By Jim Rossignol on November 10th, 2011 at 10:45 pm.

We’ve just had a note from Gabe Newell saying: “Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.”
It might be a good idea to change your Steam password, clearly. Full text below.
The following is being IM’d to the Steam user base.
———————-
Dear Steam Users and Steam Forum Users,
Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.
While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.
We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.
We will reopen the forums as soon as we can.
I am truly sorry this happened, and I apologize for the inconvenience.
Gabe.


Shit.
Not good. Not good at all.
Ninja’ing a top comment reply because I think it bears everyone knowing (cut and paste from page 2 comments)…
8 Digits IS NOT ENOUGH!
Hell 10 digits isn’t – but 8 is a joke.
Any standard “human” password (as in not random ascii; a few letters [1 or 2 upper case], a couple of numbers and 1 or 2 common punctuations [full stop is the most common]) can be broken in 2 seconds.
Yes, 2 seconds based on GPU driven brute forcing software and an average GPU.
Hell even fully random 8 char gibberish (full ascii) passwords can be GPU broken in hours or days rather than the years a CPU would take.
12 will give you years, but faster GPUs are quickly (frighteningly quickly) making even 12 digit alphanumeric passwords useless.
I’d highly recommend everyone use 1 highly complex master password (a complex mnemonic of at least 15 characters with at least 3-4 numbers and 3-4 punctuation)
Say something like:
I WANT ten BIG apple pies for my (50th) birthday (remembering the capitals by stressing the words)
iW10Ba3.14sfm(50th)bd
Easy phrase to remember (with some practice), solid 21 digit alphanumeric (+) password.
Heck even just “iwant10applepiesformybirthday” is exponentially stronger than any 8-10 digit utterly random ASCII password.
Then use that with a password manager – hell, a 256 bit AES encrypted 7-zip with a text file to cut and paste from works in a pinch.
http://xkcd.com/936/
^^^^
Read that comic above. It makes passwords fun!!
The only problem with that method is if it catches on, hackers will develop faster methods of calculating them. For now it is the easiest way of remembering complex passwords, but in 5 years’ time it might be as useless as “word + 2 numbers”, but by then you could just start adding extra complexity to defeat that.
Constant arms race.
By 2020 All of us will have 100 digit word and number sequences, hell either that or personal password managing devices that use biometrics as their key.
It’s pretty obvious that, eventually at least, biometrics is going to be how security is done.
As of now, four 4 letter+ random words is more than enough, and probably will be for a good amount of time.
All of this aside, Valve is also probably having to deal with Secret Service and FBI agents right now. First: I’m sure Valve reported to the proper authorities. Second: even if they didn’t, the proper authorities are, I’m sure, going to want to look into this.
OK, I gotta say I don’t know US law enforcement very well, but this sounds pretty… overkill? Secret Service? Aren’t they mainly concerned about congress members’ and the president’s lives and such?
Now not to say that I am an expert or anything. But the argument that 8 digits is not enough is complete crap to me. Sure your GPU may brute force guess my password in 2 seconds – but so what? It does not know that it has guessed the correct password, to actually be of any use it has to test the guesses against the server that holds the password. And there are plenty of failsafes in place at most places to stop such activity, or monitor it and shut it down.
I have had accounts broken into where I have used simple passwords – i.e. a word and a number – two or three times. I have never had anything broken into that uses a random string of even more than 5 characters. Because to break such a password takes extra time, and is more likely to be detected. Usually to warrant such extra effort they would be trying to break into a Steam database, rather than attempting to break into some random account which is potentially going to get them no reward whatsoever.
Secret Service protects the President and other politicians, yes… But they also have other duties. For example they handle counterfeit operations on behalf of the Treasury I think.
Kaira – the Secret Service used to handle identity theft and similar cases. I think that area of law enforcement is actually part of Homeland Security now (not sure, last time I dealt with them was in 03, and it was still handled by the Secret Service).
“I have never had anything broken into that uses a random string of even more then 5 characters. Because to break such a password takes extra time, and more likely to be detected.”
Indeed. If you have a character limit or otherwise can’t use the tons-of-characters method, I recommend using words that are not in any dictionary. They’re a bit tougher to remember (because you’re making up or deriving words that you better remember how to spell), so try to invent a “keychain” of unique words that only you know and use. If you want to go even more advanced, try to remember a short string of nonsense symbols to go along with it, such as @23% or m00# that might have some significance to you but don’t mean anything.
Of all my internet accounts, only one has been hacked, and that’s because it was a six character plain English word that I never changed since 1997.
That xkcd comic is amusing (as usual) but wrong. Dictionary attacks are a very old refinement of the brute force approach.
The XKCD comic allows for dictionary attacks. Note that the number of bits of entropy assigned to each word is way way lower than the number of bits required to represent the sequence of characters which comprise the word.
Biometrics are a thoroughly unsafe authentication method, trumped by social engineering, intimidation, exploits of faulty scanning devices and, if all else fails, sharp knives. The good thing about passwords is that they are hidden inside a vault that cannot be externally decrypted without destroying it (your brain).
And the xkcd method is sound, but only if the cracker can not know if parts of the password he tries are correct. If there’s no feedback from the system about that, then it’s as safe as a randomized string of the same length.
The only way you can leverage a GPU against a password is when you have the database like this. Otherwise it’s not possible.
best xkcd comic strip
http://xkcd.com/538/
Usage of more than one language (type a word into Google Translator if you don’t know anything besides Schnitzel) and non-standard delimiters (e.g. Apple+Nashi=Schnitzel) is sufficient imo.
R.E: Dictionary attacks and the XKCD comic: Not quite true.
How many possible characters are there on your keyboard for password use? 26 letters, both cases, 10 numbers, 35 or so other characters? So maybe 100 different usable characters, tops? So an 8 character utterly random password has 100^8 different combinations that it could be (very roughly), so about 10^16.
Now look at the XKCD example. He’s using full words, so even if you only have 4 words in your password your search space for attempting a dictionary attack is dictionary size^4. The OED has about 170’000 words. That’s a *much* bigger search space. Sure, in reality that’s a lot lower. Say that you expect people to only use words that are individually 8 characters or fewer. Most people don’t know anything like all those words in the dictionary. A quick almost completely unscientific google search finding an article on the BBC and a few others with similar figures suggests that people have a vocabulary of something like 40-50’000 words in their native tongue. So take 1/2 of that as the number of words people know with 8 characters or less (and it’s probably actually more than that). Now you’re looking at 20’000^4 as your search space to do a dictionary attack. That’s still a larger search space. You’re talking about an exponent of 10^16 for the 8 character random password and 10^17 for the 4 words. Of course this argument falls down completely if that BBC article is wrong and most people only have a vocabulary of 2000 words, or only normally combine 2 words instead of 4+, or only use words of 5 characters or less, or something ;)
I think this is very much a case of different strokes for different folks. If you would normally have a 10+ character random password that is completely random and isn’t just a word with common substitutions such as o->0 and a->4 then you’re probably better off sticking with that. If you normally have a 6 or 8 character password that’s a word with 2 or 3 common substitutions because you can’t reliably remember anything different then you’re probably better off with the 4 random words route.
I use mainly 8 digit passwords, but sometimes I use letters that are the same in Latin and Cyrillic. I am from Bulgaria, and even if the pass is breached it will give an error, because it must use the Cyrillic letter instead of the Latin.
This whole “secure password” conversation is pointless if the system allows for a “lock out” after 2-3 failed attempts and then forces a password reset or a captcha. Can’t brute force that.
About that xkcd comic: The caps, symbols and numbers are there for a reason, they make your password harder to break because you’re increasing the size of you alphabet. That said, you don’t need to go crazy with it like the first example. “Correct.horse.battery.staple0″, for example, would be much better.
No, Xan, you don’t get it. The database is compromised, meaning that the hackers now have the database at hand. There is absolutely no server involved at all. They hack the database, not the server.
Also, the xkcd password strength is calculated on having 11 entropy bits per word which means that you’re choosing from a 2^11 list of words.
Even if hackers know that you are using a 4-word combination as a password and even if they have the wordlist you used for generating that password, it’s still (2^11)^4=17592186044416.
Even if they can use 100 billion guesses per second, it still takes about 3 minutes to crack that password.
Not safe enough for you? Well, how about instead of putting spaces in between the words, you put in some random punctuation. Like, instead of “correct horse battery staple”, you’d use “correct§horse4battery%staple” which increases the search space significantly, even if the hackers know you’re using that method.
To those saying that hackers need to get your password from the website database (well the hashed password) you are correct – you can’t brute force at the point of input (because of lockouts).
But in situations like this where someone manages to get the encrypted passwords, it might be days, weeks even months before the trespass is discovered by the server admin – and in that time any 8 digit or less alphanumeric password can be broken by a single ATI 5770 GPU in 2 seconds, so they won’t need to brute force a login, they can just type the password correctly.
9 Digits in about 2 hours, 10 in about 20 hours.
A 4 digit number is secure if they have to manually guess it at the point of input (on the website like a user, or for example as a pin number for a bank card) but no hacker would ever bother with that, they’d be locked out after a few incorrect attempts. No they hack the database get the hashed password and then brute force the hash.
Basically brute forcing the password is done locally, nothing is entered into the website they wish to access.
Say the hash is “b18450a4854617620e942d439eb8a6a0″, there is no mathematical way to calculate the password from that hash, but you CAN calculate a hash from a password.
So these programs use the GPU to hash every single possible letter, number and symbol combination, then compare the result to the original hash, and once they get “b18450a4854617620e942d439eb8a6a0″ they know what the correct password is.
They can then simply enter that password like a legitimate user.
So again, 8 digit fully random symbol passwords such as:
u”`/>HI8
W0qhOhD#
;P*EP”_*
wne%GQ&t
QA`BMF:!
c*T2.h/x
y}udZ9aT
All randomly generated using every key available on a common English keyboard can be brute forced in about an hour (letters and numbers only is 2 seconds) on a mid range GPU (5770). Which can manage about 3 billion password checks per second.
Simply put, small weak passwords give them a large window of opportunity, from when they manage to get the password database and crack the password, to when/if the server admin of the website in question discovers the breach – which again might be days to weeks.
Long passwords don’t – it takes too long to de-hash them.
And to temper Starky’s fear-mongering:
http://www.shamusyoung.com/twentysidedtale/?p=11523
Salted, hashed passwords take a long time to crack.
This is why current best security practice seems to be “change your password every few months”, not “every few minutes” :S
That link gets some very fundamental things wrong – I’m no crypto expert, but it’s clear that neither is he.
Salting doesn’t increase the time to brute force an individual password (well not much anyway – because the hacker knows the salt) – it slows them down by requiring them to decrypt each hash 1 user at a time rather than running a single pass and comparing every entry in the database at the same time (or even decrypting them based on known hash values), because every salt is different for every user.
It’s quite easy to discover how the salt is added (at the end, at the start (some even add it every other character or other such patterns) by simply brute forcing a known password.
Simply put, less complex passwords (passwords that can only be lowercase and numbers, for example, which some bad sites still use) will still be brute forced in minutes if not seconds (using new GPU software such as ighashgpu) with or without salt.
Proof: http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/
@Nixitur I should have been more clear. What I meant was password strength is irrelevant if someone is trying to brute force it to get into your account. When someone already has the database with passwords it’s again irrelevant because what matters then is how the passwords were encrypted.
Starky started with telling people to use safer passwords, why? If someone has the whole database it won’t matter how safe your password is, all that matters is how the database was encrypted.
Xan, That is utterly, utterly wrong.
It totally does matter. password strength is EVERYTHING (the only defence) against a brute force decrypt.
Brute forcing works by trying every possible combination of characters, hashing them, then comparing the results to the hash from the stolen database. The hacker KNOWS the encryption – it is publicly available information – anyone can easily hash any string they wish. What stops it being useless is the fact that there is no mathematical way to de-hash a value back to the original string.
You can only calculate every possible hash value then compare to the stolen hash, and when you get a match you have the password.
Starting at whatever the minimum is for the password length of the site (say 6 characters) using the same rules the site enforces (so if it is lower case and numbers only maximum of 10 characters the hacker knows brute forcing any password will be fairly easy).
Even if the hacker knows the length of the original password, a more complex password will still take longer to de-hash, simply due to the fact that there are more combinations that must be tried.
Again, a 5770 can compare at the rate of 3 billion per second – so it can chew through simple passwords (even up to 9 or 10 digits) in a matter of seconds to hours. Complex ascii passwords up that to days and weeks.
So once again it is utterly wrong that password strength does not matter if a hacker accesses a table of hashed and salted passwords.
In fact it is the utter opposite, password strength is the ONLY defence.
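To put numbers on the search-space arithmetic and the local hash-and-compare loop described in the comments above, here is an added example (editor's code, not from the page, the commenters or Valve). It computes keyspace, entropy and worst-case exhaust time for the character-set and word-list sizes quoted in the thread, then runs a small rule-based dictionary attack against a stolen unsalted MD5 digest. The 20-entry wordlist, the mangling rules, the two guess rates and the sample passwords are constructed assumptions; a real attacker would feed a leak wordlist of millions of entries to a GPU cracker, but the loop is the same.

```python
import hashlib
import math

# Constructed wordlist standing in for the dictionary half of a real attack.
WORDS = ["monkey", "dragon", "steam", "valve", "portal", "gordon", "freeman",
         "password", "hunter", "football", "letmein", "shadow", "master",
         "sunshine", "princess", "welcome", "qwerty", "trustno", "batman", "alyx"]

PRINTABLE = 95      # printable ASCII characters on a US keyboard
ALNUM = 62          # [A-Za-z0-9]
XKCD_LIST = 2048    # 2^11 words per slot, the xkcd 936 estimate
VOCAB = 20000       # assumed everyday vocabulary, as in the search-space comment above
RATE_5770 = 3e9     # guesses/s the thread quotes for a Radeon 5770 on a fast hash (assumed)
RATE_FAST = 1e11    # guesses/s used in the thread's xkcd-style estimate (assumed)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return keyspace(alphabet_size, length) / rate


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def human_candidates(words):
    """Mangling rules for 'human' passwords: three case variants, 0-2 trailing
    digits, optional trailing '.' or '!'.  999 variants per word."""
    digit_suffixes = [""] + [str(d) for d in range(10)] + [f"{d:02d}" for d in range(100)]
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for digits in digit_suffixes:
                for punct in ("", ".", "!"):
                    yield base + digits + punct


def crack_md5(target_hex: str, words=WORDS):
    """Offline attack: hash each guess locally and compare with the stolen digest.
    No login request is ever sent, so lockouts and CAPTCHAs never come into play.
    Returns (password or None, number of guesses hashed)."""
    tried = 0
    for guess in human_candidates(words):
        tried += 1
        if md5_hex(guess) == target_hex:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    for label, a, n, rate in [("8 alnum, 5770", ALNUM, 8, RATE_5770),
                              ("8 printable, 5770", PRINTABLE, 8, RATE_5770),
                              ("4 xkcd words, fast GPU", XKCD_LIST, 4, RATE_FAST),
                              ("4 vocab words, 5770", VOCAB, 4, RATE_5770)]:
        secs = seconds_to_exhaust(a, n, rate)
        print(f"{label:24s} {entropy_bits(a, n):5.1f} bits  {secs / 86400:12.1f} days")

    # A stolen unsalted MD5 of a rule-following 'human' password falls in milliseconds.
    print(crack_md5(md5_hex("Monkey42.")))
    # A random 8-character password is outside the rule set; the whole run misses.
    print(crack_md5(md5_hex("W0qhOhD#")))
```

The point of the second half is that nothing touches a login endpoint: once the hash table has left the server, the only costs the attacker pays are the size of the keyspace and the speed of the hash, which is why the estimates in the first half matter and the lockout counter does not.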
Aaand password changed. Pity, I had just memorized my 17 digit random alphanumeric password.
(My steam account is worth more than my bank account (sadly/gladly?))
gladly
“(My steam account is worth more than my bank account (sadly/gladly?)”
Wow I just realised the same thing! Not sure if I’m sad or happy. It’s a confusing emotion.
My Steam password is more complex than my bank password because my bank doesn’t allow for long, complex passwords.
After all, the security of my bank account is their top priority, so it only makes sense, right?
Relevant XKCD might save you some time memorizing:
http://xkcd.com/936/
http://imgs.xkcd.com/comics/password_strength.png
Get it together Mitthrawn!
I use KeePass Portable for all my passwords, lets me use different stupidly long passwords of random gibberish for every site and so long as I remember my USB stick I can log in from any Windows machine.
If you’re sticking your password keychain in “any Windows machine”, it’s not the most secure thing in the world.
This is the future. Surely you people have smartphone apps that can do this for you by now. (Along with remote wiping so you can reduce the risk of a thief sitting there brute-forcing the master.)
I like that XKCD comic- but doesn’t not using numbers/grammatical keys reduce the time it would take to hack it? I guess you could just put a comma on the end or something to throw the infernal machines off.
@ LionsPhil
Well I only use it on machines that I’m prepared to log into anything on, which is to say “not most of them”. My point was more that by having it on a USB stick it gives you greater freedom than a local install. It’s also a lot more convenient to be able to copy and paste your 20 character gibberish password than type them in off a smart phone.
In before “I TOLD YOU. THEY CALLED ME MAD WHEN I REFUSED TO GO DIGITAL. MAD. WELL WHO’S MAD NOW.”
Although obviously this is a shame.
You’ve gone digital – you’re here – you’re as open as anyone :)
I have nearly all my games on Steam these days, I wasn’t talking about me. :P
I was digital before it was sexy. In fact, I MADE it sexy, and I still don’t have a facebook or twitter account.
In after lame “In before” comment.
As that text is in all caps and related to video games, I’m assuming you’re quoting the Devil.
I personally blame the cephalopods.
Well shit. How long before the Half-Life 3 source code winds up on a torrent site?
I kid, Valve. I kid.
They might have defaced the forums because they were mad that the game development stuff is too secure to hack.
Making Half Life 3 100% unhackable is easy for Valve: set up an internal network and cut off all internet connections to and from that network (except maybe one gateway if you really need offsite backups, but as long as those backups are properly encrypted they’ll be useless). That only leaves physical connections, and employee loyalty will prevent problems in that area.
I work for a bank, so I’m required to take security consciousness training regularly. The two biggest concerns for my department are fraud / money laundering (which doesn’t matter because I don’t interact with customers myself) and privacy violations that can only occur by employees abusing access to privileged information. Basically it boils down to: If someone is fired, don’t let them in a restricted area even if they’re lovely, friendly people, who the customer is sending a check to is nobody’s business, and never let anyone plug a USB into anything else without permission. Hacking is a non-concern because of secure intranets*. Some computers have limited internet access (which has firewalls and such), but all the customer information is kept physically separate.
*This is a technical term, not a misspelling.
Well, if the hackers touch it up a bit, we might have Episode 3 sooner than we thought :D
But… my steam account is different from the forum one. How can they have my password?
Read the text?
Ah… ok, got it. Well I changed my password just in case, and thank Gabe for Steam Guard.
Thank god for Steamguard, eh? :P
THAT
If you didn’t already have it activated, do so and you’re safe and sound (your account is – someone may be able to post to the forums as you but as they’re forcing password changes there, they can’t).
Note: The only catch is if you use the same password for other accounts (with the same email address) – or god forbid, you use the same password FOR your email address (which is mind numbingly stupid).
Thing is tho – someone defaced the Steam Forums – how could they tell? That’s like mad graffiti appearing in a madhouse surely? :)
Seems like this is set as standard.
I’d never heard of steam guard until now.
Also, using Paypal to pay for content must help a lot?
They have our credit card info (even if encrypted), so they don’t need to get past Steam Guard to steal our money…
I really hope they’ll get those lamers and kick their stupid asses to jail. A jail with a lot of showers and soap bars.
Gaben’s UNBLINKING EYE OF JUSTICE can tell the difference, always.
So watch your credit card statement carefully. If you see purchases you didn’t make, contact your bank’s fraud department. They will refund the charges and issue you a new card.
If you’re really paranoid, call your bank now and ask for a new card.
Credit cards fail nicely. I’m not worried about my credit card being compromised, because I know I can get it sorted out easily.
Why is it that when hackers are brought up on a game related site, someone always mentions/alludes to prison rape?
I always assume it’s because some people get off thinking about that sort of thing. Whatever turns them on I suppose.
@lurkalisk: No, I’m pretty sure Eclipse is just implying that they are naughty, smelly criminals.
@ VelvetFistIronGlove: “Credit cards fail nicely”
Well, not that nicely, depending on the situation.
I’ve had my bank catch CC fraud right away with automatic flagging of suspicious activity, before the statement was even sent for that month. Which is nice, but then they want to cancel the old card and issue a new one. I have a bunch of household stuff on CC auto-pay, like the internet connection, storage rental, and other stuff. Every time I have to enable a new card — and I’ve had to do it a few times due to fraud — it’s a major pain in the ass to track down all my auto-pay billing utility accounts, and inform them of the new CC details.
Yeah, I know… get a separate card for the high-risk stuff, like gaming accounts. But multiple CC accounts will bleed you dry with fees. If anyone wants to know why some of us prefer to use something like Steam for almost all of our game purchases instead of “supporting Indie developers” or whatever… well, that’s why. It’s a drag that Steam was hacked, but that could happen anywhere. Sticking to one main digital distribution outlet minimizes the risk.
I’ve got Steam Guard set to email to my Gmail account, which itself is set to not allow you in unless you have a random six-digit passcode that’s re-generated every ten seconds on my phone. Saved my ass when Mt.Gox got hacked, I’ll say that.
@Zenicetus Yes, it’d be a huge inconvenience, but no great financial loss.
“I am truly sorry this happened, and I apologize for the inconvenience.
Gabe.”
Somehow this part calmed me.
Aww, Gabe! Give us a hug big fella
This was a very classy, and sincere way to handle the compromise.
Sony could learn something from this.
I agree. It’s a classy statement and a far, far better response than Sony’s.
Yeah, I’m truly sorry they waited 5 days to tell us it was hacked. I mean I appreciate that they needed to investigate it but “the bad men” (theoretically) have a 5 day lead now.
Oh shit.
If the passwords are hashed and salted as they say, there’s no way for the hackers to find the user’s actual password from that info. So really there’s no need to change passwords.
What does salting a password mean?
All these encryption words recycling culinary terminology make me hungry.
I think it means that instead of hashing the original password, you add something random at the end of the password, then encrypt it. So 123 gets turned into 123[randomgibberish], is then hashed. [randomgibberish] is of course saved, too, otherwise you couldn’t check the password later on.
The advantage is that you can’t just compare the hash to a list of hashes of common passwords, you have to actually add the salt – which is different for each user – to the passwords and hash the result, then compare. That’s a lot slower, thus common passwords are harder to crack.
Oh, regarding hashing: That’s a function for encrypting the password in a way that it cannot be decrypted again. For example you could save if the password’s length is odd. You wouldn’t be able to tell the original password based on that information, but of course you could easily find a different one that returns the same value when hashed, which would work as well, so the actual hashing functions are more complex.
Hurrah for someone talking sense. If passwords are hashed and salted, then no one has your password. Not even Valve. But you should be changing your passwords regularly anyway, so now’s as good a time as any, right?
Hashing is a one-way process to secure passwords (there’s literally no way of getting the original text back). Salting just ensures that your hash doesn’t match someone else’s who has the same password as you.
Salting is good. An unsalted password hash is findable on rainbow tables. It’s how Anonymous hacked HBGary a while back. Here’s an awesome article over at Ars Technica on how they did it, with much interesting stuff about salts, SQL injection, and the like. http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
Since the passwords are hashed, hackers would be unable to get the passwords so long as they are sufficiently strong. However, inevitably some users will always choose weak passwords. All it takes is for an attacker to brute-force hash many weak passwords looking for a match in the database, which indicates that a password was discovered.
Salting is when a little extra (known) data is added to the password before it is hashed, which doesn’t improve protection for an individual user, since the data is known, but it makes an attacker’s job much harder because it means they can only brute-force one account at a time instead of all at once. It also gives protection against rainbow tables (which is just a huge lookup table which matches inputs to every possible hash output), but Valve was probably using a hashing algorithm which produces large enough digests so that rainbow tables wouldn’t be practical.
Salting doesn’t make it impossible to retrieve a password since the hackers will have the salt as well (it’ll be stored in the database along with the password). What it does mean is that they’ll have to decrypt one password at a time and they won’t be able to use a rainbow table to decrypt massive amounts of passwords at once.
Basically it makes your password a lot safer but not completely safe.
Salting hashes does not make your passwords invulnerable. It merely makes it take a little longer to find them, if they are “weak” enough to find (and many, if not most, are). The attacker simply won’t have the benefit of using rainbow tables or just one attempt per password.
Many, many people choose “weak” passwords either out of ignorance, comfort, or carelessness. Many use the same password on their email account or on other gaming services. Many use variations on the same “base” (Steam password = hunter2, Desura password = hunter3, email-password = hunter4).
Change your password(s). It’s the only way to be sure. And just hope that Valve implemented the CC-Crypto well enough.
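An added example (editor's code, not from the page, the commenters or Valve) of what the comments above say salt does and does not buy you: with no salt, an attacker hashes a wordlist once and looks every stolen digest up in the result, and two users with the same password are visibly identical; with a random per-user salt stored next to the digest, every guess has to be re-hashed for every user. The six-user table and seven-word list are constructed, SHA-256 stands in for whatever fast hash a site might use, and the counters show where the extra work comes from.

```python
import hashlib
import os

# Constructed wordlist; a real attack would use millions of leaked passwords.
WORDLIST = ["123456", "password", "hunter2", "letmein", "qwerty", "dragon", "monkey"]

# Constructed user table: three users share "hunter2", one has a strong passphrase.
USERS = {
    "alice": "hunter2",
    "bob": "hunter2",
    "carol": "letmein",
    "dave": "hunter2",
    "erin": "correct horse battery staple",
    "frank": "qwerty",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Weak: same password -> same digest, and one precomputed table serves every user."""
    return {user: sha256_hex(pw.encode()) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Better: a random 16-byte salt per user, stored beside the digest (it is not secret)."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, sha256_hex(salt + pw.encode()))
    return table


def crack_unsalted(table: dict, wordlist) -> tuple:
    """Hash the wordlist once, then look every stolen digest up in the result.
    Returns (found passwords by user, number of hashes computed)."""
    lookup = {sha256_hex(w.encode()): w for w in wordlist}
    found = {user: lookup[digest] for user, digest in table.items() if digest in lookup}
    return found, len(lookup)


def crack_salted(table: dict, wordlist) -> tuple:
    """Each guess must be re-hashed with each user's salt: work grows with users x words."""
    found, hashes = {}, 0
    for user, (salt, digest) in table.items():
        for w in wordlist:
            hashes += 1
            if sha256_hex(salt + w.encode()) == digest:
                found[user] = w
                break
    return found, hashes


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("alice == bob (unsalted):", plain["alice"] == plain["bob"])
    print("unsalted:", crack_unsalted(plain, WORDLIST))
    salted = store_salted(USERS)
    print("alice == bob (salted):  ", salted["alice"][1] == salted["bob"][1])
    print("salted:  ", crack_salted(salted, WORDLIST))
```

Salt multiplies the attacker's work by the number of users and makes precomputed (rainbow) tables worthless, but it does nothing for one weak password on its own: alice's hunter2 still falls after three guesses either way. Making each individual guess expensive is a separate property of the hash function, not of the salt.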
If you’re handling passwords in your web application, you should be doing all of the following things:
* Secure your systems to the best of your ability. Keep up with bugfix releases of your favorite CMS, blog, framework, web server, database, operating system, and so on so you don’t get embarrassed by some six month old exploit.
* Account for both short 8-symbol passwords with random symbols and long passphrases without said requirements. If my password is “RPS is the best blog in the world”, don’t limit me to 20 characters or force me to throw a $ in there when there’s tons of entropy in that password that is easy to remember and hard to crack.
* Use a slow hash like PBKDF2 or bcrypt. Hashes like a single pass of md5, sha1 and all of the sha2 variants are designed to be fast to compute, which is precisely the opposite of what you want.
* If you’re using PHP and want to use bcrypt, be extra careful that you’re using the correct incantation of crypt(), fucking it up has the potential to revert to some very insecure hashing defaults without giving you so much as a warning. In fact, just use the phpass library and save yourself the trouble.
* Use a per-password salt, called a nonce. People have discussed salts before in this thread, but I’ve heard a lot of grief from developers who are scared to store the salt in the same place as the hash itself, since they think that storing the one-time salt in a config file makes them safer somehow. *rolls eyes*
* If an intrusion happens, detect it early and preferably force your users to change their passwords on next successful login. Remember, it’s already game over, and you want to make sure that whatever passwords they get out of that database are useless. Of course if you took the rest of my advice it will probably take them at least a few years to get a single password, but better to be safe than sorry.
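Added example, not code from the commenter above: a minimal account store that does what that list recommends, using the Python standard library's PBKDF2 (bcrypt needs a third-party package) with a fresh random salt stored in the same record as the hash, a constant-time compare, no length cap on passphrases, and a breach flag that forces a reset at the next successful login. The record format and the UserStore class are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # raise over time; aim for roughly 0.1 s per verify on your servers
SALT_BYTES = 16       # fresh random salt per password (the per-password "nonce" above)


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash (format assumed here).

    The salt is random per password and stored in the record itself. It is not a
    secret: its job is to make two users with the same password hash differently,
    so precomputed tables and batch attacks against the whole dump stop working.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, min_iterations=ITERATIONS):
    """True when a record is below current cost policy; re-hash it on the next good login."""
    try:
        algorithm, iterations, _salt, _digest = record.split("$")
        return algorithm != ALGORITHM or int(iterations) < min_iterations
    except ValueError:
        return True


@dataclass
class Account:
    record: str
    must_reset: bool = False


class UserStore:
    """Toy in-memory account store, constructed for this example."""

    def __init__(self, iterations=ITERATIONS):
        self.iterations = iterations
        self.accounts = {}
        # Verified against for unknown usernames so the response time does not
        # reveal which names exist.
        self._dummy = hash_password("dummy", iterations)

    def register(self, username, password):
        # No length cap or "must contain $" rule: a long passphrase is welcome.
        self.accounts[username] = Account(hash_password(password, self.iterations))

    def login(self, username, password):
        """Return 'ok', 'bad_password' or 'reset_required'."""
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(password, self._dummy)
            return "bad_password"
        if not verify_password(password, acct.record):
            return "bad_password"
        if acct.must_reset:
            # Post-intrusion: the old secret still proves identity, but only to
            # set a new one, so whatever was lifted from the database is useless.
            return "reset_required"
        if needs_rehash(acct.record, self.iterations):
            acct.record = hash_password(password, self.iterations)
        return "ok"

    def change_password(self, username, old, new):
        acct = self.accounts.get(username)
        if acct is None or not verify_password(old, acct.record):
            return False
        acct.record = hash_password(new, self.iterations)
        acct.must_reset = False
        return True

    def mark_breached(self):
        """Flag every account once an intrusion is detected."""
        for acct in self.accounts.values():
            acct.must_reset = True
```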
Bears repeating. A few extra CPU cycles are well worth the massive, massive increase in security should the worst happen.
Unfortunately, MD5 and SHA1 still seem to be by far the most common.
This seems like a good time to point out BozoCrack. Salt is important.
It’s worth noting that this is – for now – a problem with the Steam FORUMS and not the Steam client.
If you used the same password for both – DOH! DUH! DIM! – change them both and make them different.
I don’t have a CC on Steam (I use PayPal) so that’s not a problem.
“Purchase History” – is publicly available anyway
Did I miss anything?
Yes, yes you did, apparently SPUF and Steam/Valve’s databases are linked somehow, enough for someone to get into them and (possibly) take encrypted (thankfully) credit card info.
Even though it’s a fucking shame, at least these guys look legit. Salted, hashed and encrypted info and 3 days delay on informing and asking for passwords.
Hey, it’s still miles better than Sony’s “yeah, let’s transmit passwords and credit card details unencrypted, and wait a week or two before we tell everyone their accounts have been compromised”.
Oh.
I’m not even sure if I have a Steam forum account.
Edit: After a few failed attempts to log in, it seems I probably don’t. Phew.
“found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.”
So if you have a Steam account of any form, you need to be worried.
What a shame.
Whatever happens, I’m sure there’s a TF2 hat in this somewhere.
I WOZ HACKED Hats – available soon to anyone who has their account trashed by random lunatics(*)
(*) evidence that you have a PSN or XBL account (which has almost certainly been hacked or robbed) will cover this.
Xbox Live IS robbery.
SteamGuard and the fact that the passwords were hashed and salted removes any care that I could have had about this. Sony could learn from these guys. Yeah, they were hacked, but the damage is minimal. Even if someone DID figure out your password, your Steam account is still linked to your computer.
It’s always surprised me that they used an ‘off the shelf’ forum package (Blizzard do too) because if there’s a security hole to be found, it will be in one of those fuckers…
Reassured that I had to go to my emails to get a code to put in when I went to the website to try and change my password, discovered you can’t do it through the site, loaded up my Steam client and was prompted for another emailed code before it’d consider a change password request. They seem to understand what security’s about.
I don’t think SteamGuard works for forums. The forum is offline now, but you can still log into it. It doesn’t ask me for a code on a new machine (or old, actually changing the motherboard is enough for it) when accessing forums. It asks only when accessing the Steam account. Which uses a separate password.
Who cares about the forums, really? Do you? Do I?
Oh no, someone is running around parading as me and pretending to be me. Unless they’re incredibly fucking talented, they’d have a hard time emulating me. I’ve seen people try, it’s just not doable because there’s a fairly unique signature to the way I write. A bunch of people tried it once and we were swapping names, I was the obvious one every time.
So I’m not bothered by that. If someone did steal my online identity (oh no!) then the people who know me will have figured that out within a matter of sentences. I don’t know why, mind you, but this has always been a thing. So I’m really not bothered by that.
What am I bothered by?
I’m bothered by the thought of losing my Steam games or my credit card details. If this was Sony, I’d be pissed, because Sony have proven time, and time, and time again that they haven’t the first clue what this “security” thing is, or how to put it to good use. But Valve? Just look at the example above. It’s Valve. Valve understand security, we’re not going to get fucked over by them.
People wonder why I swear by Steam. See? This is why. Valve was hacked, but the damage was minimal. You won’t need to panic, you won’t need to cancel your credit/debit card, you won’t need to worry about all your games being stolen from you. Because Valve gets security.
Heavily encrypted databases get discovered all the time, it’s fairly common, you don’t hear about it, but it does. Keeping them out of the hands of other people isn’t important because you may have some jerk working for you that may just leak them anyway. You have to assume worst case scenario, you have to encrypt them, heavily. To the point where it would be damn near impossible to crack them.
You can bet Valve did.
And yeah, I’m not surprised that the hackers got in through a probably horridly coded third party forum solution. Valve should have written up their own, really. At the very least, they’ll probably go over this with a fine tooth comb, now.
But yeah, I’ll still stand by Valve, because they understand security, they understand worst case scenarios. If this had been GoG, or Gamer’s Gate… would they be quite so prepared? I’m not sure if my answer would be yes. :P I’ve never revealed all of my reasons for standing with Steam as I do, but ridiculous security is one of them. SteamGuard wasn’t the beginning of it, it was just a really nice step up and evolution from what they already had.
This post is far too short for a Wulf second post.
Impostor!
A reference to GW2 superiority is also missing. Someone probably hacked his account.
I changed my password several days ago when I learned this happened.
When did you find out about it? Seems a bit late for Steam to be telling us now.
It was mentioned in one of RPS’ threads or article comments. I forget where exactly.
I first heard about it on Twitter on Monday I think, someone had noticed that the forums were odd.
I asked why RPS hadn’t mentioned it yet in one of the comment threads yesterday, and there was a (surprisingly mostly ignored) post in the forums before that.
But the general gist was up on Joystiq, Kotaku, etc… 3-4 days ago.
“If you have used your Steam forum password on other accounts you should change those passwords as well. ”
Well damn. There’s one problem. I don’t remember what my password for the forums was >_>
Steam forums are still down right?
LastPass.com – never use the same password twice again – never have to remember one either…
So instead of having separate passwords to protect all your accounts separately, you have one big password which would give hackers complete access to everything…yeah, I’ll pass.
Well mighty thanks man
Looks like I’ve got something to entertain myself with until Skyrim is unlocked in 45 minutes
What Brumisator said… Surely LastPass only works until someone steals your laptop?
Y’all need to get a formula, beats remembering/writing down individual passwords. I’ve got about forty different passwords, don’t need to remember any of them – just need about 10 seconds to work it out if it’s one I haven’t used in a while.
Which itself only works until a particularly clever person finds two of my passwords to compare (or one in a nightmare scenario) and cracks all my passwords simultaneously. Ho-hum.
What laptop? And you don’t save the “master” password, only you know it.
Well played. I’ll take my leave now, but I ask only that you consider this recommendation from the LastPass homepage:
“It’s so easy – FOX News”
Oh damn. That “so easy” might even be a reference to hacking lastpass!!!!!
Keepass is a much better solution imo.
Stores passwords locally under a master password fully encrypted, is open source – so you can be fairly sure there’s no dodgy code in there spying or broadcasting data, and no malicious security holes or improper encryption implementation (if there was it would be quickly flagged).
Obviously the only real flaw in the system is the master password – as it is stored (encrypted) where KeePass is (locally or, like me, on a USB stick)
But then in order to break your passwords not only would a hacker need to have accessed your actual computer files, but then break (what should be) a complex password.
There is a lesson for everyone, here.
Use throwaway passwords for forums. That is all. Yes, including for RPS. If it’s nothing to do with money or valuable data, you should just use throwaway passwords for it, because it’s eventually going to be hacked anyway, and then people are going to use that to figure out how you go about passwording things, then they’re going to use that information to steal from you. If they can.
Seriously…
This site;
Every site like it;
Gaming sites;
Forums;
Comic sites;
Every unimportant site…
USE A THROWAWAY PASSWORD.
Being paranoid helps. 8D
Oh and !!!WARNING!!!
8 Digits IS NOT ENOUGH!
Hell 10 digits isn’t – but 8 is a joke.
Any standard “human” password (As in not random ascii; a few letters [1 or 2 upper case], a couple of numbers and 1 or 2 common punctuations [fullstop is the most common]) can be broken in 2 seconds.
Yes, 2 seconds based on GPU driven brute forcing software and an average GPU.
Hell, even fully random 8 char gibberish passwords can be GPU broken in hours or days rather than the years a CPU would take.
12 will give you years, but faster GPUs are quickly (frighteningly quickly) making even 12 alphanumeric passwords useless.
I’d highly recommend everyone to use 1 highly complex master password (a complex mnemonic of at least 15 characters with at least 3-4 numbers and 3-4 punctuation)
Say something like:
I WANT ten BIG apple pies for my (50th) birthday (remembering the capitals by stressing the words)
iW10Ba3.14sfm(50th)bd
Easy phrase to remember (with some practice), solid 21 digit alphanumeric (+) password.
Then use that with a password manager – hell a 256 bit AES encrypted 7-zip with a text file in works in a pinch.
Edit:
Like Wulf though I also use a standard “who gives a fuck if they hack it” password (9 digit) for sites that never contain any personal data that can’t easily be found by a quick google of my real name.
Anything with any sensitive data however (email, shopping, banking, paypal, steam, business contacts, names/addresses etc, etc…) has a complex long (20-40 character, depending on the limit of the site in question) randomly generated password hidden behind a complex master password, stored on a USB drive on my keyring.
Gotta agree with Starky on KeePass. Great little program. Recommended to me by an admin on MajorGeeks, and I trust that site pretty highly.
“Y’all need to get a formula, beats remembering/writing down individual passwords. I’ve got about forty different passwords, don’t need to remember any of them – just need about 10 seconds to work it out if it’s one I haven’t used in a while.” So very much this. It’s strong, it’s easy, and you’ll never have repeat passwords for anything. Take the name of what you’re logging into, alter it in some way, and salt it with an extra phrase that you use everywhere. For example, if you’re logging into RPS:
Rock Paper Shotgun
shotgun
nugtohs
nugtohsB1rd (because you’re a hipster, so you put a bird on it)
Quick, easy, and you’ll always know your password for everything. Gmail would be “liamgB1rd”, Steam would be “maetsB1rd”, and so on.
Turning on that steam guard feature now. And guess I’ll have to change the password too.
Don’t destroy my hope for a digital-only future, you Anonymous Internet Hacker Scum. The next stage in human evolution will be tweeted, damn it…
Here’s to hoping Steam Guard works then.
Dear Gabe,
Thanks for your concern and quick actions – I’ve changed my password, now any chance of Skyrim for £10 off? :)
Surely Half-Life 2 would be more appropriate?
Surely you can’t want us to believe there’s someone with a Steam account that still doesn’t have HL2?
Attention grabbing headline “Steam Hacked?”…
When in truth it was just the forums and so people should stop worrying.
Did you read it at all? Gabe said himself that they got access to a database separate from the forums, containing all sorts of goodies.
“We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”
So yeah.
When I try to change my password, it says to me ‘Steam cannot currently process your request’
Does this mean it’s down or that I’m entering the wrong existing password? I can’t offhand remember what it is, but have a combination of things it might be, so I’m not sure what the problem in this case is.
EDIT: It gives that error message when you enter the wrong password, I finally figured out what my actual password is and it worked. I have a password system with variables and the last time I had to log into Steam was a year ago!
SERIOUSLY READ THE DAMN TEXT.
“We learned that intruders obtained access to a Steam database in addition to the forums”
SERIOUSLY.
“We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”
Read the post again.
EDIT: in the time it took me to post this, three other people posted the same thing.
Go team RPS commenters, I guess!
Maybe you should try reading beyond the headline.
Wow, that was some quick correcting. Five replies before I even saw one.
Try reading it again yourself:
user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked.
So they got user names, names of games you purchased, maybe email addresses and billing address. The rest is encrypted and unreadable to them. Big deal I am sure we can get your email addresses off facebook or some other sites, also mailing addresses are available all over the place such as election registry.
I am sure our own government sells most of this personal information to third parties for money already anyway.
How serious the threat is is irrelevant to this discussion. You were complaining about RPS using “Steam Hacked?” (which has now changed) as their headline saying that it was “just the forums” when in the first line it says “the intrusion goes beyond the Steam forums”.
You didn’t read the article!
ger. I made a Steam forums account last week, to inquire why my Cossacks Art of War wasn’t launching properly.
shoulda waited a few weeks.
I hope someone from Valve will read this, but it’d be reassuring to know in what way our passwords were hashed and salted.
In what way were they hashed and salted? Well, I’d assume they were cut into small pieces and recooked (probably with potatoes) and salted to taste. There’s really not much to it. I’d rather find out how they poach their eggs.
Saldek wins RPS today.
Haha, brilliant Saldek. :D
Assume it’s not bcrypt and act accordingly*. Because it probably isn’t.
* If you used a reasonable password (not based on a dictionary word, 8+ characters alphanumeric) you should be changing any other accounts which used the same password within the next couple weeks.
If it’s a crappy password that you also used on other important stuff, panic and change everything now now now.
When Sony got haxxord I was like “aint gonna happen to Valve or MS cuz they know their shit and aren’t a completely dysfunctional outfit to boot” :/
It’s not getting hacked that’s the problem — almost ANYONE can be hacked, regardless of security efforts — it’s having the important information locked down correctly that matters. And it appears that Valve did everything right in that regard.
The right thing to do would be to automail every user telling them to change the password, not to slip a note to a blog. What is this, put that pie down JESUS
They did. http://i.imgur.com/3Qjir.png
The problem is that you need to turn ads on.
You can turn off ads?
My incompetence saves me yet again!
That’s the thing that pops up when you quit a game, right? Yeah that’s not how you do it. At least most people won’t disable it since it’s worded like “want to disable update notifications, DLC notifications and uh want some pie? also ads”.
Any (yes, ANY) bigger website can be “hacked”. The question is how you deal with such attacks and whether you even notice them if they succeed. Valve are not gods, their systems are fallible. They did it right though; passwords hashed/salted, cc info encrypted, SteamGuard, user notification in spite of having no evidence of actual account break-ins due to this, etc.
Sucks that it happened. May happen again. But at least they don’t screw up so very royally as certain other “vendors” do.
BRB hacking Google.
I did it!
http://www.google.com/webhp?hl=xx-hacker
well, they aren’t letting me change my password at the moment
You sure you’re putting in the correct existing password? The message it gives for an incorrect password when trying to change it makes it sound like the service is down, but it isn’t.
Steam Guard should be sufficient protection against my Steam account, so the only precautions I’m taking is changing my e-mail password, as that is the main key in the whole environment. Without access to the e-mail they won’t be able to circumvent Steam Guard and as such, they will be unable to access it.
<3 Steam Guard.
Whilst I agree that Steamguard will protect your games, I don’t think the hackers give two hoots about using your account to purchase games for free. They want your credit card details, so they can waltz off into the sun and spend it on more frivolous things.
Covered by Steam Guard, so I won’t be affected by this (hopefully).
Doesn’t matter if my forum account got stolen, as I don’t use that password for other sites (I think).
“This database contained information including [...] email addresses, billing addresses.”
sort of contradicts
“We do not have evidence that [...] personally identifying information were taken by the intruders”
Also, why was personally identifying information, such as billing address, not encrypted? They only say CC#’s were.
Or am I reading this wrong?
PS. Jamestown DLC is out <3
The way I’m reading it, it looks like Gabe is saying the database was accessed but they don’t know if anything was taken
That’s what I read. But if they had access to the database I’m assuming they downloaded it, which means they have the info. I doubt there are all too many hackers that would deface and do nothing else; even if it’s not a criminal hacker that did this I’m sure even scriptkiddies would download the data and sit on it…
Plus unlike Sony, Valve actually encrypted the CC info
Jamestown DLC is only new craft/characters; not sure I see the sense in that when most people have surely already settled on what works for them and don’t use anything else (and that it’s gunner, because everything else is relatively crap, or maybe beam if they just want something easy to manage and don’t care about scoring or how hard Croatoa will be). I would’ve thought more challenge events would have more value, but maybe most people don’t pay much attention to those. It is silly cheap like the torrent of absolute tat that got puked all over Magicka, to be fair. I’m still having it because the powder keg thing looks like it might be what the exploding shot ship no one uses ought to’ve been, so I want to give that a go.
Steamguard is definitely reassuring; I’ve been using it for a while.
While, if the passwords are hashed, there’s no need to change your password, I’d still change it anyway. There’s _always_ a small chance that it was recorded in plaintext at some point; better safe than sorry.
P.
They might not have evidence that the CC# encryption had been cracked, but if they got the numbers it’s only a matter of time until they figure out how to crack it. And it’s already been 4 days. So I suggest that anyone that had used a credit card with Steam (I’m not sure if it should be everyone or just the ones that used the checkbox to store the credit card info with Steam) should call their bank and change the credit card. You’ll have to wait a few days for them to mail you the new card, but I think that’s a small price to pay for your financial security.
I am really not a steam fanboy, but damn, something about gabe just transmits calmness and fairness directly into my brain!
Um, wasn’t this hacking of the forums known for… two or three days? If so, quite slow action telling to people, but still better than certain services I could mention.
Yeah there has been a post on Facepunch for 3 days now saying the Steam Forums got hacked. Nobody seems to know when Valve themselves found out that other information has been compromised. They could just have done it like others and kept quiet about it.
They knew the forums had been hacked, but not the database. My guess is that they were looking into the forum fiasco and then found out about the DB, wanted to assess what was going on and what potential damage might have been done, and then said something about it. It’s not like they’ve been sitting on this for weeks on end. SPUF went down on the 7th. That’s pretty good communication. I’m sure they’re also having to deal with both FBI and Secret Service right now as well.
Bugger. Changed Steam password, which was unique anyway. Annoyed that I had credit card info associated with the account, I removed it when Sony was hacked, but it slipped back on there. They say it’s all encrypted though, which is good. Can’t get onto the forums to change that password yet, but again, unique.
Actually, a question about stored credit card data. Do they actually store the numbers, or just a token? Obviously some places will do things the wrong way, but if storing tokens is a possibility then it would make security a hell of a lot better.
Edit: Hah, just realised my card expires at the end of this month anyway. I can’t see the encryption being broken before then. Will keep an eye on it though.
Well, that requires a big FUUUUUUUUUUUUUUUUUUUUUUUUUUUCK.
Never registered on the forums and with Steam Guard, it’s a non-issue for me.
Whether you have a forum account or not doesn’t seem to matter. It sounds like they were able to access the main Steam database.
Except the key word there is seem to because you don’t really know. And regardless, it’s a non-issue anyway. You can either panic like chicken little and go through needless hassle or you can be vigilant like you should have been anyway and not need to worry.
Whatever, Gabe.
Now, where is the Thanksgiving Sale? (holding wallet ready)
:D
Well it’s usually good policy to change passwords semi-regularly anyway (apparently) so I did my Steam one just in case. Steam Guard now seems like a good idea!
That’s more of a high-level security procedure, spy stuff. Changing your password doesn’t prevent you from being compromised so much as stop the access of someone who is silently accessing a compromised account.
My Steam account password is an old password that I’ve stopped using elsewhere, plus SteamGuard means that should be safe. My Steam forums password has been leaked before (Nexus forum hacking), so not a big deal. More worrying is the fact that they might have encrypted credit card details. Thankfully, I’ve never saved my billing address and credit card details, and my last Steam purchase was the Halloween sale, so *hopefully* they’ve disposed of the details.
It was only a matter of time really, the sharks have probably been circling for a while, looking for a weakness. Kudos to Gabe and team for dealing with it quickly once the scope of it was realised.
But I don’t remember what my account password is. Steam does, which is the only reason I’ve been able to connect to it for a while. I suppose I should try to get that fixed at some point.
It’s the end of world I tell you!
Where’s my free games, Gabe.
Salting doesn’t make weak passwords invulnerable, as xkcd demonstrated amusingly.
The comic you reference has nothing to do with Salting passwords. It has to do with alphanumerics/symbols being used in a password vs having a long password.
I only use PayPal. I’m safe. :)
Lol, I hope you’re being very sarcastic.
He’s safe from any intrusion into Steam’s system as he wouldn’t be so daft as to use the same password on PayPal and Steam…
Nope, being very serious. :)
And yep, I use a different password for almost everything.
Thankfully I got a free year of identity theft protection out of the PSN hullabaloo, so now I guess we’ll see how effective that is.
Also, any recommendations for a password manager?
KeePass does what it advertises and runs on practically everything.
If you think LastPass is a good idea, you are beyond help.
If you want distributed/shared copies of your passwords, consider KeePass+DropBox (or any similar service).
How is LastPass any less secure than KeePass + Dropbox?
LOL!
You mean the same dropbox that earlier this year let anyone into anyone’s account with just a username and no password required??
LastPass is pretty damn secure. Especially if you use it with Google Authenticator or a Yubikey and also an email address that is set up purely as your LastPass account name and doesn’t get used for anything or sent to anyone.
Everything sent to lastpass is encrypted and decrypted LOCALLY ON YOUR COMPUTER meaning lastpass only store the encrypted data which means even they can’t access it. So if you lose access to your email account and lose your password you lose your lastpass account as they can’t reset it.
I’d argue against using Dropbox for storing sensitive data, since it’s not really secure. http://www.wired.com/threatlevel/2011/05/dropbox-ftc/
I like Dropbox but I don’t – even for a second – consider it a ‘secure’ solution – and I’d not store passwords or anything like that within a million miles of it.
LastPass is pretty excellent I reckon – their recent adoption of Google Authenticator codes makes them even more secure – in fact I’d say they were about as secure as it’s possible to get without landmines and laserbeans…
Dropbox stores all my passwords. I don’t really mind its insecurity, my password file is encrypted. I wrote the encryption myself after reading papers on current techniques, and I’ll rewrite it if weaknesses are found, so I trust that security. Otherwise, go nuts trying to guess my 43 character password with letters, numbers, and punctuation. Hint: Does not use euro signs.
LastPass does all the encryption client-side with the magic of Javascript. It’s good stuff – if you lose your master password, you’re probably screwed. (“If at this point you have failed to remember your password, your account hint didn’t jog your memory, and you’ve tried the password recovery on every machine you’ve logged into, your only recourse is to delete your account and start over.”)
You’d be even more screwed if you forgot your KeePass password though.
Lol Steam is going nuts. 2 “false” daily deals on the news page. Happened before I know
I’d jump on that EYE 50% off deal like a shark. If only it were true.
“Salting doesn’t make it impossible to retrieve a password since the hackers will have the salt as well (it’ll be stored in the database along with the password).”
Exactly, but if you have a good password it probably won’t be broken.
I wonder how the CC details are stored though.
edit: fail reply, goddammit
CC details will probably be stored using 256 bit AES.
Lastpass is great but I wouldn’t trust it with my passwords to anything important. All those forum and website passwords fine – anything to do with Google, email, digital distribution (like Steam) or anywhere that holds my financial info is in my noggin.
Man, Origin fans are rabid!
That made me laugh pretty hard.
I’m tired of these motherfucking hackers…
on this motherfucking plane.
I just want SPUF to be back up. I almost killed myself WITH SUICIDE from so much spuf withdrawal
Oh Steam Guard your super-usefulness has been confirmed.
Trying to change my pass and I’m getting the same error others have reported about Steam not being able to process my request, yet I am 100% certain I’m entering the correct pass.
Has anyone been able change theirs in the last few mins?
Yes, I just did, without problems.
Yeah I just changed my pass and it would give me that two times, then it worked. Guess a lot of people are changing their passes right now.
yeah weird, has worked now, cheers.
Now Skyrim just has to hurry up and decrypt itself and all shall be right with the world again.
Man, I’m so glad BF3 is on that other system. ^^
To see someone talking about BF3 with the name “mod the world” is highly amusing to me.
Thank you RPS.
I second that!
-> I wouldn’t have found out about this otherwise!
as my Steam program thing didn’t tell me anything – and I haven’t even blocked ads or whatnot – very curious
2nd HUGE breach in Valve security.
Honestly, they’re rolling in money, they really need to pump more of it in to security. There is no excuse for something like this to happen, when they have that many people trusting them with CC info…
I’ve been a defender of Valve for a very long time, and they have lost some major points here with me. Get your shit together, Valve….
mate, if you believe there is security which cannot be breached then you live in a naive world.
Of course Valve can be hacked. and if they stay in business they will get hacked again.
so will facebook
so will rps (when they grow to mega game site)
there is no true security on the web. any information can be stolen and used against your will.
Indeed, Valve can and should have the best security they can reasonably have – and have in place a system of what to do and implement should it be broken – but nothing is invulnerable.
Hell, breaches are almost inevitable – the key is to ensure that any breach results in minimal damage – which Valve have done.
Encrypted and salted passwords and encrypted the credit card details (good Valve, bad Sony).
Even if they know the salt (which they probably will) it still adds complexity to calculating the hashed password, simply because there is NO mathematical method of going from hash > password
A password must be entered and then the hash calculated and results compared – so even if the salt is known and brute force is calculating say 1234567890salt (where numbers can be any alphanumeric) it still takes more computing time than just 1234567890 (just due to generating the hash itself to compare).
@Lukasz:
Indeed. It’s kind of sad that there’s a gigantic amount of people out there who think good security is just a matter of throwing money at a department and having them make serious frowny faces as they furiously type at their keyboards and TA-DA! A shiny, impenetrable security system is built! Any time a hacker dude with his 60’s-style eye mask and black-and-white-striped long sleeve shirt cackles and types “HACK INTO VALVE PL0X!”, the giant impenetrable wall of 1s and 0s will bounce off the evil hacking bits like a skinny infant on a trampoline! Boom! Out go the bad bits from the bad guy! Boom! Our wall is unstoppable! The evil hacker dude goes “WHAAAA?!?!” as he’s baffled, absolutely baffled at this amazing feat, so baffled that he runs away with his arms in the air wailing like a madman for he has been defeated! He shall never again don his hacker mask and attempt his nefarious plans ever again! Valve wins the day, and all they had to do was unload wheelbarrows of cash at the feet of the po-faced geniuses! Type on, defenders of justice, type on!
So I changed my Steam password. I am sure these criminal arseholes will be really pissed off now that they can no longer play TF2 using my account. Too bad they can just console themselves by buying stuff with my stolen credit card details.
I hate this.
Why does SteamGuard have anything to do with this? Don’t you (RPS commenters, supra) see that part about hackers potentially having access to credit card information? It doesn’t sound like that information is contingent on logging in as me.
They have access to ENCRYPTED credit card information – which even if they just used 128 bit AES for the CC numbers (in reality probably 256 bit) – it would take a few thousand years per credit card number to decrypt.
@Starky. Ok, thanks for the explanation. I’m a lot less worried now.
Not to mention that you should always assume someone somewhere has obtained your credit card details, and be checking your account/statement regularly anyway. Back in the day it used to be people lifting the carbon sheets from the credit card imprinters out of rubbish bins, now it’s lifting the details from any number of electronic sources, be it the local club (with an employee who has a drug/gambling problem) or some online store that retains your card details in their database without telling you.
“They have access to ENCRYPTED credit card information – which even if they just used 128 bit AES for the CC numbers (in reality probably 256 bit) – it would take a few thousand years per credit card number to decrypt.”
Reading the info from Valve, they have access to the encrypted credit card information but NOT the numbers; they add in there that there is no evidence the numbers were taken.
I read that as the credit card info (address etc ) were taken, but NOT the numbers themselves, which were never touched.
Basically they have the information on you that you could get from the electoral roll :P
(I could be wrong in my understanding of this; I don’t have any current CC details on Steam anyway unless I accidentally left the “save card details” box ticked last time I got something)
No, I think there is a chance they have the credit card numbers as in the CC numbers were actually in the database, but there is no evidence the database was downloaded, just accessed – but if they were accessed you have to assume they were taken. But, the credit card numbers will look something like this:
“7AD3C3BF888C9E885CC206D5822ABE44D665F8A47CCB1A02FF069A”
Which without the decryption key (itself a 256 bit string) will take them several trillion years to decrypt by brute force (trying every possible key combination).
There is virtually no chance they will have that key, it would not be stored in the same database – hell it should be stored on part of the server that cannot be accessed from the internet at all.
That CC database had better be encrypted with AES256, otherwise Valve isn’t fit to run a huge online store.
From what I’ve read it was indeed AES256. Hopefully that’s right. I’d also like Valve to say whether the CC info on the database was transaction info or saved cards on accounts as I didn’t save my card details to my account.
Great- I’ve only just finished changing all my passwords from when my (defunct) XBLA and/or EA logins got hacked recently.
At least Steam have owned up to it quickly- many large firms keep quiet about such intrusions unless they’re sure credit card details have been swiped, and so no-one can identify the weak links in their accounts.
No Steam Forum account, but I did just change the password for my main Steam Account to a nice and randomized 20-key password.
As far as credit details go, can anyone tell me if using PayPal makes the leaked credit card information less of a concern?
If you use PayPal they don’t HAVE any credit card info to leak – so yes.
I’m changing mine to password132.
They’ll never catch me!
That’s amazing! I’ve got the same combination on my luggage!
Spy! Hackin’ mah credentials!
Steam forums down!
(TF2 announcer) INTRUDER ALERT! HACKER IN THE BASE!
(Gabe) RED SPY IN THE BASE ?! (drops donut box)
(announcer) PROTECT THE USERS DATABASE!
(Gabe) NEED TO PROTECT THE USERS BASE! (storms to datacenter room)
(Robin Walker, already trying to open the door) LETS GO! LETS GO! LETS GO!
(Gabe) Back off, son… (types “1111” in the security lock)
…
Oh look, I can’t change my password because it’s connected to an old dead email address, and I can’t change my email address because it requires me to read an email on the old dead one.
Fuck you, Steam.
Yes, your ineptitude is obviously their fault.
If you have a physical product that you’ve activated on Steam, I know you can take a picture/ scan it and go to Steam tech support to change email addresses. It happened to me a while back. I think they have some other things built in place too, but it cannot be instantaneous since email is their primary point of contact.
You don’t even need that, just email tech support and they’ll fix it up for you.
I’ll admit that my Steam password was one of my less secure passwords, and that as a student currently studying computer security I should have changed it ages ago; but now I’ve changed it and stored the password in my KeePass database :)
Steam canceled Paypal as a payment method for Russia, thanks to this my credit card is compromised now.
In fairness to them that’s more PayPal’s problem than Steam’s – they stopped accepting it because they had a tonne of trouble with it…
Obviously this isn’t the first time this has happened, but I always run into this same problem. I have NO idea which of my dictionary of passwords I was using for the Steam forums, and since they’re down for security, it’s kinda hard to figure out which one was compromised.
Oh well… how much do you want to bet Origin pulls an Apple maneuver and goes “Ha! We NEVER get hacked!”… and then gets hacked three days later.
I seem to recall mentioning their lax approach to security a couple of times, and getting shouted down.
Anyone wanna argue that *of course* Valve knows what they’re doing, and *of course* your information is safe with them now?
They were informed of (smaller) security issues several times before, and completely failed to react.
Once again, Steamless and clean here since 1980.
Good for you! Me and my (un-hacked) steam account with £2000 worth of games I paid around £500 for are very happy for you.
Swings and roundabouts, my friend.
OK, nice to know my credit card details (which I do not store there BTW; does anyone know if Valve still has them coupled to my account in that case?) were encrypted, but why was there no e-mail sent to all users?
I haven’t seen that particular Steam popup at all; they have my e-mail, inform me!
Really, why should I learn from this via some third-party website, with not even a link to a steam domain in it.
Well, I haven’t received any messages from Steam yet either, and haven’t fired up the client during the week, so this is new for me too… You should think they would have sent mails to everybody by now… : (
Fortunately my CC expires this month, so I hope I don’t get any surprises…
It’s possible they are sending out emails, but if they just fired off 5 million+ emails at once (basing this on peak logins, no idea how many accounts they have) they would be classed as spam and blocked.
It needs multiple servers and a slower send-out speed. It could be happening, might not be, but at least there is some info on the client, when you sign in or when you play a game.
Simply mass mailing is not enough to get you marked as spam Milky; I get mass-mails from GoG, Sony (PSN), Microsoft (Xbox), Impulse and others every week without any problems (and at least the PSN and Xbox mails must be sent to millions worldwide).
As sneetch said, there doesn’t seem to be any problem sending promotional e-mails; I don’t know why this should be different. It has been some days, though, so even if it worked as you say, we should have received some mail by now – SOE at least did this.
“As sneetch said, there doesn’t seem to be any problem sending promotional e-mails; I don’t know why this should be different.”
I would suggest you get a bit of background information on email marketing before arguing my point. Basically it’s not as simple as just sending them out; there are codes of practice on this sort of thing, and just hitting send on even a small number of 10k without abiding by them will get your computer marked as a spam sender and banned from a lot of places. I will explain a bit below.
I am going to say here first that I am NOT saying whether they have or have not done it, simply putting out a reason why, if they HAVE done it, they might not have sent them all out yet. It’s also possible that they just haven’t bothered and are just going with the Steam message.
“Simply mass mailing is not enough to get you marked as spam Milky; I get mass-mails from GoG, Sony (PSN), Microsoft (Xbox), Impulse and others every week without any problems (and at least the PSN and Xbox mails must be sent to millions worldwide).”
Firstly, as a rule of thumb these campaigns are planned a good couple of weeks in advance, not just rushed together (that does change things a little, not too much though). The actual act of sending out the emails may be shipped off to a third party; these third parties will have email servers that are marked as OK by email receivers (which means they can send lots at once). They will have lots of servers, all sending emails out at what is actually a very slow pace for email, since it’s perfectly possible to send thousands in a second.
It’s very possible that the mass email that you got from them will come through at a very different time for your Xbox Live friends, for example; some of this will be due to regional timing, but some due to speed of sending.
Any third party may not have the capacity for a “we need to send this out now” job (again due to time booked), and you can’t just set your own computer to send out the emails at a fast pace, as you will get IP blocked very quickly by the major spam filter companies, meaning the email doesn’t get through.
They might try to do it in house, but if you’re not registered and authenticated you will have to rate limit your sending, and it’s actually not that many you’re allowed to send per minute before you get blocked for some providers.
Basically any email sending out process normally requires a bit of planning; ’tis why the website options tend to get used first.
And again, as this is the internet and even though I mentioned it above, by now someone’s probably forgotten what I said 2 minutes ago: I am not saying whether they have or have not done it, simply giving a reason why we might not have emails if they have done it.
Well, Milky1985, thanks for taking the time to write such a long answer. I know it must not be so simple as adding your whole contact list and hitting send, but it’s been some days since the hack and, as credit cards may have been compromised (and Steam accounts that, in many cases, may be many times more valuable than the cards), I think swift action to alert the affected should have been taken. That’s why I still thought I should have a mail from Valve in my inbox right now and I don’t. But, as someone above has said, I suppose we all now get some hats in compensation ; )
I have such a badass password – 8 random letters + 6 random numbers (combination of two default passwords I was given by local internet providers in ’96 and ’98) AND I have a Visa Electron with no money on it (or perhaps 3€ or something) so I’m not even worried :)
My Credit Card Information wasn’t saved and I changed my password: safe!
To everyone relying on Steam Guard:
STEAM GUARD HAS BEEN FUNDAMENTALLY AND FATALLY COMPROMISED.
I repeat:
STEAM GUARD HAS BEEN FUNDAMENTALLY AND FATALLY COMPROMISED.
They had access to the database.
Steam Guard creates its machine identifiers and has to store them … as rows in a Valve database.
It is likely that the hackers could have authorised *any combination of machines they liked for any account they liked*
DO NOT RELY ON STEAM GUARD FOR PROTECTION.
Assuming that Steam Guard data was in the database, which it would seem it wasn’t, and assuming that write access was gained, which it would seem it wasn’t, adding new computers would require on-going database access. Which there isn’t.
So log in, deauthorize any other computer, then you’re safe again….
Of course the threat of Steam Guard being broken is based on information we do not have, as Valve have not said anything about how it works or whether there have been DB injections (which IMO would be easy to detect and reverse), and the hackers would still need to know how to generate the machine code, and it would possibly be obvious if the same machine code was valid for 1000s of accounts.
Overall, as it says a lot on Wikipedia, “citation needed”.
I don’t remember if I ever signed up for the Steam Forums… I don’t have any stored passwords for them, and haven’t used them for ages… but who knows. And I can’t even check as they’re offline.
I CANNOT work out a good solution to this password problem…. as I spend hours changing loads of passwords on the off-chance yet again.
- Having the same password is a risk, even if you break it into groups (as steam was part of my more-important group).
But setting up highly secure random passwords for every site has issues too:
- Lastpass seems ok, but they’ve had security issues and I don’t see how having their database stolen with ALL my encrypted passwords would be any worse than having steam’s database stolen with one.
- KeePass would be great (if a little fiddly) if I just used passwords on my home PC… but I also need them sometimes on my work Linux PC, and on my Android phone.
There is keepassdroid, but even with that logging in to things on my phone is going to be very very fiddly.
Sigh…
1) Use a password manager to create, save and autotype your passwords. KeePass, 1Password etc.
Eg my password at RPS is 46 random chars long and I don’t care. KeePass types it for me.
You can share the PW database among computers via Dropbox or physically with a USB keychain.
OR
if you’re doing it by hand
2) Use a sequence of random (!) words as a password.
Every 133T combination like Tr0UbaDor is only difficult for you to remember, not for a cracking machine to crack in a few seconds.
Also meaningless symbols are not difficult to crack, again only difficult for you to remember.
2a) Always use new passwords, never reuse them.
And a part for webmasters:
Use bcrypt.
http://codahale.com/how-to-safely-store-a-password/
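The two points the thread keeps circling (a salt stops one precomputed table from cracking every user at once, and a slow hash such as bcrypt makes every single guess expensive) are easy to show in code. This is an added example, not anything from Valve or from any commenter; it uses Python's standard-library scrypt in place of bcrypt because it needs no third-party package, and the parameters and sample passwords are my own choices.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Work factor for scrypt (assumed values for the example, chosen to stay
# within Python's default 32 MiB memory limit: 2**14 * 8 * 128 = 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'scrypt$<salt hex>$<digest hex>' with a fresh 16-byte salt.

    A fresh random salt per user means two users with the same password
    get different stored values, so a table precomputed for one salt is
    useless for every other user.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:           # malformed record: never authenticate on it
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, expected)


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme the thread warns about: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_password_same_record(scheme: Callable[[str], str]) -> bool:
    """True when two users sharing a password get identical stored values
    (exactly what lets a single precomputed table hit every such user)."""
    return scheme("hunter2") == scheme("hunter2")


def seconds_per_guess(scheme: Callable[[str], str], trials: int = 3) -> float:
    """Average cost of checking one candidate password under a scheme;
    this per-guess cost, not the salt, is what bounds offline guessing."""
    start = time.perf_counter()
    for i in range(trials):
        scheme(f"candidate-{i}")          # constructed sample input
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record[:40] + "...", verify_password("correct horse battery staple", record))
    print("SHA-256 repeats across users:", same_password_same_record(fast_unsalted_hash))
    print("scrypt repeats across users: ", same_password_same_record(hash_password))
    print(f"per-guess cost: sha256 {seconds_per_guess(fast_unsalted_hash):.2e}s, "
          f"scrypt {seconds_per_guess(hash_password):.2e}s")
```

Each call costs the server one scrypt evaluation per login, which is cheap at human login rates but dominates anyone trying billions of candidates against a stolen table.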
The problem everyone seems to be missing (or not understanding) is that:
- salted username + password details are relatively unimportant: properly salted, it’ll take time to crack. People can change their passwords next time they login, and hopefully are not sharing passwords between different sites and are also using things like Steam Guard, and Google’s 2-step authentication for gmail.
- the main problem here is REVERSIBLE credit card information. Think about it, Steam remembers your credit card number. It’ll store it in an encrypted state, and is able to reverse this at will. Hopefully it was just the DB that was compromised and not the app server that contains whatever secret info needed to reverse the CC info.
Guess I’m the only one here who doesn’t use Steam.
Then again, things like this could be less dramatic if people had more services similar to steam (without the DRM of course). Hopefully that will become an option in the future.
I fail to see how spreading your information around into more potential hacking targets, at the same time increasing the chances of ending up with some jackass company with a ridiculously insecure system, would make anything any better.
Well, OK, there is the advantage of ONLY losing half your gaming library when Valve explodes (probably Gordon pissed off about Ep3’s delays).
I’m curious as to why people did this. There must be easier targets than Valve, with the upside that another company’s data might not be so hard to crack.
And the “Because they can” or “To show off” arguments don’t seem to hold up, as none of the usual hacker groups are claiming credit.
Well, seems like my angry rant at the plonker in the bank when they decided to cancel and replace my debit card rather than renew the same number has worked out OK.
Grrrrr this has to be about the 5th time this year I have had to go round and change a handful of passwords. Thankfully not too many accounts shared the same credentials as my Steam account (hoping for a surprise delivery from Dominos).
Makes you wonder why a software company, let alone one with as many talented employees as Valve, still uses third party forums such as vBulletin.
Steam makes you register each computer so unless they have access to your e-mail you shouldn’t worry about your steam password.
That’s pathetic, how can they use the same server/network for the forums and the Steam DB? I think Valve really need to hire professionals and stop risking people’s information. PATHETIC.
The random uninformed forum-raging arm-chair-analysing internet-security wannabe-consultant has spoken.
Heed his ill-researched wisdom and despair!
Ohh please, next time go insult something you have knowledge about. It’s public info how Steam works; we know their servers, they use an almost open-source bulletin board, and in the end they have the public forums and user personal data on the same network. If that ain’t a security risk, then GTFO troll.
So this is how trolls feel when they’re successful? It’s a revelation, now I understand why so many do it.
Terribly naive of me, I know, but is it really too much to ask that people simply stop trying to steal my shit? Looks like it’s time for more password changes.
I guess my credit card just got hacked earlier today.
I currently live in the Netherlands, and this morning I got a phone call from my bank. The guy told me somebody was trying to use my credit card to book a hotel in the US. They double-checked that it was fraudulent (of course, because I was sleeping in my house in NL) and blocked my card from further misuse.
After I finally woke up, I began to wonder why. I seldom use my credit card, because we use bank debit cards most of the time in NL. Then I realised I only use my credit card for Steam purchases, and I quickly related it to the recent Steam hack.
However, I am not here to condemn Steam for this ill event. My bank was vigilant, dealing with the false purchase in a rapid and accurate manner, and for that I am grateful. I just want everybody on Steam to keep their eyes open, and hope this will not happen to you.
Comes from a Chinese URL shortener….I would avoid!