Dota 2 analyst degaz reported that a website was created in China to access private information regarding the practices of professional teams and players. Valve was informed about this method and addressed the vulnerability associated with MOBA API keys.
During my short vacation, I decided to write a brief post about cheats, specifically Chinese cheats. If anyone remembers, in 2017 there was a significant scandal (Rurugate) where Chinese teams LGD and EHOME could access scrims and other private matches using an API key belonging to Perfect World. (Actually, they could do much more, like gain full control over Steam accounts, but that’s not the point. You can read more here). It is highly likely that the same situation has occurred again. Recently, I was shown a website that allowed viewing the exact MMR of players at any rank (down to the single digit), and also to see absolutely all matches, even from closed profiles at low MMR. Furthermore, the site was created by someone previously affiliated with Keen (also known as EHOME).
Consequently, a group of trusted Dota experts, including Boskey, Leamare, sikle, NoraD, Noxville, casual, and a few anonymous individuals, was assembled to investigate. After discussing various technical possibilities, we concluded that another API key leak was the most probable cause. Therefore, we collectively wrote to Valve, outlining the situation and expressing concerns about the potential threat to fair play in esports.
A few days ago, Valve detected the key and completely blocked access to the method. This serves as a good reminder for developers to regularly monitor the status and usage of their API keys. I don’t see any reason to accuse any specific individuals or teams, as there is no direct (or even indirect) evidence of cheat usage, and I strongly dislike pointless witch hunts. However, this whole situation amplifies concerns about the already fragile state of the region. Consider this.
In 2016, Pan “RuRu” Jie, the head of the esports organization LGD Gaming, was accused of utilizing a Dota 2 API key to obtain private practice data from other teams. It was alleged that she had been providing information about professional teams to her own teams since 2013, granting them an unfair advantage.