP 7, in my view, is that they're finally killing the old MySQL API. They should have done that years ago. Now, you'll be able to tell which software is reasonably up-to-date based on whether it supports PHP 7 or not. Incidentally, vBulletin's website says that it still doesn't. That's probably not a good sign. :-)
Re: (Score:2)
Even if they did update it, it still won't matter unless every single vBulletin forum admin out there also decides to update as well. There are hundreds of forums running obsolete versions of it.
Re: (Score:2)
The thing is, lack of upgrades usually indicates a design problem. For services like this, the software should be distributed using git so that local changes can be merged sanely. Instead, most of these bulletin boards involve moving aside the existing installation, extracting a tarball, and running some sort of installer script that does who-knows-what. So upgrading can be nightmarish for sites that involve any sort of customization.
Also, this sort of software should be designed in such a way that it n
Re: (Score:2)
Given that vBulletin/phpBB have been around since the early 2000s, I'm guessing there's a lot of legacy code, wouldn't be surprised if they're still running CVS or Subversion without independent repositories like git has. They were not well designed with upgrades in mind. Newer forum software like Discourse [discourse.org] are better that way, but again are only optimized for touch screens. Giant amounts of whitespace, infinite scroll and other features annoying and wasteful of screen estate for desktop users.
Sharing keys? So many questions (Score:1)
Ok, apparently I don't have enough friends who also use Steam to know about this. I myself have a Steam account and was under the impression that a key is a one-time use code to activate a game in your account. If that's true, why in the world would you want to share a Steam game key? And even if you did share one, isn't there a finite amount of time until whoever you shared it with activates it and it's no longer useful to anyone else? Why would there be millions of unredeemed Steam game keys lying aro
Re:Sharing keys? So many questions (Score:4, Informative)
People sometimes get free or discounted keys and want to sell or trade them for games they actually want.
No one said there were millions of *unredeemed* keys stolen, just millions of keys. It's likely 99% of people who got keys through DLH used them immediately and the codes are meaningless now.
Re: (Score:1)
Ok, that makes WAY more sense. Thanks!
Re: (Score:2)
I remember /. was breached twice several years ago. I haven't been here in several years so if there have been any since then I haven't heard.
bolted (Score:1)
Re: (Score:2, Interesting)
To clarify they for you, in this case it is DLH.net [dlh.net] that was hacked via a PHP bulletin board issue, not Steam. To the best of my knowledge, DLH did not put out a browser. Steam on the other hand, appears to use a fork of Chromium/WebKit for their browser, so they didn't really develop one, either, they just took an existing one and bolted it in.
For what it's worth, Steam doesn't trust browsers very much, either. The only way you can redeem a game code is through their client. Probably to prevent a hacke
Thank goodness (Score:3)
Now I can deny having actually played GTA V for 368 hours. "It was the guy who hacked my account, honey!"
Re: (Score:2)
Pfff, punk! Call me when you have 6K hours on a game!
What exactly does that mean? (Score:2)
What exactly does that mean?
Re:What exactly does that mean? (Score:4, Interesting)
Oauth tokens. Potentially giving access to all shared data given to the site from fb (emails, maybe given name, contacts?). Of course this is a non-issue if FB invalidates the application token granted to the specified web site.
Re: (Score:2)
Uh, this isn't true in my experience with the various Sword of the Stars bundles in my experience.
Meh ... (Score:1)
Re: (Score:2)
This is a wrong information.