A hacker has breached the official Dota 2 Dev forum and made off with the entire forum database, which contains email addresses, usernames, IP addresses, and salted password hashes of 1,923,972 users.
LeakedSource managed to get ahold of the stolen database, and says that the hack happened on July 10th, 2016.
Their analysis revealed that the overwhelming majority of users signed up with their Gmail address, but also that many users used disposable email addresses.
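Unfortunately, even though the passwords were hashed and salted, Valve Corporation – the creator of the Defense of the Ancients 2 game and of the breached forum – chose to use the vulnerable MD5 algorithm for the hashing. Salting stops precomputed tables from being reused across accounts, but MD5 is so fast to compute that guesses against each salted hash can still be tested at a very high rate.
LeakedSource says they’ve already managed to “convert over 80% of [the hashed and salted passwords] to their plaintext values.”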
The breach was confirmed by a forum administrator, who said that a vulnerability in the forum software (vBulletin) was exploited to dump the database, and that it has been patched.
“We have reset the passwords for all forum user accounts,” he informed the users. “If you would like to log in to make a forum post, you’ll need to choose a new password. If you used your forum password for other online services, we recommend you change those passwords as well.”
He also made sure to note that the database relates only to the Dota 2 Dev forums, and that it doesn’t contain any Steam credentials, payment information or any other private information related to the users’ Steam accounts.
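For operators who still hold salted MD5 password hashes like the ones described above, one common mitigation is to wrap each stored hash in a slow key-derivation function right away and re-hash the plaintext on the user's next successful login. The sketch below is an added example, not code from the forum, vBulletin or Valve; the `md5(salt || password)` layout, the record fields, the choice of PBKDF2-HMAC-SHA256 and the iteration count are all assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_md5(password: str, salt: bytes) -> str:
    """Constructed stand-in for a legacy scheme: hex(md5(salt || password))."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def _kdf(secret: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations)


def wrap_legacy(md5_hex: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Offline step: harden a stored MD5 hash without knowing the password."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2(md5)", "salt": salt, "iter": iterations,
            "hash": _kdf(md5_hex.encode(), salt, iterations)}


def verify_and_upgrade(password: str, legacy_salt: bytes, record: dict):
    """Check a login; on success return a record that no longer involves MD5."""
    wrapped = record["scheme"] == "pbkdf2(md5)"
    secret = legacy_md5(password, legacy_salt) if wrapped else password
    derived = _kdf(secret.encode(), record["salt"], record["iter"])
    if not hmac.compare_digest(derived, record["hash"]):
        return False, record
    if wrapped:  # plaintext is available only now, so re-hash it directly
        salt = os.urandom(16)
        record = {"scheme": "pbkdf2", "salt": salt, "iter": record["iter"],
                  "hash": _kdf(password.encode(), salt, record["iter"])}
    return True, record


if __name__ == "__main__":
    old_salt = b"constructed-salt"  # constructed sample data
    rec = wrap_legacy(legacy_md5("correct horse", old_salt))
    print(verify_and_upgrade("wrong guess", old_salt, rec)[0])
    ok, rec = verify_and_upgrade("correct horse", old_salt, rec)
    print(ok, rec["scheme"])
```

Wrapping only protects the copy of the database held after migration; hashes that have already been dumped remain plain salted MD5, which is why the forced reset and the advice to change reused passwords still apply.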