bit-gamer.net

Steam forum and database hacked

The Steam forum and database have been compromised, causing concern for hundreds of thousands of gamers.

Valve co-founder Gabe Newell has confirmed that not only were the Steam forums ‘defaced’ but that ‘the intrusion goes beyond the Steam forums.’ Newell released an IM to the Steam forum users to alert them to the risks, and Valve is responsibly requiring people to re-set their Steam forum account password.

‘We learned that intruders obtained access to a Steam database in addition to the forums,’ added Newell. ‘This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.’

However, ‘we don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.’

As well as requiring Steam forum users to re-set their passwords, Valve is also advising that if you use the same password for other sites, you should change those too.

While there’s no knowledge of Steam accounts (which are separate from Steam forum accounts) being compromised, ‘it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password.’

Thoughts or advice on the situation? Tell us via the forum.

78 Comments

iknowgungfu 11th November 2011, 12:44 Quote
Merde! Just went through and changed a load of passwords after the PSN scare!
K.I.T.T. 11th November 2011, 12:53 Quote
Oh bother, well, that's slightly tiresome....
fix-the-spade 11th November 2011, 12:54 Quote
Stark contrast to Sony's approach earlier in the year.
Coming straight out and saying it seems much smarter than saying there's nothing wrong, there's nothing wrong, THERE IS NOTHING WRONG!
Still, just set new passwords on everything, can't be too careful.
Denis_iii 11th November 2011, 13:07 Quote
can you even change steam account password on steam website? (not steam forum)
TWeaK 11th November 2011, 13:09 Quote
To be fair to Sony, Valve didn't come out right away. The forums were defaced last Sunday, and they shut them down. They only came out with something official last night - before that there were all sorts of rumours, like it just someone attacking the forums only from a cyber cafe.

The key difference between them and Sony, however, is that they hashed the passwords.

Tbh though I do wonder what the cause of it was. I have a feeling they got hold of an employee's forum account, which they then used to alter the forums, and this employee also had access to the database. So, either the employee used the same password for the database or maybe they had access to his/her email and got in through that. Hopefully Valve will be up front and explain what exactly happened once they've fully investigated, but I wouldn't expect them to..

@denis_iii: You can only change your Steam password through the Steam program. Forum accounts are separate to Steam accounts though (you might not even have one), and it's the forum account that they're requiring everyone to reset. They do advise you change the password for your main Steam account though, and on any other account elsewhere that uses the same password.
sakzzz 11th November 2011, 13:13 Quote
Makes me wonder whether ANYTHING is SAFE online !! ?
LeMaltor 11th November 2011, 13:15 Quote
Trying to change my steam password, keeps telling me I cannot do it at the time :S
Denis_iii 11th November 2011, 13:16 Quote
Quote:
Originally Posted by TWeaK
To be fair to Sony, Valve didn't come out right away. The forums were defaced last Sunday, and they shut them down. They only came out with something official last night - before that there were all sorts of rumours, like it just someone attacking the forums only from a cyber cafe.

The key difference between them and Sony, however, is that they hashed the passwords.

Tbh though I do wonder what the cause of it was. I have a feeling they got hold of an employee's forum account, which they then used to alter the forums, and this employee also had access to the database. So, either the employee used the same password for the database or maybe they had access to his/her email and got in through that. Hopefully Valve will be up front and explain what exactly happened once they've fully investigated, but I wouldn't expect them to..

@denis_iii: You can only change your Steam password through the Steam program. Forum accounts are separate to Steam accounts though (you might not even have one), and it's the forum account that they're requiring everyone to reset. They do advise you change the password for your main Steam account though, and on any other account elsewhere that uses the same password.

thanks, am at work so will change my steam password tonight. steam forum account reset to random password with their password reset thang.....i've been meaning to change my pw's for years so will start today across all other sites with non universal password as i stupidly had before.
Mentai 11th November 2011, 13:21 Quote
I thought I might be ok cause I use Steam Guard, meaning the hackers would need to get into my email (different password) to get into my Steam. I emailed Gabe about it, but he said to change my password anyway just to be safe.
TWeaK 11th November 2011, 13:36 Quote
@denis_iii I use Last Pass in conjunction with passwords like this. There's also things like Keepass which allows you to take it with you on a USB stick, but then I use Chrome portable and that way I get all my extensions too.
Krikkit 11th November 2011, 13:46 Quote
I wonder how many nerds have upped their passwords to huge phrases after that xkcd - I certainly made a start on the important stuff!
Th3Maverick 11th November 2011, 13:50 Quote
Quote:
Originally Posted by sakzzz
Makes me wonder whether ANYTHING is SAFE online !! ?
No.
Quote:
Originally Posted by Krikkit
I wonder how many nerds have upped their passwords to huge phrases after that xkcd - I certainly made a start on the important stuff!

I did. Gotta love Robert--pissing off hackers everywhere.
Xir 11th November 2011, 13:50 Quote
at least they encrypted the credit card data...
V3ctor 11th November 2011, 13:53 Quote
Quote:
Originally Posted by Xir
at least they encrypted the credit card data...

Doesn't make it any safer... So... Cancel the credit card is going to be my solution :/ damn...
towelie 11th November 2011, 13:55 Quote
Wow it's getting freakin insane to keep any form of passwords these days
Bede 11th November 2011, 14:00 Quote
Quote:
Originally Posted by sakzzz
Makes me wonder whether ANYTHING is SAFE online !! ?

Nothing is safe, ever. Online is safer in some ways, but less secure in many.

@Xir: how long will it take to brute-force crack that do you think? Even if it's a month or two that will still cause a huge problem.
faugusztin 11th November 2011, 14:09 Quote
Quote:
Originally Posted by Bede
@Xir: how long will it take to brute-force crack that do you think? Even if it's a month or two that will still cause a huge problem.

If they used any sensible encryption scheme, then we talk about years or decades (or much, much, much more).

For example AES :
http://www.theregister.co.uk/2011/08/19/aes_crypto_attack/
Quote:
it would still take trillions of years to recover strong AES keys using the biclique technique, which is a variant of what's known as a meet-in-the-middle cryptographic attack. This method works both from the inputs and outputs of AES towards the middle, reusing partial computation results to speed up the brute-force key search. The technique is designed to reduce the time it takes an attacker to recover the key.

DES3 :
http://en.wikipedia.org/wiki/Triple_DES

Pretty much any good encryption algorithm is unbreakable these days, unless you can get the key directly from the source (Steam in this case).
antiHero 11th November 2011, 14:26 Quote
From what I read Steam is using AES 256 encryption. If the guys who hacked steam could crack that we would have bigger problems than the stolen credit card info.

Still, it's getting a lil crazy lately with all the big companies getting hacked.
mejobloggs 11th November 2011, 14:29 Quote
This is a good reminder to enable Steam Guard. Must do it when I get home
johnnyboy700 11th November 2011, 14:48 Quote
I've got Steam Guard but I still changed everything, is there such a thing as being too paranoid with online security?

I sometimes get the feeling that a lot of these hacks are out to find easy to crack security settings and are just a modern equivalent of smash and grab raids. Basically in and out quick grab what you can, take what's easy to get and move on to the next one.
yassarikhan786 11th November 2011, 14:49 Quote
^^You can never be too paranoid. I'm changing most of my important account passwords.
l3v1ck 11th November 2011, 14:59 Quote
Well I've changed my steam password, even though I've never used their forums.

It'll be interesting to know how much of their data (or our data) they encrypt.
eVoPhantom 11th November 2011, 15:12 Quote
The sensible thing is to change your password, but am I right in assuming they don't appear to have the passwords for our accounts? (as they are hashed and salted?)
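What "hashed and salted" in Newell's statement does and does not protect, shown as an added example that is not part of the original article or thread. The KDF (PBKDF2-HMAC-SHA256), iteration count, account names and passwords are assumptions made for illustration; the article does not say which scheme Valve used.

```python
import hashlib
import hmac
import os

# Assumed parameters for illustration; the article does not say which hash,
# salt length or work factor Valve used.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_digest(password):
    """Plain SHA-256 with no salt: equal passwords always give equal digests,
    so one precomputed table applies to every account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest) for storage, using a fresh random salt per account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def find_weak_accounts(records, wordlist, iterations=ITERATIONS):
    """Defender-side audit: list accounts whose password is on a known-weak list.

    Because each account has its own salt, every (account, word) pair costs
    one full KDF run; nothing can be precomputed or shared between accounts.
    A password that is on the list is still found, which is why a reset is
    advised even when the stored values are salted hashes.
    """
    weak = []
    for user, (salt, digest) in records.items():
        for word in wordlist:
            if verify_password(word, salt, digest, iterations):
                weak.append(user)
                break
    return sorted(weak)


def build_demo_records(iterations=ITERATIONS):
    """Constructed sample accounts; the names and passwords are made up."""
    accounts = {
        "alice": "letmein",
        "bob": "letmein",  # same weak password as alice
        "carol": "correct horse battery staple",
    }
    return {
        user: hash_password(pw, iterations=iterations)
        for user, pw in accounts.items()
    }


if __name__ == "__main__":
    demo_iterations = 10_000  # lowered so the demonstration runs quickly
    records = build_demo_records(demo_iterations)
    same = records["alice"][1] == records["bob"][1]
    print("alice and bob share a stored digest:", same)
    weak = find_weak_accounts(
        records, ["123456", "password", "letmein"], demo_iterations
    )
    print("accounts using a listed password:", weak)
```
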
Hovis 11th November 2011, 15:43 Quote
This, ladies and gentlemen, is why when systems like Origin pop up and want to nose through your PC, you need to be suspicious. Because everybody gets hacked, and when they do, everything they have is suddenly shared with the world.
Fizzban 11th November 2011, 16:22 Quote
Damn. I'm not happy at the thought people have got my name and billing address. Thankfully the linked Paypal account uses a very different password. In the past I've already had someone try to claim working tax credits in my name, twice. Thank you government for losing my information -.-

I better pootle off and change my Steam password then.

Edit: Changed my Paypal password as well.
PingCrosby 11th November 2011, 17:12 Quote
Well, you all seem a pretty decent bunch of chaps so I don't mind telling you all that I changed my American Express Gold Account password to 'Damn, I fell for that one'.

P.S.

Don't tell anyone o.k.
Teh Noob Slayer 11th November 2011, 17:16 Quote
When buying things off steam, there is also an option to 'store your details' to make your next purchase quicker. UNTICK that checkbox. It is a pain in the *** to enter your details each time you make a purchase but it's probably the safer option, you should then have less of an issue.
baztow 11th November 2011, 17:21 Quote
Should people that use Paypal to buy things off steam be concerned? Since Steam doesn't have our credit card details?
Blazza181 11th November 2011, 17:41 Quote
Aw s**t. Now I have to change most of my passwords.

m'eh.
Stickeh 11th November 2011, 17:42 Quote
Quote:
Originally Posted by Teh Noob Slayer
When buying things off steam, there is also an option to 'store your details' to make your next purchase quicker. UNTICK that checkbox. It is a pain in the *** to enter your details each time you make a purchase but it's probably the safer option, you should then have less of an issue.

and i would probably spend less money too....
Bazz 11th November 2011, 17:45 Quote
Steam will not let me change my password, it says 'Steam is unavailable to change passwords at this time'

lol
tad2008 11th November 2011, 17:52 Quote
I never let any company store my credit/debit card details and as I am more active these days on more sites needing better passwords I plan to use KeePass to store them for me so I then only have one master password to remember that way the rest of my passwords can be made up of anything as I will not have to remember them.

For those that might want a better idea of password security take a look over at Steve Gibson's site:
https://www.grc.com/haystack.htm
and
https://www.grc.com/passwords.htm

I use the Ultra High Security Password Generator for my Wifi Keys
RedFlames 11th November 2011, 18:02 Quote
password generators like that, however secure they may be, always remind me of this:

http://imgs.xkcd.com/comics/password_strength.png
sharpethunder 11th November 2011, 18:28 Quote
i have changed my password just in case and my credit cards as well, got my new 1 today
Denis_iii 11th November 2011, 19:15 Quote
debit cards too?....why would steam record the card numbers though? can you add your credit/debit card details to steam as with paypal?
Lenderz 11th November 2011, 19:16 Quote
It's not that big a deal really, with Steamguard on someone cannot access your steam account without also having access to your Email (and I use google two factor auth with their smartphone app for that so they'd need my phone physically as well as my password, and the unlock code for my phone), and the credit card details are encrypted at 256 bit AES which is very very hard to break, even if they have the Salt. You're talking potentially thousands of years of CPU time to break it.

Plus Valve doesn't store your card's security numbers on the back of your cards (CVV code), additionally they'd have to bypass Visa/Mastercard security as well, plus your bank's fraud protection.

Really Valve's security and response in regards to this has been second to none, and things couldn't be much more secure. Steamguard, and the encrypted details mean that there's very little to worry about, I've requested new cards from my bank just as a precaution/best practice but other than that there's nothing really much to worry about. Unlike when Sony kept credit card information with user information in plain text.

- edit: Yes Denis_iii you can choose for steam to remember your details, or not. Again :best practice:.

- PS I do a lot of work in IT security, nothing is 100% secure, but Valve's precautionary measures have been :best practice: and you cannot ask for more really.
Er-El 11th November 2011, 19:31 Quote
I just had to request a new debit card after having lost my current one... perfect timing.
knuck 11th November 2011, 19:44 Quote
I don't even care. The odds of me being affected by this are so slim, I'm not even worried.

I wasn't scared of driving under bridges. One "fell" on me and I'm not dead.


You guys, I'm invincible. Nothing can harm me. Nothing bad can happen to me

Okay, my debit card was cloned TWICE BUT nothing bad happened. Invincible
kzinti1 11th November 2011, 19:54 Quote
Quote:
Originally Posted by sakzzz
Makes me wonder whether ANYTHING is SAFE online !! ?

no
yassarikhan786 11th November 2011, 20:12 Quote
Password changed successfully for me.
rollo 11th November 2011, 21:29 Quote
I'd be surprised if many people even have a steam forum account, as you don't get one by default I've had steam since day1 and still have no forum account
Waynio 11th November 2011, 21:40 Quote
It's a crapper :(.
Quote:
Originally Posted by rollo
I'd be surprised if many people even have a steam forum account, as you don't get one by default I've had steam since day1 and still have no forum account

I'm on the steam forum but not so sure why, mostly people complaining about games being console ports etc.
leslie 11th November 2011, 22:29 Quote
Quote:
Originally Posted by Blazza181
Aw s**t. Now I have to change most of my passwords.

m'eh.

Why?
This is such a BS myth.

Unless they know of your other accounts, your password is only going to get them into Steam. I could tell you the password to my email but what good would that do if you don't know my email address.
DragunovHUN 11th November 2011, 23:42 Quote
Quote:
Originally Posted by TWeaK
@denis_iii I use Last Pass

And what if Last Pass gets hacked? :P
Quote:
Originally Posted by leslie
Why?
This is such a BS myth.

Unless they know of your other accounts, your password is only going to get them into Steam. I could tell you the password to my email but what good would that do if you don't know my email address.

Uhh, your email address is stored in your steam account. If you happen to use the same password for both your email and steam, then they can get into your email and if they can get into your email then they can find out about EVERYTHING you ever registered to.
Jezcentral 12th November 2011, 02:34 Quote
Anyone who uses their email password for any other site is asking for trouble.
erratum1 12th November 2011, 03:25 Quote
Damn, and I thought 'Dave123:456789' would be alright.........these hackers are good.
fluxtatic 12th November 2011, 05:54 Quote
Quote:
Originally Posted by leslie
Quote:
Originally Posted by Blazza181
Aw s**t. Now I have to change most of my passwords.

m'eh.

Why?
This is such a BS myth.

Unless they know of your other accounts, your password is only going to get them into Steam. I could tell you the password to my email but what good would that do if you don't know my email address.

Trouble is that hackers now have automated tools to take a given set of credentials and hit all the big sites - Yahoo, Gmail, Facebook, etc. If you're talking forum passwords, whatever, no one cares - use the same one on all of them so it doesn't clutter up KeePass/LastPass/1Password, etc. On anything important, don't reuse passwords across any of them, ever. Preferably not even variations (I used to use variations on two passwords for everything) - using a variation of something you're already using somewhere else give a brute-force attack a head start - why give them 6 out of the 10 chars of the p/w?

After my Yahoo account got hacked a couple years ago (almost my own fault - 6 lower-case letters, a known word, etc.) I got KeePass and let that generate passwords of 80-150 bits of entropy. The p/w protecting that isn't as strong, but someone would need access to the .kdbx file itself, so I'm not too worried. That I have on my main drive, backed up to another HDD, and on the flash drive I keep with me, so I won't lose it and be totally hosed (unless my house burns down and I run out without pants on, but then I've got bigger problems anyway.)

What gets me about this is Steam got hacked on 11/6. I hadn't been on Steam since I dumped my old bank and opened an account with a credit union, so Steam still had the now-inactive card. On 11/5, they had an awesome sale on Tropico 3, so I put in the new card, told Steam to store it to keep it easy...FUUUUUU. Changed p/w and deleted card number last night...think I won't let it store the card - that made it way too easy to blow money with almost no effort. Given the backlog I've got that I haven't even downloaded yet, probably better all around that way.
fluxtatic 12th November 2011, 06:03 Quote
Quote:
Originally Posted by Lenderz

Plus Valve doesn't store your card's security numbers on the back of your cards (CVV code), additionally they'd have to bypass Visa/Mastercard security as well, plus your bank's fraud protection.

Where I work, we don't even take CVVs on cards - the system doesn't even have a place to put them in. Aside from that, on our own company credit cards, at least one gets stolen an average of once a month, without necessarily having a CVV (a lot of the places we use them don't take CVVs, either.)

As to security, I have a lovely little tale. This was on a debit card, so maybe not quite the same, but still a little disconcerting - One day I needed cash, so I hit an ATM. My wife had done the same earlier without me knowing, and so the ATM would only give me a lesser amount. After talking to her, it made sense and I didn't think much of it. However, next time I hit an ATM, told me no can do 'as a precaution'. I didn't get the phone # it showed, figuring I could just call customer service if I needed to. Next day, just to see, I tried the card at the grocery store, worked fine. Next time at ATM, no go. Pissed, I grabbed the receipt with the phone #. It was one of those irritating automated confirmations - 'this transaction for this amount at this location' The three transactions it wanted me to verify were the store, where it worked, and two failed attempts at ATMs. What security have you given me if you provide a thief the ability to still use my card until he tries to get cash, then tell him who to call to say yes the transactions are legit, so turn the spigot back on? Granted, a thief would need the PIN, but that was very close to what finally broke it for me and I closed that account shortly thereafter
BlackMage23 12th November 2011, 09:26 Quote
I do wonder what the point is in having a strong password if the database is just gona get compromised.
leslie 12th November 2011, 09:33 Quote
Quote:
Originally Posted by DragunovHUN

Uhh, your email address is stored in your steam account. If you happen to use the same password for both your email and steam, then they can get into your email and if they can get into your email then they can find out about EVERYTHING you ever registered to.

Of course it matters there because both are tied together, point is, you don't need a different password for everything.

Quote:
Originally Posted by fluxtatic
Trouble is that hackers now have automated tools to take a given set of credentials and hit all the big sites - Yahoo, Gmail, Facebook, etc.
Good luck.
You still need an account to attach it to, don't tie all your stuff together and it's not a problem.

Quote:
Originally Posted by BlackMage23
I do wonder what the point is in having a strong password if the database is just gona get compromised.
Exactly!
Why hack 5000 accounts, when you can hack one and get all 5000.
This or a rouge employee is the most common scenario for this sort of thing.

They don't really give a darn about your Facebook or Gmail account, they want your credit card.
XXAOSICXX 12th November 2011, 09:49 Quote
Quote:
Originally Posted by leslie

This or a rouge employee is the most common scenario for this sort of thing.

What difference does the colour of the employee make? :p
PabloFunky 12th November 2011, 09:54 Quote
I guess if you can find the rouge one, you know he's the culprit.(embarrassed look)

We keep being told how safe the net is, but if big companies security can be compromised it makes you wonder.

I don't bother with online accounts and buying over the net. I have been told how wonderful and safe it all is, but seems it's me that's laughing at my friends now.

I purchase my steam games at the shop and then put them on, so no card details etc etc.

Maybe if my steam gets hacked they can play some of my games and get some achievements for me.
leslie 12th November 2011, 10:21 Quote
Quote:
Originally Posted by PabloFunky
I guess if you can find the rouge one, you know he's the culprit.(embarrassed look)

We keep being told how safe the net is, but if big companies security can be compromised it makes you wonder.

I don't bother with online accounts and buying over the net. I have been told how wonderful and safe it all is, but seems it's me that's laughing at my friends now.

I purchase my steam games at the shop and then put them on, so no card details etc etc.

Maybe if my steam gets hacked they can play some of my games and get some achievements for me.

Buy through steam using Pay Pal, that leaves only a single point of failure as opposed to your card being everywhere.

When my card was stolen, it was an employee who took the card number from a sales invoice. No hacking needed and it didn't matter if it was at a local store or over the internet, it was still a person who chose to take it.

When I worked at the dot com, all phone orders ended up in the same system. We used to get people all the time saying they didn't trust the internet and wanted to order over the phone. We just entered it in through the backend into the same server.

Is that being caught rouge handed...:)
Rogue, rouge... My fingers are dyslexic, deal with it. :p
TWeaK 12th November 2011, 10:53 Quote
Quote:
Originally Posted by DragunovHUN
And what if Last Pass gets hacked? :P

If LastPass gets hacked, then I might be a bit screwed but given that they're in the security business I'd hope they'd be more likely and quicker than even Valve to notify us and help get passwords changed. At the very least with LastPass I have an easy list of which passwords I need to change :P
Apoptosis 12th November 2011, 14:09 Quote
I am so glad right now I've never bought anything from Steam. Nor do I intend to in the future - games are still much cheaper retail-bought. The first time I ever used Steam was yesterday when Skyrim necessitated its installing. And it couldn't have been much more cumbersome: Steam wouldn't let me install the game until 2 AM on Friday, though I got the game in the mail on Wednesday; before installing, Steam forced me to download Skyrim's first-day patch for an hour at a speed one-eighth of my normal download speed; and now I have to start Steam every time I want to start the game. It has proved to be one of the most intrusive and unnecessary pieces of software ever to take up space on my hard-drive, and I am sure to uninstall it as soon as I'm done playing Skyrim.
[WP@]WOLVERINE 12th November 2011, 18:05 Quote
I'm using a virtual credit card to buy stuff on steam, it's a virtual card that the bank issues for use 1 time only and with a specified amount. So once I've bought a game it makes that card invalid for any more transactions. This is by far the best way to buy stuff over the net because it's 100% safe
XXAOSICXX 12th November 2011, 22:43 Quote
Quote:
Originally Posted by leslie
Quote:
Originally Posted by PabloFunky
I guess if you can find the rouge one, you know he's the culprit.(embarrassed look)

We keep being told how safe the net is, but if big companies security can be compromised it makes you wonder.

I don't bother with online accounts and buying over the net. I have been told how wonderful and safe it all is, but seems it's me that's laughing at my friends now.

I purchase my steam games at the shop and then put them on, so no card details etc etc.

Maybe if my steam gets hacked they can play some of my games and get some achievements for me.

Buy through steam using Pay Pal, that leaves only a single point of failure as opposed to your card being everywhere.

When my card was stolen, it was an employee who took the card number from a sales invoice. No hacking needed and it didn't matter if it was at a local store or over the internet, it was still a person who chose to take it.

When I worked at the dot com, all phone orders ended up in the same system. We used to get people all the time saying they didn't trust the internet and wanted to order over the phone. We just entered it in through the backend into the same server.

Is that being caught rouge handed...:)
Rogue, rouge... My fingers are dyslexic, deal with it. :p

xD
SpAceman 13th November 2011, 08:05 Quote
Thank Gabe for Steam Guard. If I get an email from someone trying to get into my account I will change my password.
NethLyn 13th November 2011, 09:05 Quote
Quote:
Originally Posted by DragunovHUN
Uhh, your email address is stored in your steam account. If you happen to use the same password for both your email and steam, then they can get into your email and if they can get into your email then they can find out about EVERYTHING you ever registered to.

Once I enabled https all the time on my Hotmail accounts (typical MS, good idea but you have to dig into the options to find it) and changed my password, I relaxed about this, the hackers have no more info than is already out there from when I had a credit card app go missing in the post. Then again my account was hijacked last year so it's happened already, maybe that's why I'm more relaxed about it.
runadumb 13th November 2011, 14:41 Quote
Quote:
Originally Posted by SpAceman
Thank Gabe for Steam Guard. If I get an email from someone trying to get into my account I will change my password.

The problem with steam guard is it never sends me the email so I disabled it. No idea what the problem is the email address is correct and it's not in my spam filters.

How come online banks never get hacked? Do they have some kind of superduper unhackable software? Is it insanely expensive? Or are some services just too flippant about security?

I have nearly 200 games on steam. Getting hacked would (obviously) be a real problem. My steam forum account didn't have the same password or name as my steam account but it's a password I use for lots of things. Mostly low concern things, like this site.
Anneon 13th November 2011, 15:18 Quote
Had my wow account hacked via rogue android app last year. I now have very random passwords that travel with me on an encrypted sdcard.
Made me very paranoid.
AstralWanderer 13th November 2011, 16:19 Quote
Quote:
Originally Posted by runadumb
How come online banks never get hacked? Do they have some kind of superduper unhackable software? Is it insanely expensive? Or are some services just too flippant about security?
Security does have a cost and in the case of banks, they have more incentive to get things right - they would be held liable for the costs of breaches at their end. That's not to say that compromises don't happen - but (so far) they've tended to be small scale with individuals being affected due to malware on their system.

In the case of services like Steam, the biggest problem would be a malware author (or gang) hijacking their update servers and using them to push malware onto subscribers' systems (35 million PC botnet anyone?). Valve have covered themselves with the Steam EULA section 9C ("VALVE DOES NOT GUARANTEE CONTINUOUS, ERROR-FREE, VIRUS-FREE OR SECURE OPERATION AND ACCESS TO STEAM, THE SOFTWARE, YOUR ACCOUNT AND/OR YOUR SUBSCRIPTIONS(S)." - capitalisation theirs) so they have less to lose from any possible compromise.
Noswal 13th November 2011, 21:57 Quote
This is why I don't link credit card info with my account.
SirFur 14th November 2011, 16:26 Quote
Quote:
Originally Posted by Apoptosis
I am so glad right now I've never bought anything from Steam. Nor do I intend to in the future - games are still much cheaper retail-bought. The first time I ever used Steam was yesterday when Skyrim necessitated its installing. And it couldn't have been much more cumbersome: Steam wouldn't let me install the game until 2 AM on Friday, though I got the game in the mail on Wednesday; before installing, Steam forced me to download Skyrim's first-day patch for an hour at a speed one-eighth of my normal download speed; and now I have to start Steam every time I want to start the game. It has proved to be one of the most intrusive and unnecessary pieces of software ever to take up space on my hard-drive, and I am sure to uninstall it as soon as I'm done playing Skyrim.

So you have never played HL2? Never played TF2? Never played L4D?

Fair enough but you're missing so much there.

Steam is one of the best things that have happened to gaming, and I hate it when people start steam-bashing without a good reason. The fact of the matter is buying games through is about being clever...and waiting for the sales. All of my games on Steam I have had I have bought cheaper than I would EVER have gotten them via retail stores, even if I waited several years for retail prices to crash, I wouldn't be able to get them cheaper; same price at best. Buying non-offer items are more expensive yes, but not always.

The fact that steam didn't let you download it till that time was cos that's when the game was to be launched!! Intrusive pieces of software? Please explain why you think so? Unnecessary? It is the best user-friendly form of DRM out there that has a decent success rate albeit it is still possible to hack valve-games.
AstralWanderer 14th November 2011, 17:30 Quote
Quote:
Originally Posted by SirFur
So you have never played HL2? Never played TF2? Never played L4D?

Fair enough but you're missing so much there.
There are plenty of other good games out there that don't require Steam - and Steam is the second most restrictive form of DRM (activate-on-play) with only the always-online systems like Ubisoft's being more limiting.
Quote:
Originally Posted by SirFur
Steam is one of the best things that have happened to gaming, and I hate it when people start steam-bashing without a good reason....
I've posted elsewhere on this, so no point regurgitating, but there are several reasons to argue the exact opposite. Steam is currently the closest thing to a monopoly in the gaming world and such things tend to go badly at some point.
Paulg1971 14th November 2011, 19:31 Quote
Quote:
Originally Posted by Apoptosis
I am so glad right now I've never bought anything from Steam. Nor do I intend to in the future - games are still much cheaper retail-bought. The first time I ever used Steam was yesterday when Skyrim necessitated its installing. And it couldn't have been much more cumbersome: Steam wouldn't let me install the game until 2 AM on Friday, though I got the game in the mail on Wednesday; before installing, Steam forced me to download Skyrim's first-day patch for an hour at a speed one-eighth of my normal download speed; and now I have to start Steam every time I want to start the game. It has proved to be one of the most intrusive and unnecessary pieces of software ever to take up space on my hard-drive, and I am sure to uninstall it as soon as I'm done playing Skyrim.


I got Far Cry 2 for £3.99, couldn't get it that price retail
AstralWanderer 14th November 2011, 20:55 Quote
Quote:
Originally Posted by Paulg1971
I got Far Cry 2 for £3.99, couldn't get it that price retail
Best retail price is currently £5.01 - not too far off and a bargain compared to Steam's normal price of €19.99. Still screws you over with activate-on-install DRM though.
Fizzban 17th November 2011, 21:38 Quote
Steam is for bargains in sales and indie games, nothing else. For me anyway. Anyone who keeps their whole gaming catalogue in an account that can be hacked is trusting a great deal in a company to not **** up. And they do, they all do. Pretty regularly in fact. If that game matters to you, buy a physical copy.
leslie 17th November 2011, 22:48 Quote
Quote:
Originally Posted by Fizzban
Steam is for bargains in sales and indie games, nothing else. For me anyway. Anyone who keeps their whole gaming catalogue in an account that can be hacked is trusting a great deal in a company to not **** up. And they do, they all do. Pretty regularly in fact. If that game matters to you, buy a physical copy.

You haven't looked at Steam closely or at all apparently.
You can make a physical disk/backup for the games. The only real risk with Steam is if they fold and turn off all the servers, and from my understanding if they did that, they intend to make some arrangement so games don't just stop. Many will work without it anyhow.

For me, it's been a great service.
I can't complain too much about them getting hacked when other, larger companies are as well, and in worse ways. I'm unhappy it happened, but nothing is 100% safe.
AstralWanderer 18th November 2011, 10:02 Quote
Quote:
Originally Posted by leslie
...from my understanding if they did that, they intend to make some arrangement so games don't just stop.
Care to provide a link for this? There is no mention of it in their EULA except under very limited circumstances (section 13.C.2 - if you have one game only, Steam terminate your account and only at Valve's discretion).

As Shamus Young explains in detail in his Authorization Servers article, even if such promises were made, they'd have little value.
Zurechial 18th November 2011, 10:27 Quote
Quote:
Originally Posted by AstralWanderer
Care to provide a link for this? There is no mention of it in their EULA except under very limited circumstances (section 13.C.2 - if you have one game only, Steam terminate your account and only at Valve's discretion).

As Shamus Young explains in detail in his Authorization Servers article, even if such promises were made, they'd have little value.

Aside from release dates, Valve tend to follow through on their promises sooner or later. These things aren't always written into EULAs - And maybe that's a good thing.

In practical terms it's rarely all that difficult to get Steam games working without Steam anyway, so if Valve somehow went bust some day you can always count on Razor1911 and others to get your games working just fine as long as you downloaded them already before the system hypothetically stopped working.
Hell, some developers do it for you. My copy of X3 - Terran Conflict which I bought on Steam works just fine without Steam after applying the legal and legitimate no-CD patch that Egosoft released for the retail version of the game.
The DRM component of Steam reliability in games is almost always encased solely in the game's core executable; so there isn't a whole lot that would need changing in the majority of cases to get a game running legitimately without Steam if the service went belly-up.

Steam is dangerously close to being a monopoly, yes; but to me there's a massive difference between a monopoly by a publicly-traded giant of a corporation like Microsoft, EA or Activision known for treating customers like shite and lying through their teeth; And a monopoly by a privately-held company like Valve known for treating their customers well (aside from euro pricing) and being generally quite honest.

There's a good chance that PC gaming would be in a far worse state today due to unprofitability if it weren't for Valve and Steam; And the 'digital distribution' approach needed someone to get it right. Valve happened to be that someone, even if it took them a while to make Steam genuinely useful and appealing for the gamer.

Do you think any of the other companies would have been as successful if they tried?
Companies like Activision and EA have clearly shown that they would have screwed it up if they had been the ones to try because they have track records of being typical corporate scum and it seems to show in every single thing they do these days.
On top of that there's the fact that Valve has provided the industry with the formula for success in the form of Steam and still EA managed to cluster**** the whole idea with the abomination that is Origin.

The reason that Valve has a monopoly is that they're one of the few companies to really get the whole thing right. It's hardly their fault that other companies have proven themselves unwilling or incapable of achieving the same.
I'm not saying that a monopoly is a good thing by any stretch of the imagination and not everything that Valve does is ideal but I'm not entirely sure things would be better in PC gaming without Steam and I'd much rather have Gabe Newell running the dominant force than someone like Bobby Kotick or John Riccitiello.

---

As for the actual topic of companies getting hacked..

Every 'prime target' gets hacked sooner or later. It's how they handle it that counts; And so far Valve is handling it a lot better than others in the recent past such as Sony.
Fizzban 18th November 2011, 15:10 Quote
Quote:
Originally Posted by leslie
You haven't looked at Steam closely or at all apparently.
You can make a physical disk/backup for the games. The only real risk with Steam is if they fold and turn off all the servers, and from my understanding if they did that, they intend to make some arrangement so games don't just stop. Many will work without it anyhow.

For me, it's been a great service.
I can't complain too much about them getting hacked when other, larger companies are as well, and in worse ways. I'm unhappy it happened, but nothing is 100% safe.

I know you can create a backup, but if you were unlucky enough to be hacked I can't see that helping you much when you can't log into your Steam account. Thankfully Steam are pretty decent at keeping things safe. But as you know s*** happens. Hence my not wanting all my games in one place, that, and I love having and opening shiny new physical editions. :D
AstralWanderer 18th November 2011, 17:40 Quote
Quote:
Originally Posted by Zurechial
Companies like Activision and EA...have track records of being typical corporate scum...
While I wouldn't disagree with this viewpoint, these companies weren't always bad - EA was one of the main publishers back in the 8-bit days (gawd, I'm showing my age here) and Activision started almost as an "indie" competing with Atari. Why reminisce? Just as these companies changed, so can anyone else.
Quote:
Originally Posted by Zurechial
The reason that Valve has a monopoly is that they're one of the few companies to really get the whole thing right...
By not offering refunds on APB? (or for that matter, almost everything else). By disabling accounts entirely due to Paypal problems on a single game purchase?

A company's true colours are best judged when things go amiss and I fail to see, with examples like the above, how Valve can be compared favourably.
Quote:
Originally Posted by Zurechial
...so far Valve is handling it a lot better than others in the recent past such as Sony.
As noted in Ars Technica's discussion, aside from the timing of the initial message (Sony taking 6 days compared to Valve's 4), both incidents have very similar circumstances. If anything, the Valve breach is more serious since it has placed more users at risk.
leslie 18th November 2011, 21:53 Quote
Quote:
Originally Posted by Fizzban
I know you can create a backup, but if you were unlucky enough to be hacked I can't see that helping you much when you can't log into your Steam account. Thankfully Steam are pretty decent at keeping things safe. But as you know s*** happens. Hence my not wanting all my games in one place, that, and I love having and opening shiny new physical editions. :D

Most games you play for a bit then no longer care about. The only game from there I play regularly is L4D2. The rest of the games I have there I hardly play so losing them would not have been much of a loss anyway.

How many games would you really lose?
That game you played a year ago isn't really much of a loss is it? And how much would it cost to replace at this point? I could get back everything from Steam I want for about $10 at this point.
Quote:
Originally Posted by AstralWanderer
While I wouldn't disagree with this viewpoint, these companies weren't always bad - EA was one of the main publishers back in the 8-bit days (gawd, I'm showing my age here) and Activision started almost as an "indie" competing with Atari. Why reminisce? Just as these companies changed, so can anyone else.
You are talking a period of years, not weeks or days.
Most people lose interest in games pretty fast so the reality is that even if it went bad, you aren't going to lose much, especially as the company goes belly up, people will start bailing.

Quote:
As noted in Ars Technica's discussion, aside from the timing of the initial message (Sony taking 6 days compared to Valve's 4), both incidents have very similar circumstances. If anything, the Valve breach is more serious since it has placed more users at risk.
Steam was hacked, Sony was just plain incompetent.

Steam was hacked just as any company can be, but they were at least smart enough to have put some effort into protecting the user. Sony did nothing. For all of Sony's money, they couldn't be bothered investing in even the slightest bit of encryption to protect user information. The fact that the crooks got in how many times after should tell you something as well.

Sorry, but I would rather have my Pay Pal on file with Steam, than a credit card on file with Sony PSN any day of the week.


Oh and as for APB, Steam's policy is about the same as any store in the US. Once you open a bit of software, it's yours. No refunds. Too many people bought it, burned it then returned it, or they bought games like BF, cheated, got blocked and then returned the games for a new copy. You most likely would not have gotten a refund at any US store either.
AstralWanderer 18th November 2011, 22:42 Quote
Quote:
Originally Posted by leslie
Most games you play for a bit then no longer care about...
That might be true for you - but I can (and do) play games purchased 10 or more years ago. I doubt I'm the only one.
Quote:
Originally Posted by leslie
That game you played a year ago isn't really much of a loss is it? And how much would it cost to replace at this point? I could get back everything from Steam I want for about $10 at this point.
If the game used Steamworks then you wouldn't be able to replace it at all, in the event of losing access to Steam. As for value - it depends on availability. Many games go "out of print" and can only be replaced through the second-hand market.

Then there is the matter of consumer rights. If I pay for something, I expect to be able to use it when and where I please - not being blocked from playing before a release date, due to server loads (i.e. the distributor not budgeting enough for server capacity and bandwidth) or due to being in a different region. If you care about your gaming, these things should matter to you too.
Quote:
Originally Posted by leslie
Steam was hacked, Sony was just plain incompetent....For all of Sony's money, they couldn't be bothered investing in even the slightest bit of encryption to protect user information. The fact that the crooks got in how many times after should tell you something as well.
Some fact-checking would be useful here:
  1. Sony did encrypt credit card details, but not other data. PS3 PSN network traffic was also encrypted, though this was defeated. So it's fair to criticise Sony for not using enough encryption - but not for using no encryption.
  2. Valve didn't know their database had been breached until a separate compromise on their forum caused them to review security. We don't know how long their systems have been compromised for, or how many groups were involved. So they could have been compromised long before Sony (and Steam would be a more attractive target due to its ability to compromise 35 million+ PCs). We have to wait and see what turns up before passing judgment.
Quote:
Originally Posted by leslie
Oh and as for APB, Steam's policy is about the same as any store in the US. Once you open a bit of software, it's yours. No refunds...
EA were offering refunds (though in the form of vouchers) - this was an MMO reliant on game servers so consumers in the US should have been able to claim store refunds due to breach of contract (and this would certainly apply in the EU).
AstralWanderer 28th November 2011, 20:38 Quote
It's now been 3 weeks since the initial closure by Valve and no further information has been given, nor has any visible action been taken to fix the cause of the breach. Continued silence from Valve is the worst outcome since it implies either security failings embarrassing enough to hide, or a compromise so serious that it hasn't been fixable so far (in which case, the affected services should have been taken offline to avoid compromising users further).

Perhaps Bit-Tech might wish to follow this up with Valve?

In comparison, after 21 days Sony had disclosed the full known extent of their security breach, arranged ID theft insurance for US users and had rebuilt the PSN network (still undergoing final testing, but just 4 days from relaunch).
faugusztin 28th November 2011, 20:56 Quote
Quote:
Originally Posted by AstralWanderer
It's now been 3 weeks since the initial closure by Valve and no further information has been given, nor has any visible action been taken to fix the cause of the breach. Continued silence from Valve is the worst outcome since it implies either security failings embarrassing enough to hide, or a compromise so serious that it hasn't been fixable so far (in which case, the affected services should have been taken offline to avoid compromising users further).

Huh, from where do you take the information that there was no fix? The fix was to fix the hole in forums through which they attacked. Why do you think the forums were online for a few days?

But maybe by "fix" you mean compensation etc... In that case use the correct words, because the breach was of course fixed.
AstralWanderer 28th November 2011, 21:25 Quote
Quote:
Originally Posted by faugusztin
Huh, from where do you take the information that there was no fix?
Because nothing has been stated by Valve about any fix on its news page.
Quote:
Originally Posted by faugusztin
The fix was to fix the hole in forums through which they attacked. Why do you think the forums were online for a few days?
Thread title:

News Steam forum and database hacked

Original post:

Valve co-founder Gabe Newell confirms that the Steam database and its forum accounts were hacked, gives advice to cope.

The article linked to this thread:

‘We learned that intruders obtained access to a Steam database in addition to the forums,’ added Newell, ‘This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.’

So no, it wasn't just the forums...