Grand Auto Theft: 3m DIRT 3 Keys Nicked

By Alec Meer on September 6th, 2011 at 8:41 pm.

Wotta dirty business, eh?

News that an eyebrow-raising 3 million Steam activation codes for natty racing title DIRT 3 had been leaked online broke earlier today, and now has an official oh-dear air to it as a result of confirmation from AMD that, yes, the codes were intended for vouchers that shipped with their Radeon graphics cards and yes, a database file containing them was purloined by bad eggs. I’m sure no-one at AMD or DIRT 3 publisher Codemasters is terribly calm right now, but at least it doesn’t appear to be the case that either of their sites or servers were directly hacked.

AMD reckons that “These activation keys were hosted on a third party fulfillment agency website, www.AMD4u.com, and did not reside on AMD’s website. Neither the AMD nor Codemasters servers were involved.” All three groups, plus Steam, are apparently teaming up for some kind of Oh Jesus Christ We Need To Stop This operation, and in the meantime AMD warn that people with valid vouchers might be in for “a short delay.”

Three million! Cripes. That’s the kind of sales figure many games would kill for. And now out there for free. However, I am quite sure it’s going to prove possible to deactivate the codes in question and, no doubt, ban the accounts of anyone who used them. Oh, second decade of the 21st century: you are a strange animal.


66 Comments »

  1. Malkara says:

    So, when do us subscribers get our keys?

    • thepavementview says:

      Ha, but seriously… to everyone freaking out about the potential collateral damage to their Steam account: I don’t think you have much to worry about. Steam isn’t going to ban thousands of accounts and lose thousands upon thousands of sales over this. Right now, they’re wagging their collective finger at the people who got away with it, and removing the game from the accounts of those who e-mailed Steam support while simultaneously shitting themselves in fear. Honestly, I don’t condone the mass pirating, but it pretty much is AMD and Codemasters’ fault for making the files so easily accessible.

    • hihellobyeoh says:

      WOW no one here knows how the actual users obtain their LEGIT codes (I mean the people like me who bought a card).

      1. buy card
      2. register card on xfx.com
      3. make sure you register the card with the code you received on the back of the do not disturb door hanger
      4. get the steam activation code back from XFX (or AMD if that’s what it was, I don’t remember, it has been months since I did this)
      5. activate and download your game via steam

      so easy answer: any codes not given out to registered card owners get banned

      EDIT: sorry I clicked the first reply button I saw LOL

    • glazier1333 says:

      This really sucks, I bought a card from amd ( which is my personal favorite anyway ) and still can’t get dirt 3 to run. These jerks screwed the legit buyers. My card will be obsolete and I’ll never get to play the game :(

  2. Theory says:

    1) Invalidate keys
    2) Generate new keys
    3) There is no step 3

    • Martel says:

      That seems to be the easiest, maybe require the video card’s serial number or something instead of the code. The problem they have is that the list includes all the valid keys, which has to be hard to sift through without just invalidating them all and using a different method to grant the game. The promo has been out for awhile, there are a lot of people with legitimate copies out there that will be pretty pissed off to lose the game, and will cause an internet meltdown if they start closing Steam accounts over it.

    • Theory says:

      In which case I take my comment back. What a mess!

    • xian says:

      uh, just delete those registered since the keys were stolen (and ban their account I’d guess)?!
      The amount of legitimate users affected should be minimal.

    • westyfield says:

      But there will still be legitimate users affected. The only way I can see to do this is to deactivate all the codes, then re-send new ones to everyone who purchased said cards. They’d have to go through the retailers though, which would be tricky.

    • Daniela Armanda Soledad Aguirre says:

      hey xian, why better you don’t deactivate your account? there’s a lot of innocent people and even they know these serials are stolen, they don’t deserve valve banning their accounts and losing these games that they worked hard to have their games registered “as should be”, it’s a lot of money we’re talking about!

      unfeeling box!!!

    • Joshua says:

      @Xian

      As these keys were part of a legitimate giveaway (before they were compromised), there’s also people who legitimately got the keys (before they were compromised). Banning them would be grossly unfair.

    • loveduckie says:

      In all honesty, this is quite a simple job to fix I would imagine.

      You simply have to write a basic program that can divide all those key entries (with a bit of handy string manipulation) and then call a function within STEAM or their database to identify whether or not the key has been used.

      It’s more the issue with dealing with users that go to try and validate their copy and then it turns out that their key got redeemed from the leaked list.

      Also, it’s highly unlikely that STEAM will start banning accounts. No doubt a lot of the people who redeemed those codes were paying customers with games on their accounts that were paid for legitimately. If anything, considering they have the leaked list, they will simply remove the game from the account in question.

      But then again, there were a few people that had keys from that list and redeemed it legitimately through a voucher as opposed to the text file on the internet. So, I have no clue how this is ultimately going to pan out.

  3. Ira Aduro says:

    This could be a problem if say someone puts a steam key up for sale, you buy it, and *BAM* invalid key or worse your account is flagged.

    • johnpeat says:

      Frankly if you buy ‘Steam keys’ from anywhere other than reputable sites, you DESERVE that…

      It’s easy tho – they disable all the codes, games will become unplayable for everyone (legit or otherwise) and then they send out new codes via the original mechanism (to legal customers) which they enter and ‘VIOLA!’

    • Ira Aduro says:

      Well say someone wins a free copy of a game (that uses steam) and they already own said game. They are often given a steam key which they could turn around and sell. I wouldn’t say you deserve sad times for buying a steam key from someone.

  4. HermitUK says:

    As someone commented over on the EG topic:

    “the “hack” was simply going to http://amd4u.com/dirt3promo/sql/ which gave you access to 3 SQL files filled with keys.”

    The files in question now taken down, naturally. If this is indeed how the codes were compromised, it doesn’t really qualify as hacking. It qualifies as a company failing miserably to protect £90 million worth of codes. Methinks AMD won’t be using that particular third party again in a hurry.

    • Ira Aduro says:

      W O W

      my mind reels at this oversight.

    • lasikbear says:

      Well I guess you could still call it an SQL injection.

    • Bilbo says:

      face meets desk

    • Sleepymatt says:

      Sounds like a SQLboy error…

    • westyfield says:

      Hehe, nice one Sleepymatt. :)

    • noclip says:

      This is *NOT* SQL injection, this is plaintext SQLite files being placed in a publicly accessible web server directory ready for download by anyone who happened to append “/sql” to the URL in their browser’s address bar. This kind of thing would have been an embarrassment in 2001, in 2011 it’s unbelievable.

    • Shortwave says:

      The reason my mind didn’t even doubt it was legit was for the reason that the address was so simple and basic and, I dunno.. O.o I was told it was just a promotional thing but I didn’t take the time to see how many codes there actually was to conclude the bullshitism. I just scrolled down a bit and picked one as quick as I could cause I thought they’d run out quick and it was just a “small” thing. It wasn’t till’ someone with half a brain pointed out to me that it seems fishy that I thought about it…

      Why would there be something like that stored there?
      I don’t quite understand and I own an SMF forum and know some basics about web design and databases.
      I still don’t get it. Still, shame on me..

    • Starky says:

      If this is the case, the person who took the keys might have a very real case for arguing that they were posted by the company in a public place, it was not theft at all.

      In fact I’m pretty damn sure by most countries’ laws this would fail to constitute theft, it’s the equivalent of throwing money out of a window into the street and then trying to claim those who picked it up were thieves.

    • Zerim says:

      Actually, it was more like amd4u.com/dirt3promo/keys/keys1.txt through keys8.txt.

      As in, going to amd4u.com/dirt3promo/keys/ showed all 8 of the text files containing all of the codes.

    • Tei says:

      This is a noob error.

      Browsers can eventually see all files put on the web. So if you have a file you don’t want people to access directly and download, you can put it in a place outside of the visible directory, and your web application can still access it, but not the general public.

      So if you have secrets.sqlite

      You have this:
      /var/www/application.php
      /var/data/secrets.sqlite

      The noobish programmers did this:
      /var/www/application.php
      /var/www/sql/secrets.sqlite

      This is a big no-no. It takes another error somewhere, a minor one, for people to figure out secrets.sqlite exists and download it. It doesn’t even need to be a software error, sometimes hardware suffers glitches, that could result in an error message like “I can’t open /var/www/sql/secrets.sqlite, because is in read only mode device”, and BANG, the crackers or anyone curious know about your file and have access to it.

      If game companies don’t want to suffer this type of error, the solution is easy: hire people with experience. Experience matters.
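
A check for the layout mistake Tei describes above, added here as an example and not part of the original comments: it walks a document root, lists data files a browser could request directly, and flags the directories holding them that have no index file. The extension list, index-file names and the temporary sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed list of extensions that should not be served from a document root.
SENSITIVE_EXT = {".sql", ".sqlite", ".db", ".bak", ".csv", ".txt"}
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
IGNORED = {"robots.txt"}  # meant to be public


def is_inside(path, docroot):
    """True if path, after resolving symlinks and '..', lies under docroot."""
    path, docroot = Path(path).resolve(), Path(docroot).resolve()
    return path == docroot or docroot in path.parents


def audit_docroot(docroot):
    """Return (exposed_files, listable_dirs), sorted, relative to docroot."""
    root = Path(docroot).resolve()
    exposed, listable = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        hits = [f for f in files
                if Path(f).suffix.lower() in SENSITIVE_EXT and f not in IGNORED]
        exposed += [(rel_dir / f).as_posix() for f in hits]
        # With no index file, only the server's autoindex setting stands
        # between a visitor and a full listing of this directory.
        if hits and not INDEX_NAMES & {f.lower() for f in files}:
            listable.append(rel_dir.as_posix())
    return sorted(exposed), sorted(listable)


def build_sample_tree(base):
    """Constructed tree holding both layouts from the comment above."""
    base = Path(base)
    for rel in ("www/application.php", "www/sql/secrets.sqlite",
                "www/keys/keys1.txt", "data/secrets.sqlite"):
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample\n")
    return base / "www", base / "data" / "secrets.sqlite"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        docroot, safe_db = build_sample_tree(tmp)
        exposed, listable = audit_docroot(docroot)
        print("served directly:", exposed)
        print("no index file:", listable)
        print("data/secrets.sqlite inside docroot?", is_inside(safe_db, docroot))
```
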

    • StenL says:

      They weren’t even SQL files, they were quite literally 8 text documents.

  5. deanb says:

    Somewhat hoping they won’t be banning accounts with these keys since I’m one of them. Given the amount of sites that do key giveaways I didn’t bat an eyelid when I was linked a list of 1000 Dirt 3 keys (It does seem the number grows in the telling of the tale, I’ve heard ranges from 250,000 to 1.2million to as high as 3 million. Which the 3 million seems way off since as you pointed out that’s sales figures most games would die for. Seems odd to just give that many away)

    Messaged Steam Support yesterday once I heard the keys weren’t meant to be given away, seems some people are seeing the game disappear from their library but up to now all I have is a “We are investigating this issue further. As soon as we have more information, we will update your ticket.” response. They’re free to remove the game from my library but they can sod off if they think they can ban folks’ accounts over AMD’s gaffe.

    • mjig says:

      This happened with Metro 2033 a while back, and King’s Bounty was given away for free accidentally, and Crasher, all on Steam. Nobody got banned. In the case of Crasher, the games were removed, but Metro 2033 and King’s Bounty weren’t, since it was impossible to tell who got the keys legit.

      They have no way of being able to know whether or not you obtained your key through this method, so your account is safe.

    • Andy_1305 says:

      The list I found had 656119 keys in it

    • Malkara says:

      They weren’t “giving away” 3 million. They were allocated 3 million keys. They probably expected to hand out a tiny fraction of those.

    • Outright Villainy says:

      Yup, it’s happened to me before with Metro 2033 too, someone said they’d trade it for some tf2 items. The next day it was gone, so I felt like a chump!

    • deadeye536 says:

      keys8.txt when it was accessible had keys 1,750,001-2,000,000, so 2 million sounds like a likely number to me, but maybe the SQL file had its own set of unique keys, in which case, 3 million keys could be accurate.

      Now that I realize it, they had the keys in two different publicly accessible locations, /sql/ and /keys/. No one who has used these keys deserves to have their Steam accounts banned. Hopefully, the third party provider kept a log of all legitimate keys used so Valve can quickly and swiftly remove the unauthorized keys from users’ steam accounts.

  6. db1331 says:

    I got two keys with my video card I purchased recently. I used one for myself (only to find that I suck balls at racing sims) and still have the other. I couldn’t even get a cheap game in trade for it before, no doubt it will be impossible now. I’ll just gift it to someone on my friends list.

    • liquidsoap89 says:

      Or to me! Because we go way back. Remember that time Jason burped and his glass of milk fell off the table? CLASSIC!

    • phobic says:

      Luckily for you it’s not a racing ‘sim’ ;)

  7. skurmedel says:

    Kinda like storing the combination to the bank vault under the doormat.

    (reply faily :()

  8. jonfitt says:

    Zoinks!
    Seems like they’re going to have to cancel all the keys and then provide a way for all the legitimate recipients to get a new one. It turns a nice give-away into a palaver for everyone involved.

  9. Zyrocz says:

    Isn’t Dirt 3 a Games for Windows title? Wouldn’t they need a separate code to activate it in GfW?

  10. Shortwave says:

    I’m going to be honest, I thought it was legit because I didn’t think keys would be stored in such plain view… I was linked just saying they do free give-aways and I’ve heard of them already doing that before…

    I also contacted steam support to explain the situation.
    The game is not installed.

    • Bilbo says:

      Sounds like an entirely honest mistake. I’m sure Steam will do right by you.

    • Shortwave says:

      Yea’ I got the same reply as everyone else.

    • Malkara says:

      What reply is that?

    • Shortwave says:

      “Hello,

      Thank you for contacting Steam Support.

      We are investigating this issue further. We will let you know as soon as we have more information.. “

    • qwiggalo says:

      Same here, my first reaction was this isn’t legit, and then my second was, but the link is so obvious. Then after I activated a key I read more about it and was like “Oh dear.”

  11. Amy Lee says:

    I was directed to the site. Now I found out about this. My reaction? FUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU-. The same story as Dean B. I hope they only delete the game. Would be better than banning accounts.

  12. The_Great_Skratsby says:

    Strange thing for me was that I did a Steam game trade with a chap last week who bought an AMD card, which had a legitimate key – sent me the scan of the voucher and everything, which worked perfectly.

    If action is taken I sure as hell hope legitimately registered keys (via email, then Steam) aren’t grouped into the same pile as those nicked.

    Otherwise hooboy I’ll be fuming to have my account I’ve had since beta suspended. Makes me irk thinking about it.

  13. joostijus says:

    I am going to be honest: one of my friends on msn gave me this list of codes in a hurry and told me to be very quick with using one of those codes because then I would have dirt 3 for free. I did what he said and yes I got dirt 3 working. Now a few hours later I have discovered what this really means and I am afraid of being banned. I don’t dare to contact steam because then they know that I have one of those illegal copies.
    I don’t know what to do now, the best would be to see dirt 3 just disappear from my game list, just like what happened to some other people. I wish this would have never happened.
    Can someone tell me what to do?!

    • pepper says:

      They already know you have one of the compromised keys. It probably takes them seconds to compare all the registered dirt 3 game keys with the list of keys released on the web.

      It’s unlikely you will be banned for this.

  14. Thants says:

    It sounds bad and all, but does it actually matter? I mean, it’s not like anyone who wanted to pirate it couldn’t have just done so already.

    • Carra says:

      Yes it matters, imagine this: I buy a new PC and get the game with my graphics card. I register it on steam but get a “key already in use”.

  15. Carra says:

    What a mess. I’m thinking how they can clean it up…

    -Immediately block all new Dirt 3 activations
    -If there is already a lot of damage done: ban all registrations since the hack was done
    -Show a message to the user when someone activates with one of these numbers
    -Ask them to send their key + gpu number and then send them a new key

    Bah, the hassle. Imagine a service desk having to handle hundreds of thousands of telephones: the costs are massive.

  16. Squirm says:

    I was sent a key by a person on steam who told me the key was a friend gift code he didn’t want.

    Do I deserve to get my 8 year old $3000 steam account instantly banned like you people are so happy to suggest being the top solution?

    Think a little bit please.

    • Shortwave says:

      More or less in the same boat as you.
      I feel like a chump but what can yea’ do?
      Annoyed with said person who linked it to me and failed to tell me it wasn’t legit..
      BUT.. I feel like an idiot.

    • morganic says:

      Yep, I’m in the same boat. I have asked steam to remove the game from my account but I feel like an idiot. The person tried telling me it was legit after the fact but I looked and found it in the files online. I won’t be talking to that person again.

    • Martel says:

      Morganic, that is all the keys, so all the legitimately redeemed keys and the unredeemed keys are in there together.

      Doesn’t mean you weren’t scammed (I bought one and am in the same boat as others) but it also doesn’t mean that person did anything malicious to you.

      Just came across this as well
      https://twitter.com/#!/Steam_Support/status/111206115672465408

  18. lijenstina says:

    Those keys just drifted away. Damn you, Pendulum effect.

  19. Squirm says:

    Steam support released comments saying no bans etc.

    Not like dirt 3 was a particularly good game anyway.
    I stuck the key in, but won’t even be downloading it lol.

  20. Vinraith says:

    Valve isn’t going to ban anyone, they’re much too PR-savvy to risk damaging the fragile illusions of permanence and ownership surrounding their service over something this minor.

  21. Tei says:

    My master plan:

    Register all 3 million keys in Steam. And ask for a refund.
    That’s like 180m dollars. Woot.

    That’s one thing humans do better. A machine would give you 180 millions in a refund, and not mind once, if it is programmed to refund for games given some set conditions. But a human will probably raise an eyebrow at the number of zeroes. Then laugh. Then fall to the ground unconscious. Then maybe ask his boss for instructions. Then call the police.

  22. Shortwave says:

    I’m wondering when anyone official will comment on this, heh.

  23. My Name Is says:

    Wow, those are expensive text files. No SQL, no salting, this was a high quality operation.

    What I want to know is how long it took from when the web marketer uploaded the last text file till someone visited the directory for the promo?

    There were no robot tags to keep search spiders out either, so if anyone gets accused of hacking then let’s go ahead and throw Google into the fire too.

  24. eddparsons says:

    I just bought a new graphics card which came with one of these keys – tried to register it Tuesday night and was informed they were having a problem and to either scan or take a picture of the card and send it to them. Did that, got a new key back today, now activated on Steam. Voila. Now just got to find enough disk space for it. 11GB!