A pair of files from a 2016 breach of dev.dota2.com, the developer-facing community forum that Valve runs for Dota 2 modders, is circulating again. The interesting part is the cast list: in addition to roughly 1.9 million regular forum users, the dump includes internal Valve employee accounts.

The forum ran on vBulletin, the same software that has shown up in breach after breach over the past decade. Two files made it out. One contains username, email, IP address, and cracked plaintext password. The other is a vBulletin database export carrying username, email, IP, MD5 password hash, and the plaintext salt the hash was paired with. The salt-and-hash combination is weak by modern standards and many of the passwords have already been recovered.

Who is in the staff slice

Names that appear in the developer section read like a roster of early Dota 2: IceFrog, the lead designer; Robin Walker; Brandon Reinhart; and a number of other Valve engineers and contractors. The accounts predate any modern security baseline at the company, and the personal email addresses attached to them are, in several cases, still in active use elsewhere on the public internet. Anyone working on game-development security or threat intelligence will already know that this archive has been a persistent ingredient in targeted campaigns against game-industry staff for years.

If you used dev.dota2.com

The forum was small enough that most of its audience was technical and was practicing its own credential discipline by the time the breach happened. Even so, a salted MD5 from 2016 paired with a cracked password from the same file is exactly the input that credential-stuffing tooling is designed to weaponize.