From 2 weeks ago:
I checked all 100+ of my gift links, even the most recent ones from the latest HBM, and they were all used. I highly doubt my account was hacked (I did change my password to be safe), as no one redeemed any of my unredeemed Steam keys (or turned them into gift links to steal that way); the only things taken were the ones I turned into gift links.
Edit: Finally got a real reply back today 9/22 - All of my compromised links were revoked from whoever redeemed them and returned to my library. Seems whoever did it had the foresight to be extra helpful and just redeem them all with the same email address.
And yesterday:
Just a warning to you all: today I was trying to redeem one of my gift links when I noticed it was used. I thought maybe I had used it and forgot, but I was fairly certain I hadn't. I decided to check another: same thing. Next thing you know, I checked all my links going back to 2014, and all have been "used". It was now clear that I got hacked, and 114 gift links have been stolen.
This user said that Humble told him his account has been hacked, though.
Other users are finding that if they created gift links for games but hadn't yet used or given them away, those gift links are showing as used and were presumably stolen somehow. The used URLs are for game/bundle purchases going as far back as 2014. Games for which you never generated a gift URL (those still showing the 'redeem on Steam' or 'give to a friend' options) should not have been stolen.
From what's been reported so far, unredeemed keys have apparently not been touched. Some of the users who have had gift URLs stolen have two-factor authentication enabled on their Humble accounts, but we really don't know what's going on (user accounts hacked, some kind of Humble database/security flaw, brute-forcing URLs...).
Some perspective from madjoki at CAG:
16 characters long with 26 + 26 + 10 characters used in codes
That's 47 672 401 706 823 533 450 263 330 816 possibilities.
For comparison, there are only 37 778 931 862 957 161 709 568 Steam keys.
So each guessed Humble link is equal to 1 300 000 guessed Steam keys.
Humble Bundle embeds links that bypass two-factor.
That's for generating gift links, which the attacker did not do, as those keys were safe.
Yes, it's possible that Humble's algorithm is predictable, but at least the links seem pretty random.
If you've been sitting on Humble gift URLs, check those URLs and see if they're showing as redeemed or not. If they've been used, contact Humble support with a list of all the games/gifts that you find to be compromised.
And regardless, you may want to update passwords and enable two-factor authentication if you have a smartphone.