Cyber Incident Victim: Dota 2 Forum
Date:
Jun 2016
Location:
United States of America
Summary
A hacker exploited an SQL injection vulnerability in an older vBulletin forum platform supporting a popular multiplayer game, compromising nearly two million user accounts. The stolen data included usernames, email addresses, IP addresses, and weakly hashed MD5 passwords with salts, approximately 80% of which were subsequently cracked using basic tools. While the attack leveraged widely known vulnerabilities in the forum software, it was not linked to other contemporaneous breaches. The compromised credentials were added to a breach notification service's database, revealing that over half of affected accounts used Gmail addresses alongside tens of thousands of disposable emails. The game's developer did not publicly comment on the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In June 2016, attackers compromised the Dota 2 online forum by exploiting an SQL injection vulnerability in its outdated vBulletin software. The breach resulted in the theft of approximately two million user accounts, with the stolen data provided to LeakedSource.com, a breach notification service. Attackers accessed limited user information including usernames, email addresses, IP addresses, and hashed passwords secured with the MD5 algorithm alongside salts. LeakedSource analysts confirmed the vulnerability was widely known among hacker groups, though no evidence linked this incident to contemporaneous breaches. The forum operator, Valve Corporation, did not publicly acknowledge the breach at the time of initial reporting.
The compromised passwords proved highly vulnerable to decryption, with 1.54 million (80%) cracked using standard tools due to MD5's outdated security properties. LeakedSource incorporated the dataset into its searchable breach repository, enabling affected users to verify exposure. Analysis revealed over half of registered accounts used Gmail addresses, while tens of thousands relied on disposable email services. No evidence indicated compromise of Valve's game servers or financial systems, as the breach remained confined to forum credentials. Valve did not respond to media inquiries regarding remediation efforts or user notifications prior to the article's publication on July 10, 2016. The incident exposed risks associated with third-party forum software maintenance and widespread password reuse patterns among affected users.