
Multiple reports of stolen Humble gift URLs - check your accounts

inm8num2

Member
From 2 weeks ago:

I checked all 100+ of my gift links, even the most recent ones from the latest HBM, and they were all used. I highly doubt my account was hacked (I did change my password to be safe), as no one redeemed any of my unredeemed Steam keys (or turned them into gift links to steal that way); the only things taken were the ones I had turned into gift links.
Edit: Finally got a real reply back today 9/22 - All of my compromised links were revoked from whoever redeemed them and returned to my library. Seems whoever did it had the foresight to be extra helpful and just redeem them all with the same email address.

And yesterday:

Just a warning to you all: today I was trying to redeem one of my gift links, and when I noticed it was used I thought maybe I had used it and forgot, but I was fairly certain I hadn't. I decided to check another, same thing, and next thing you know I had checked all my links going back to 2014, and all had been "used". It was now clear that I got hacked, and 114 gift links have been stolen.

This user said that Humble told him his account had been hacked, though.

Other users are finding that if they created gift links for games but hadn't yet used or given them away, those gift links are showing as used and were presumably stolen somehow. The used URLs are for game/bundle purchases going as far back as 2014. If you haven't generated gift URLs for games (they are still packed up with the 'redeem on Steam' or 'give to a friend' options), then those games should not have been stolen.

As far as what's been reported so far, unused keys have apparently not been used. Some of the users who have had gift URLs stolen have two-factor authentication enabled on their Humble accounts, but we really don't know what's going on (user accounts hacked, some kind of Humble database/security flaw, brute forcing URLs...).

Some perspective from madjoki at CAG:
16 characters long with 26 + 26 + 10 characters used in codes

that's 47 672 401 706 823 533 450 263 330 816 possibilities

for comparison there's only 37 778 931 862 957 161 709 568 steam keys.

so each guessed Humble link is equal to 1 300 000 guessed Steam keys.
Humble Bundle embeds links that bypass two-factor.

That's for generating gift links, which the attacker did not do, as those keys were safe.

Yes, it's possible that Humble's algorithm is predictable, but at least the links seem pretty random.

If you've been sitting on Humble gift URLs, check those URLs and see if they're showing as redeemed or not. If they've been used, contact Humble support with a list of all the games/gifts that you find to be compromised.

And regardless, you may want to update passwords and enable two-factor authentication if you have a smartphone.
 
A couple of times I have been gifted things through GAF and they turned out to have already been used. I never mentioned it to the gifter as I assumed it was a mistake. In the future I will, as there may have been more to it.
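A worked example of the two points madjoki raises, added here and not code from any poster in this thread or from Humble: first the keyspace arithmetic (62 symbols, 16 characters, compared against the Steam key count quoted above), then what "Humble's algorithm is predictable" would look like in practice. The weak generator is a hypothetical construction (a non-cryptographic PRNG seeded with the issue timestamp); nothing on this page shows Humble generates links that way. The `is_valid` oracle, the issue time and the time window are likewise constructed for the demonstration.

```python
import math
import random
import secrets
import string

# 26 lowercase + 26 uppercase + 10 digits = 62 symbols, 16 characters per code
ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 16

# Steam key count as quoted in madjoki's post, used only for the comparison
STEAM_KEYSPACE = 37_778_931_862_957_161_709_568


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits an attacker has to guess if every code is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def predictable_token(issued_at: int) -> str:
    """HYPOTHETICAL weak generator (not Humble's): a non-cryptographic PRNG seeded
    with the issue time. Whoever can narrow down the issue time can regenerate
    the token without touching the 62**16 keyspace at all."""
    rng = random.Random(issued_at)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def secure_token() -> str:
    """Proper generator: every symbol from the OS CSPRNG, about 95 bits of entropy,
    so the only attack left is the brute force madjoki sizes above."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))


def recover_predictable_tokens(is_valid, window_start: int, window_end: int):
    """Attacker's side of the weak scheme: try one seed per second across the
    suspected issue window and ask the redeem endpoint (modelled by the
    constructed `is_valid` callable) whether each candidate is a live link.
    Returns (seed, token) pairs that validated."""
    hits = []
    for t in range(window_start, window_end + 1):
        candidate = predictable_token(t)
        if is_valid(candidate):
            hits.append((t, candidate))
    return hits


if __name__ == "__main__":
    n = keyspace(len(ALPHABET), TOKEN_LEN)
    print(f"62^16 = {n:,} ({entropy_bits(62, 16):.1f} bits)")
    print(f"one Humble guess ~= {n // STEAM_KEYSPACE:,} Steam key guesses")

    # Constructed scenario: one link issued at a roughly known time, and the
    # attacker knows that time to within +/- 30 minutes.
    issued = 1_474_500_000
    live_links = {predictable_token(issued)}
    found = recover_predictable_tokens(live_links.__contains__, issued - 1800, issued + 1800)
    print("recovered from the weak generator with 3601 guesses:", found)
    print("CSPRNG token, not recoverable this way:", secure_token())
```

The contrast is the whole point: with the timestamp-seeded generator the search space is the size of the time window (a few thousand guesses), not 62^16, which is why a high keyspace figure alone does not settle whether links are guessable; only the generator's source of randomness does.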
 

Gorzul

Neo Member
This user said that Humble told him his account had been hacked, though.

To be exact they said "I'm very sorry to hear that! It sounds like your account may have been accessed without your permission.", but yeah I guess that's what it means :)


Also to all reading this, check the comments on the threads, multiple people attesting to the same having happened to them.
 

Chaser324

Banned
I actually encountered some suspicious activity related to a HB key about a week and a half ago.

We used HB to distribute keys for our game to Kickstarter backers, and while most people have claimed their HB key by now, there was one person that contacted me about a week and a half ago telling me that their key was showing as already redeemed. Sure enough, I checked the status of their key, and it had already been claimed by a very suspicious looking email address. I don't really care about protecting the integrity of this thief's email address, so I'll just post exactly what it was: hum.bundle.zun@yandex.ru

There are two pretty obvious things that jump out at you when you look at that email address. One is the domain, yandex.ru, the Russian equivalent of Google or Yahoo, with email addresses that are equally easy to obtain and abuse. The other is that the name actually references Humble Bundle, which suggests to me that it may be one of possibly many accounts created specifically for this task of trying to steal gift keys. Thankfully it was easy for me to resolve this issue for this one backer, but if the person or persons responsible for stealing it are having wider success it could be a much more substantial problem for both developers/publishers and consumers, especially with respect to Steam keys and the like that can't easily be reclaimed if they've already been sold off and redeemed.

I've attempted to report this activity to HB, but I'm honestly not quite sure what the proper avenue for it is. The support person that replied to me seemed confused by what I was telling them and not interested in investigating it.

To be exact they said "I'm very sorry to hear that! It sounds like your account may have been accessed without your permission.", but yeah I guess that's what it means :)

Don't read too much into that. It's clearly a scripted response for everyone with a support request like this. Those are the exact same words used in the initial email reply that I received, and I wasn't even talking about my own account.
 

Reallink

Member
I'm almost positive an old gift link of mine was stolen many months ago, so I don't think this is new. Account wasn't hacked, because Humble blows up my email the first time a different IP tries to log in. Sounds like they've got an inside mole or contractor stealing and/or leaking shit.
 

sTiTcH AU

Member
Had a few emails this morning with somebody trying to change my password on my Humble account, and then not long after that an account creation confirmation email from the Humble store. Seems like Humble accounts are being targeted.
 