A recently discovered breach of gaming news site DLH.net has exposed over nine million keys after an unknown hacker compromised the site.
DLH.net is an aggregate site made up of news, reviews, forums and cheats for gamers. The site also allows users to share redeemable game keys through its forums. Together, the forums and the main site have around 3.3 million unique registered users, according to breach notification site LeakedSource.com, which obtained a copy of the database. A short review of the database showed that some of the Steam keys were useless because they had already been redeemed. Given the sheer volume of keys, however, it is likely that a few are still valid.
The site was running a vulnerable version of the vBulletin forum software on its servers. This allowed the unnamed hacker to access the database of Steam keys. The data stolen from the forum includes full names, usernames, scrambled passwords, email addresses, dates of birth, join dates, avatars, Steam usernames, and user activity data. Facebook access tokens were stolen for those who signed in with their social account. LeakedSource also revealed that a huge chunk of the encoded data in the database was using the vastly inferior MD5 hashing algorithm. Some were stored with the stronger SHA-1 algorithm, however. This means that many passwords are very susceptible to cracking. So if you used DLH.net and shared passwords with any other sites, which is a terrible idea for this reason, you should change those passwords as soon as possible.
Several members of DLH.net staff dispute the reports of this hack. Dirk Hassinger denied that the site had been hacked, and disputed the number of members the site has. “We checked our server log files and did not find any unusual activity within the past four weeks,” he said. This dismissal is directly countered by several users on DLH reporting not only that their passwords were changed, but also that their information could be found on LeakedSource. DLH has since pushed a site-wide password reset. It is still unclear why DLH staff refuse to acknowledge the leak of user data, calling it a “rumor”.