dev.dota2.com
Jul 1, 2016
A breach of the Dota 2 developer community forum (dev.dota2.com), a Valve-operated vBulletin-based community platform for Dota 2 developers and modders. The archive contains two datasets: a cracked credentials file with usernames, email addresses, IP addresses, and plaintext cracked passwords; and a vBulletin database export with usernames, email addresses, IP addresses, MD5-hashed passwords, and plaintext password salts. The vBulletin file contains highly sensitive internal Valve Software employee accounts including IceFrog (the lead Dota 2 developer), Robin Walker, Brandon Reinhart, and numerous other Valve staff with @valvesoftware.com email addresses, as well as prominent Dota 2 community figures such as syndereN and Loda. The archive was distributed via BreachForums.
Data found in this dataset
Source files
Expand any file to inspect its column headers and the LLM's field-mapping reasoning, recorded during ingestion.
Breached_Info.txt0 rows
File structure
Format: CSV·Delimiter: comma·Has header: yes·Quote: "
Notes: This is a README/informational text file, not structured PII data. It contains breach context, attribution information, and distribution instructions rather than delimited records with personal information. No column mapping applicable.
Dev.Dota2.com_cracked_July_2016.txt4 columns1,487,857 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | username | high | Values are display names/usernames including Cyrillic characters, special characters, and gamer tags — consistent with vBulletin forum usernames from the Dota 2 dev forum breach |
| 1 | high | Values contain @ symbol and recognizable email domains (gmail.com, hotmail.com, yahoo.com, qq.com, valvesoftware.com, etc.) | |
| 2 | skip | high | Values are IPv4 addresses — registration or last-login IP addresses from the vBulletin database, non-PII structural data for this mapping |
| 3 | password | high | Values appear to be plaintext cracked passwords (e.g., 'jameschoy', 'meme12345', '123456789', 'scorpio') consistent with the cracked credentials file described in the breach context; some entries show $HEX[] encoded values indicating raw binary passwords |
Notes: This is the cracked credentials file from the dev-dota2-2016 breach of the dev.dota2.com vBulletin forum. Format is username:email:ip_address:plaintext_cracked_password. The username field (col 0) contains heavily encoded Cyrillic and CJK characters due to vBulletin character encoding issues. IP addresses in col 2 are likely last-known login or registration IPs. Some passwords in col 3 use $HEX[] encoding for non-ASCII raw bytes. Multiple entries sharing identical IPs and passwords (e.g., 84.108.81.2 / ehlb3c18TW) suggest bot-registered or bulk-created accounts.
Dev.Dota2.com_vb_July_2016.txt4 columns431,481 rows
File structure
Format: CSV·Delimiter: :·Has header: no·Quote: "
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | username | high | [0] no header; values are forum usernames like 'IceFrog', 'Robin Walker', 'syndereN', 'BrandonReinhart' |
| 1 | high | [1] no header; values contain @ signs, e.g. '[email protected]', '[email protected]' | |
| 3 | password | high | [3] no header; values are 32-character hex strings consistent with MD5 password hashes |
| 4 | password | high | [4] no header; values are plaintext password salts/tokens, e.g. '{lines};E>C{(._9rH?&kI0qa!1znS5Iq[e' |
Notes: No header row; colon-delimited file with 5 columns: [0] username, [1] email, [2] IP address (skipped per exclusion rules), [3] MD5 password hash, [4] plaintext password salt. Column [2] contains internal IP addresses (10.2.3.x range) and is skipped. This appears to be the vBulletin database export portion of the dev-dota2-2016 breach containing Valve employee and community accounts.
Dota2_BF__data__Dev.Dota2.com_cracked_July_2016.txt4 columns1,487,857 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | username | high | Values appear to be usernames/account names with various character encodings and special characters |
| 1 | high | Values contain @ symbol and match standard email address format | |
| 2 | skip | high | Values are IP addresses (IPv4 format), non-PII metadata |
| 3 | password | high | Values appear to be plaintext passwords or cracked password hashes |
Notes: Standard username:email:ip:password combo list from vBulletin forum breach. Contains primarily international user accounts with mixed character encodings (Cyrillic, CJK, HTML entities). IP addresses included as session/registration metadata. High sensitivity breach involving Valve Software employee accounts.
Dota2_BF__data__Dev.Dota2.com_vb_July_2016.txt5 columns436,213 rows
File structure
| Source column | Mapped field | Confidence | LLM assessment |
|---|---|---|---|
| 0 | username | high | First field contains usernames/account handles (IceFrog, Coco, gvengel, etc.) |
| 1 | high | Second field contains email addresses with @ symbol | |
| 2 | skip | high | IP addresses in CIDR notation (10.2.3.x format), internal network data |
| 3 | password | high | 32-character hexadecimal strings consistent with MD5 password hashes |
| 4 | skip | high | Plaintext password salts/recovery codes, variable special character strings |
Notes: vBulletin database export format: username:email:ip:md5_password_hash:password_salt. Contains highly sensitive Valve Software employee credentials (@valvesoftware.com) and prominent Dota 2 community figures. Passwords are MD5-hashed, salts are plaintext. High-priority breach involving IceFrog, Robin Walker, Brandon Reinhart and other Valve staff.