The Steam forum and database have been compromised, causing concern for hundreds of thousands of gamers.
Valve co-founder Gabe Newell has confirmed that not only were the Steam forums ‘defaced’ but that ‘the intrusion goes beyond the Steam forums.’ Newell released an IM to the Steam forum users to alert them to the risks, and Valve is responsibly requiring people to reset their Steam forum account password.
‘We learned that intruders obtained access to a Steam database in addition to the forums,’ added Newell. ‘This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.’
However, ‘we don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.’
As well as requiring Steam forum users to reset their passwords, Valve is also advising that if you use the same password for other sites, you should change those too.
While there’s no knowledge of Steam accounts (which are separate from Steam forum accounts) being compromised, ‘it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password.’
Thoughts or advice on the situation? Tell us via the forum.
Coming straight out and saying it seems much smarter than saying there's nothing wrong, there's nothing wrong, THERE IS NOTHING WRONG!
Still, just set new passwords on everything, can't be too careful.
The key difference between them and Sony, however, is that they hashed the passwords.
Tbh though I do wonder what the cause of it was. I have a feeling they got hold of an employee's forum account, which they then used to alter the forums, and this employee also had access to the database. So, either the employee used the same password for the database or maybe they had access to his/her email and got in through that. Hopefully Valve will be up front and explain what exactly happened once they've fully investigated, but I wouldn't expect them to.
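The comment above, and Newell's statement that the leaked database held ‘hashed and salted’ passwords, turn on what an attacker actually sees in a stolen table. The following is an added illustration (not Valve's code, and not code from any poster here) contrasting a plaintext store, an unsalted fast hash, and a salted slow KDF over a constructed set of users; the user names, passwords and PBKDF2 round count are assumptions made for the demo.

```python
"""Why 'hashed and salted' matters when a user database leaks.

Constructed demo (not Valve's code): three storage schemes for the same
set of user passwords, and what an attacker holding the leaked table sees.
"""
import hashlib
import hmac
import os
from collections import Counter
from typing import Callable, Dict, Optional

PBKDF2_ROUNDS = 50_000  # illustrative; tune to your hardware in production
SALT_LEN = 16

# Constructed sample users: note that two of them chose the same weak password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}


def store_plaintext(password: str) -> bytes:
    """Scheme 1: a plaintext store leaks the password itself."""
    return password.encode("utf-8")


def store_unsalted(password: str) -> bytes:
    """Scheme 2: fast unsalted hash. Equal passwords give equal digests, and one
    precomputed SHA-256 table cracks every record in the dump at once."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def store_salted(password: str, salt: Optional[bytes] = None) -> bytes:
    """Scheme 3: per-user random salt plus a slow KDF, stored as salt || digest.
    Each guess must be recomputed per user, so leaked records cannot be
    attacked in bulk with a precomputed table."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_salted(password: str, record: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def duplicate_groups(records: Dict[str, bytes]) -> int:
    """Number of stored values shared by more than one user. In a leaked
    plaintext or unsalted table this tells the holder which accounts share a
    password before a single hash is cracked; with per-user salts it is zero."""
    counts = Counter(records.values())
    return sum(1 for c in counts.values() if c > 1)


def build_table(scheme: Callable[[str], bytes]) -> Dict[str, bytes]:
    """Apply one storage scheme to every constructed user."""
    return {user: scheme(pw) for user, pw in USERS.items()}


if __name__ == "__main__":
    for name, scheme in [("plaintext", store_plaintext), ("unsalted", store_unsalted), ("salted", store_salted)]:
        print(f"{name:9s}: {duplicate_groups(build_table(scheme))} shared value(s) visible in the dump")
    salted = build_table(store_salted)
    print("verify alice/hunter2:", verify_salted("hunter2", salted["alice"]))
```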
@denis_iii: You can only change your Steam password through the Steam program. Forum accounts are separate to Steam accounts though (you might not even have one), and it's the forum account that they're requiring everyone to reset. They do advise you change the password for your main Steam account though, and on any other account elsewhere that uses the same password.
thanks, am at work so will change my steam password tonight. steam forum account reset to random password with their password reset thang..... I've been meaning to change my pw's for years so will start today across all other sites with non-universal password as I stupidly had before.
I did. Gotta love Robert--pissing off hackers everywhere.
Doesn't make it any safer... So... Cancel the credit card is going to be my solution :/ damn...
Nothing is safe, ever. Online is safer in some ways, but less secure in many.
@Xir: how long will it take to brute-force crack that do you think? Even if it's a month or two that will still cause a huge problem.
If they used any sensible encryption scheme, then we talk about years or decades (or much, much, much more).
For example AES: http://www.theregister.co.uk/2011/08/19/aes_crypto_attack/
DES3: http://en.wikipedia.org/wiki/Triple_DES
Pretty much any good encryption algorithm is unbreakable these days, unless you can get the key directly from the source (Steam in this case).
Still, it's getting a lil crazy lately with all the big companies getting hacked.
I sometimes get the feeling that a lot of these hacks are out to find easy to crack security settings and are just a modern equivalent of smash and grab raids. Basically in and out quick, grab what you can, take what's easy to get and move on to the next one.
It'll be interesting to know how much of their data (or our data) they encrypt.
I better pootle off and change my Steam password then.
Edit: Changed my Paypal password as well.
P.S.
Don't tell anyone o.k.
m'eh.
and i would probably spend less money too....
lol
For those that might want a better idea of password security take a look over at Steve Gibson's site:
https://www.grc.com/haystack.htm
and
https://www.grc.com/passwords.htm
I use the Ultra High Security Password Generator for my Wifi Keys
http://imgs.xkcd.com/comics/password_strength.png
Plus Valve doesn't store your card's security number from the back of your card (CVV code), additionally they'd have to bypass Visa/Mastercard security as well, plus your bank's fraud protection.
Really Valve's security and response in regards to this has been second to none, and things couldn't be much more secure. Steamguard, and the encrypted details mean that there's very little to worry about, I've requested new cards from my bank just as a precaution/best practice but other than that there's nothing really much to worry about. Unlike when Sony kept credit card information with user information in plain text.
- edit: Yes Denis_iii you can choose for steam to remember your details, or not. Again :best practice:.
- PS I do a lot of work in IT security, nothing is 100% secure, but Valve's precautionary measures have been :best practice: and you cannot ask for more really.
I wasn't scared of driving under bridges. One "fell" on me and I'm not dead.
You guys, I'm invincible. Nothing can harm me. Nothing bad can happen to me
Okay, my debit card was cloned TWICE BUT nothing bad happened. Invincible
no
I'm on the steam forum but not so sure why, mostly people complaining about games being console ports etc.
Why?
This is such a BS myth.
Unless they know of your other accounts, your password is only going to get them into Steam. I could tell you the password to my email but what good would that do if you don't know my email address.
And what if Last Pass gets hacked? :P
Uhh, your email address is stored in your steam account. If you happen to use the same password for both your email and steam, then they can get into your email and if they can get into your email then they can find out about EVERYTHING you ever registered to.
Trouble is that hackers now have automated tools to take a given set of credentials and hit all the big sites - Yahoo, Gmail, Facebook, etc. If you're talking forum passwords, whatever, no one cares - use the same one on all of them so it doesn't clutter up KeePass/LastPass/1Password, etc. On anything important, don't reuse passwords across any of them, ever. Preferably not even variations (I used to use variations on two passwords for everything) - using a variation of something you're already using somewhere else gives a brute-force attack a head start - why give them 6 out of the 10 chars of the p/w?
After my Yahoo account got hacked a couple years ago (almost my own fault - 6 lower-case letters, a known word, etc.) I got KeePass and let that generate passwords of 80-150 bits of entropy. The p/w protecting that isn't as strong, but someone would need access to the .kdbx file itself, so I'm not too worried. That I have on my main drive, backed up to another HDD, and on the flash drive I keep with me, so I won't lose it and be totally hosed (unless my house burns down and I run out without pants on, but then I've got bigger problems anyway.)
What gets me about this is Steam got hacked on 11/6. I hadn't been on Steam since I dumped my old bank and opened an account with a credit union, so Steam still had the now-inactive card. On 11/5, they had an awesome sale on Tropico 3, so I put in the new card, told Steam to store it to keep it easy...FUUUUUU. Changed p/w and deleted card number last night...think I won't let it store the card - that made it way too easy to blow money with almost no effort. Given the backlog I've got that I haven't even downloaded yet, probably better all around that way.
Where I work, we don't even take CVVs on cards - the system doesn't even have a place to put them in. Aside from that, on our own company credit cards, at least one gets stolen an average of once a month, without necessarily having a CVV (a lot of the places we use them don't take CVVs, either.)
As to security, I have a lovely little tale. This was on a debit card, so maybe not quite the same, but still a little disconcerting - One day I needed cash, so I hit an ATM. My wife had done the same earlier without me knowing, and so the ATM would only give me a lesser amount. After talking to her, it made sense and I didn't think much of it. However, next time I hit an ATM, told me no can do 'as a precaution'. I didn't get the phone # it showed, figuring I could just call customer service if I needed to. Next day, just to see, I tried the card at the grocery store, worked fine. Next time at ATM, no go. Pissed, I grabbed the receipt with the phone #. It was one of those irritating automated confirmations - 'this transaction for this amount at this location' The three transactions it wanted me to verify were the store, where it worked, and two failed attempts at ATMs. What security have you given me if you provide a thief the ability to still use my card until he tries to get cash, then tell him who to call to say yes the transactions are legit, so turn the spigot back on? Granted, a thief would need the PIN, but that was very close to what finally broke it for me and I closed that account shortly thereafter
Of course it matters there because both are tied together, point is, you don't need a different password for everything.
You still need an account to attach it to, don't tie all your stuff together and it's not a problem.
Why hack 5000 accounts, when you can hack one and get all 5000.
This or a rouge employee is the most common scenario for this sort of thing.
They don't really give a darn about your Facebook or Gmail account, they want your credit card.
What difference does the colour of the employee make? :p
We keep being told how safe the net is, but if big companies' security can be compromised it makes you wonder.
I don't bother with online accounts and buying over the net. I have been told how wonderful and safe it all is, but seems it's me that's laughing at my friends now.
I purchase my steam games at the shop and then put them on, so no card details etc etc.
Maybe if my steam gets hacked they can play some of my games and get some achievements for me.
Buy through steam using Pay Pal, that leaves only a single point of failure as opposed to your card being everywhere.
When my card was stolen, it was an employee who took the card number from a sales invoice. No hacking needed and it didn't matter if it was at a local store or over the internet, it was still a person who chose to take it.
When I worked at the dot com, all phone orders ended up in the same system. We used to get people all the time saying they didn't trust the internet and wanted to order over the phone. We just entered it in through the backend into the same server.
Is that being caught rouge handed...:)
Rogue, rouge... My fingers are dyslexic, deal with it. :p
If LastPass gets hacked, then I might be a bit screwed but given that they're in the security business I'd hope they'd be more likely and quicker than even Valve to notify us and help get passwords changed. At the very least with LastPass I have an easy list of which passwords I need to change :P
xD
Once I enabled https all the time on my Hotmail accounts (typical MS, good idea but you have to dig into the options to find it) and changed my password, I relaxed about this, the hackers have no more info than is already out there from when I had a credit card app go missing in the post. Then again my account was hijacked last year so it's happened already, maybe that's why I'm more relaxed about it.
The problem with steam guard is it never sends me the email so I disabled it. No idea what the problem is, the email address is correct and it's not in my spam filters.
How come online banks never get hacked? Do they have some kind of superduper unhackable software? Is it insanely expensive? Or are some services just too flippant about security?
I have nearly 200 games on steam. Getting hacked would (obviously) be a real problem. My steam forum account didn't have the same password or name as my steam account but it's a password I use for lots of things. Mostly low concern things, like this site.
Made me very paranoid.
In the case of services like Steam, the biggest problem would be a malware author (or gang) hijacking their update servers and using them to push malware onto subscribers' systems (35 million PC botnet anyone?). Valve have covered themselves with the Steam EULA section 9C ("VALVE DOES NOT GUARANTEE CONTINUOUS, ERROR-FREE, VIRUS-FREE OR SECURE OPERATION AND ACCESS TO STEAM, THE SOFTWARE, YOUR ACCOUNT AND/OR YOUR SUBSCRIPTIONS(S)." - capitalisation theirs) so they have less to lose from any possible compromise.
So you have never played HL2? Never played TF2? Never played L4D?
Fair enough but you're missing so much there.
Steam is one of the best things that have happened to gaming, and I hate it when people start steam-bashing without a good reason. The fact of the matter is buying games through is about being clever...and waiting for the sales. All of my games on Steam I have had I have bought cheaper than I would EVER have gotten them via retail stores, even if I waited several years for retail prices to crash, I wouldn't be able to get them cheaper; same price at best. Buying non-offer items are more expensive yes, but not always.
The fact that steam didn't let you download it till that time was 'cos that's when the game was to be launched!! Intrusive pieces of software? Please explain why you think so? Unnecessary? It is the best user-friendly form of DRM out there that has a decent success rate albeit it is still possible to hack valve-games.
I got Far Cry 2 for £3.99, couldn't get it that price retail
You haven't looked at Steam closely or at all apparently.
You can make a physical disk/backup for the games. The only real risk with Steam is if they fold and turn off all the servers, and from my understanding if they did that, they intend to make some arrangement so games don't just stop. Many will work without it anyhow.
For me, it's been a great service.
I can't complain too much about them getting hacked when other, larger companies are as well, and in worse ways. I'm unhappy it happened, but nothing is 100% safe.
As Shamus Young explains in detail in his Authorization Servers article, even if such promises were made, they'd have little value.
Aside from release dates, Valve tend to follow through on their promises sooner or later. These things aren't always written into EULAs - And maybe that's a good thing.
In practical terms it's rarely all that difficult to get Steam games working without Steam anyway, so if Valve somehow went bust some day you can always count on Razor1911 and others to get your games working just fine as long as you downloaded them already before the system hypothetically stopped working.
Hell, some developers do it for you. My copy of X3 - TerranConflict which I bought on Steam works just fine without Steam after applying the legal and legitimate no-CD patch that Egosoft released for the retail version of the game.
The DRM component of Steam reliability in games is almost always encased solely in the game's core executable; so there isn't a whole lot that would need changing in the majority of cases to get a game running legitimately without Steam if the service went belly-up.
Steam is dangerously close to being a monopoly, yes; but to me there's a massive difference between a monopoly by a publicly-traded giant of a corporation like Microsoft, EA or Activision known for treating customers like shite and lying through their teeth; And a monopoly by a privately-held company like Valve known for treating their customers well (aside from euro pricing) and being generally quite honest.
There's a good chance that PC gaming would be in a far worse state today due to unprofitability if it weren't for Valve and Steam; And the 'digital distribution' approach needed someone to get it right. Valve happened to be that someone, even if it took them a while to make Steam genuinely useful and appealing for the gamer.
Do you think any of the other companies would have been as successful if they tried?
Companies like Activision and EA have clearly shown that they would have screwed it up if they had been the ones to try because they have track records of being typical corporate scum and it seems to show in every single thing they do these days.
On top of that there's the fact that Valve has provided the industry with the formula for success in the form of Steam and still EA managed to cluster**** the whole idea with the abomination that is Origin.
The reason that Valve has a monopoly is that they're one of the few companies to really get the whole thing right. It's hardly their fault that other companies have proven themselves unwilling or incapable of achieving the same.
I'm not saying that a monopoly is a good thing by any stretch of the imagination and not everything that Valve does is ideal but I'm not entirely sure things would be better in PC gaming without Steam and I'd much rather have Gabe Newell running the dominant force than someone like Bobby Kotick or John Riccitiello.
---
As for the actual topic of companies getting hacked..
Every 'prime target' gets hacked sooner or later. It's how they handle it that counts; And so far Valve is handling it a lot better than others in the recent past such as Sony.
I know you can create a backup, but if you were unlucky enough to be hacked I can't see that helping you much when you can't log into your Steam account. Thankfully Steam are pretty decent at keeping things safe. But as you know s*** happens. Hence my not wanting all my games in one place, that, and I love having and opening shiny new physical editions. :D
A company's true colours are best judged when things go amiss and I fail to see, with examples like the above, how Valve can be compared favourably.
Most games you play for a bit then no longer care about. The only game from there I play regularly is L4D2. The rest of the games I have there I hardly play so losing them would not have been much of a loss anyway.
How many games would you really lose?
That game you played a year ago isn't really much of a loss is it? And how much would it cost to replace at this point? I could get back everything from Steam I want for about $10 at this point.
Most people lose interest in games pretty fast so the reality is that even if it went bad, you aren't going to lose much, especially as the company goes belly up, people will start bailing.
Steam was hacked just as any company can be, but they were at least smart enough to have put some effort into protecting the user. Sony did nothing. For all of Sony's money, they couldn't be bothered investing in even the slightest bit of encryption to protect user information. The fact that the crooks got in how many times after should tell you something as well.
Sorry, but I would rather have my Pay Pal on file with Steam, than a credit card on file with Sony PSN any day of the week.
Oh and as for APB, Steam's policy is about the same as any store in the US. Once you open a bit of software, it's yours. No refunds. Too many people bought it, burned it then returned it, or they bought games like BF, cheated, got blocked and then returned the games for a new copy. You most likely would not have gotten a refund at any US store either.
Then there is the matter of consumer rights. If I pay for something, I expect to be able to use it when and where I please - not being blocked from playing before a release date, due to server loads (i.e. the distributor not budgeting enough for server capacity and bandwidth) or due to being in a different region. If you care about your gaming, these things should matter to you too.
Perhaps Bit-Tech might wish to follow this up with Valve?
In comparison, after 21 days Sony had disclosed the full known extent of their security breach, arranged ID theft insurance for US users and had rebuilt the PSN network (still undergoing final testing, but just 4 days from relaunch).
Huh, from where do you take the information that there was no fix? The fix was to fix the hole in the forums through which they attacked. Why do you think the forums were offline for a few days?
But maybe by "fix" you mean compensation etc... In that case use the correct words, because the breach was of course fixed.
News Steam forum and database hacked
Original post:
Valve co-founder Gabe Newell confirms that the Steam database and its forum accounts were hacked, gives advice to cope.
The article linked to this thread:
We learned that intruders obtained access to a Steam database in addition to the forums, added Newell, This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.
So no, it wasn't just the forums...