Hack: Steam Database Compromised

By Jim Rossignol on November 10th, 2011 at 10:45 pm.


We’ve just had a note from Gabe Newell saying: “Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.”

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

It might be a good idea to change your Steam password, clearly. Full text below.

The following is being IM’d to the Steam user base.

———————-

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.


265 Comments

  1. westyfield says:

    Shit.

    • Tomkan says:

      Not good. Not good at all.

    • Starky says:

      Ninja’ing a top comment reply because I think it bears everyone knowing (cut and paste from page 2 comments)…

      8 Digits IS NOT ENOUGH!

      Hell 10 digits isn’t – but 8 is a joke.

      Any standard “human” password (as in not random ascii; a few letters [1 or 2 upper case], a couple of numbers and 1 or 2 common punctuations [fullstop is the most common]) can be broken in 2 seconds.

      Yes, 2 seconds based on GPU driven brute forcing software and an average GPU.

      Hell even fully random 8 char gibberish (full ascii) passwords can be GPU broken in hours or days rather than the years a CPU would take.

      12 will give you years, but faster GPUs are quickly (frighteningly quickly) making even 12 digit alphanumeric passwords useless.

      I’d highly recommend everyone to use 1 highly complex master password (a complex mnemonic of at least 15 characters with at least 3-4 numbers and 3-4 punctuation)
      Say something like:

      I WANT ten BIG apple pies for my (50th) birthday (remembering the capitals by stressing the words)
      iW10Ba3.14sfm(50th)bd
      Easy phrase to remember (with some practice), solid 21 digit alphanumeric (+) password.

      Heck even just “iwant10applepiesformybirthday” is exponentially stronger than any 8-10 digit utterly random ASCII password.

      Then use that with a password manager – hell a 256 bit AES encrypted 7-zip with a text file to cut and paste from in works in a pinch.

    • FataMorganaPseudonym says:

      http://xkcd.com/936/

    • TWeaK says:

      ^^^^
      Read that comic above. It makes passwords fun!!

    • Starky says:

      The only problem with that method is if it catches on, hackers will develop faster methods of calculating them – for now it is the easiest way of remembering complex passwords, but in 5 years time it might be as useless as “word + 2 numbers”, but by then you could just start adding extra complexity to defeat that.

      Constant arms race.

      By 2020 all of us will have 100 digit word and number sequences, hell either that or personal password managing devices that use biometrics as their key.

    • dsi1 says:

      It’s pretty obvious that, eventually at least, biometrics is going to be how security is done.

      As of now, four 4 letter+ random words is more than enough, and probably will be for a good amount of time.

    • stupid_mcgee says:

      All of this aside, Valve is also probably having to deal with Secret Service and FBI agents right now. First: I’m sure Valve reported to the proper authorities. Second: even if they didn’t, the proper authorities are, I’m sure, going to want to look into this.

    • Kaira- says:

      Secret Service and FBI

      OK, I gotta say I don’t know US law enforcement very well, but this sounds pretty… overkill? Secret Service? Aren’t they mainly concerned about congress members’ and the president’s lives and such?

    • skittles says:

      Now not to say that I am an expert or anything. But the argument that 8 digits is not enough is complete crap to me. Sure your GPU may brute force guess my password in 2 seconds – but so what? It does not know that it has guessed the correct password, to actually be of any use it has to test the guesses against the server that holds the password. And there are plenty of failsafes in place at most places to stop such activity, or monitor it and shut it down.

      I have had accounts broken into where I have used simple passwords – i.e. a word and a number – two or three times. I have never had anything broken into that uses a random string of even more than 5 characters. Because to break such a password takes extra time, and is more likely to be detected. Usually to warrant such extra effort they would be trying to break into a Steam database, rather than attempting to break into some random account which is potentially going to get them no reward whatsoever.

    • Reefpirate says:

      Secret Service protects the President and other politicians, yes… But they also have other duties. For example they handle counterfeit operations on behalf of the Treasury I think.

    • Jason Moyer says:

      Kaira – the Secret Service used to handle identity theft and similar cases. I think that area of law enforcement is actually part of Homeland Security now (not sure, last time I dealt with them was in 03, and it was still handled by the Secret Service).

    • MadTinkerer says:

      “I have never had anything broken into that uses a random string of even more than 5 characters. Because to break such a password takes extra time, and is more likely to be detected.”

      Indeed. If you have a character limit or otherwise can’t use the tons-of-characters method, I recommend using words that are not in any dictionary. They’re a bit tougher to remember (because you’re making up or deriving words that you better remember how to spell), so try to invent a “keychain” of unique words that only you know and use. If you want to go even more advanced, try to remember a short string of nonsense symbols to go along with it, such as @23% or m00# that might have some significance to you but don’t mean anything.

      Of all my internet accounts, only one has been hacked, and that’s because it was a six character plain English word that I never changed since 1997.

    • snv says:

      That xkcd comic is amusing (as usually) but wrong. Dictionary attacks are a very old refinement of the brute force approach.

    • LionsPhil says:

      The XKCD comic allows for dictionary attacks. Note that the number of bits of entropy assigned to each word is way way lower than the number of bits required to represent the sequence of characters which comprise the word.

    • stahlwerk says:

      Biometrics are a thoroughly unsafe authentication method, trumped by social engineering, intimidation, exploits of faulty scanning devices and if all else fails, sharp knives. The good thing about passwords is that they are hidden inside a vault that can not be externally decrypted without destroying it (your brain).

      And the xkcd method is sound, but only if the cracker can not know if parts of the password he tries are correct. If there’s no feedback from the system about that, then it’s as safe as a randomized string of the same length.

    • PoulWrist says:

      The only way you can leverage a GPU against a password is when you have the database like this. Otherwise it’s not possible.

    • coldvvvave says:

      best xkcd comic strip

      http://xkcd.com/538/

    • noxxit says:

      Usage of more than one language (type a word into Google Translator if you don’t know anything besides Schnitzel) and non-standard delimiters (e.g. Apple+Nashi=Schnitzel) is sufficient imo.

    • Carr0t says:

      R.E: Dictionary attacks and the XKCD comic: Not quite true.

      How many possible characters are there on your keyboard for password use? 26 letters, both cases, 10 numbers, 35 or so other characters? So maybe 100 different usable characters, tops? So an 8 character utterly random password has 100^8 different combinations that it could be (very roughly), so about 10^16.

      Now look at the XKCD example. He’s using full words, so even if you only have 4 words in your password your search space for attempting a dictionary attack is dictionary size^4. The OED has about 170’000 words. That’s a *much* bigger search space. Sure, in reality that’s a lot lower. Say that you expect people to only use words that are individually 8 characters or fewer. Most people don’t know anything like all those words in the dictionary. A quick almost completely unscientific google search finding an article on the BBC and a few others with similar figures suggests that people have a vocabulary of something like 40-50’000 words in their native tongue. So take 1/2 of that as the number of words people know with 8 characters or less (and it’s probably actually more than that). Now you’re looking at 20’000^4 as your search space to do a dictionary attack. That’s still a larger search space. You’re talking about an exponent of 10^16 for the 8 character random password and 10^17 for the 4 words. Of course this argument falls down completely if that BBC article is wrong and most people only have a vocabulary of 2000 words, or only normally combine 2 words instead of 4+, or only use words of 5 characters or less, or something ;)

      I think this is very much a case of different strokes for different folks. If you would normally have a 10+ character random password that is completely random and isn’t just a word with common substitutions such as o->0 and a->4 then you’re probably better off sticking with that. If you normally have a 6 or 8 character password that’s a word with 2 or 3 common substitutions because you can’t reliably remember anything different then you’re probably better off with the 4 random words route.

    • BULArmy says:

      I use mainly 8 digit passwords, but sometimes I use letters that are the same in Latin and Cyrillic (I am from Bulgaria), and even if the pass is breached it will give an error, because it must use the Cyrillic letter instead of the Latin.

    • Xan says:

      This whole “secure password” conversation is pointless if the system allows for a “lock out” after 2-3 failed attempts and then forces a password reset or a captcha. Can’t brute force that.

    • slpk says:

      About that xkcd comic: The caps, symbols and numbers are there for a reason, they make your password harder to break because you’re increasing the size of your alphabet. That said, you don’t need to go crazy with it like the first example. “Correct.horse.battery.staple0”, for example, would be much better.

    • Nixitur says:

      No, Xan, you don’t get it. The database is compromised, meaning that the hackers now have the database at hand. There is absolutely no server involved at all. They hack the database, not the server.

      Also, the xkcd password strength is calculated on having 11 entropy bits per word which means that you’re choosing from a 2^11 list of words.
      Even if hackers know that you are using a 4-word combination as a password and even if they have the wordlist you used for generating that password, it’s still (2^11)^4=17592186044416.
      Even if they can use 100 billion guesses per second, it still takes about 3 minutes to crack that password.

      Not safe enough for you? Well, how about instead of putting spaces in between the words, you put in some random punctuation. Like, instead of “correct horse battery stable”, you’d use “correct§horse4battery%stable” which increases the search space significantly, even if the hackers know you’re using that method.
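The search-space arithmetic in Carr0t’s and Nixitur’s comments above, worked through as an added example (not code from the thread or from Valve). It generalises the two cases into a small calculator and adds the point both comments circle around: a passphrase is only as strong as the cheapest model an attacker can apply to it, so the honest figure is the minimum over the “knows the word list” model and the “treats it as letters” model. The guess rate is Nixitur’s 100 billion per second; dictionary sizes and word lengths are the figures quoted in the thread.

```python
import math
from typing import Dict, Tuple

# Guess rate Nixitur assumes in the thread: 100 billion guesses per second.
NIXITUR_GUESS_RATE = 100_000_000_000


def search_space_random(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` symbols drawn from an alphabet.
    Carr0t's figure: ~100 usable keys, 8 characters -> 100**8 = 10**16."""
    return alphabet_size ** length


def search_space_passphrase(dictionary_size: int, words: int) -> int:
    """Distinct passphrases of `words` words drawn from a word list.
    The xkcd model Nixitur cites: 2**11 words (11 bits each), 4 words."""
    return dictionary_size ** words


def entropy_bits(search_space: int) -> float:
    """Bits of entropy when every candidate in the space is equally likely."""
    return math.log2(search_space)


def seconds_to_exhaust(search_space: int, guesses_per_second: int) -> float:
    """Worst case for an offline attacker who must try every candidate
    (on average they need about half of this)."""
    return search_space / guesses_per_second


def cheapest_model(models: Dict[str, int]) -> Tuple[str, int]:
    """`models` maps an attacker model to the search-space size the password
    has under that model. The attacker picks the smallest, so that is the
    only number that counts when rating the password."""
    name = min(models, key=models.get)
    return name, models[name]


def passphrase_report(dictionary_size: int, words: int, avg_word_len: int,
                      guesses_per_second: int = NIXITUR_GUESS_RATE) -> Dict[str, object]:
    """Rate a word passphrase two ways: as seen by an attacker who knows the
    word list and the N-words structure (Nixitur's assumption), and as seen
    by one who only knows it is a string of lowercase letters. Report the
    cheaper model, its entropy and its worst-case exhaustion time."""
    known_structure = search_space_passphrase(dictionary_size, words)
    as_letters = search_space_random(26, words * avg_word_len)
    model, space = cheapest_model({"wordlist": known_structure, "letters": as_letters})
    return {
        "model": model,
        "bits": entropy_bits(space),
        "seconds_worst_case": seconds_to_exhaust(space, guesses_per_second),
    }


def main() -> None:
    # Nixitur: 2**11 words, 4 of them, 1e11 guesses/s -> ~3 minutes worst case.
    xkcd = passphrase_report(2 ** 11, 4, 6)
    print("xkcd model:", xkcd["model"], round(xkcd["bits"], 1), "bits,",
          round(xkcd["seconds_worst_case"] / 60, 1), "minutes")
    # Carr0t: 100 keys ^ 8 chars vs 20'000 known short words ^ 4.
    print("8 random chars:", entropy_bits(search_space_random(100, 8)), "bits")
    print("4 of 20'000 words:", entropy_bits(search_space_passphrase(20_000, 4)), "bits")
    # Short words from a big dictionary: the letters model becomes the cheaper one.
    short = passphrase_report(170_000, 4, 3)
    print("4 three-letter words:", short["model"], round(short["bits"], 1), "bits")


if __name__ == "__main__":
    main()
```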

    • Starky says:

      To those saying that hackers need to get your password from the website database (well the hashed password) you are correct – you can’t brute force at the point of input (because of lockouts).

      But in situations like this where someone manages to get the encrypted passwords, it might be days, weeks even months before the trespass is discovered by the server admin – and in that time any 8 digit or less alphanumeric password can be broken by a single ATI 5770 GPU in 2 seconds, so they won’t need to brute force a login, they can just type the password correctly.
      9 Digits in about 2 hours, 10 in about 20 hours.

      A 4 digit number is secure if they have to manually guess it at the point of input (on the website like a user, or for example as a pin number for a bank card) but no hacker would ever bother with that, they’d be locked out after a few incorrect attempts. No they hack the database get the hashed password and then brute force the hash.

      Basically brute forcing the password is done locally, nothing is entered into the website they wish to access.
      Say the hash is “b18450a4854617620e942d439eb8a6a0”, there is no mathematical way to calculate the password from that hash, but you CAN calculate a hash from a password.
      So these programs use the GPU to hash every single possible letter, number and symbol combination, then compare the result to the original hash, and once they get “b18450a4854617620e942d439eb8a6a0” they know what the correct password is.
      They can then simply enter that password like a legitimate user.

      So again, 8 digit fully random symbol passwords such as:
      u”`/>HI8
      W0qhOhD#
      ;P*EP”_*
      wne%GQ&t
      QA`BMF:!
      c*T2.h/x
      y}udZ9aT
      All randomly generated using every key available on a common English keyboard can be brute forced in about an hour (letters and numbers only is 2 seconds) on a mid range GPU (5770). Which can manage about 3 billion password checks per second.

      Simply put, small weak passwords give them a large window of opportunity, from when they manage to get the password database and crack the password – to when/if the server admin of the website in question discovers the breach – which again might be days to weeks.
      Long passwords don’t – it takes too long to de-hash them.

    • Melf_Himself says:

      And to temper Starky’s fear-mongering:

      http://www.shamusyoung.com/twentysidedtale/?p=11523

      Salted, hashed passwords take a long time to crack.

      This is why current best security practice seems to be “change your password every few months”, not “every few minutes” :S

    • Starky says:

      That link gets some very fundamental things wrong – I’m no crypto expert, but it’s clear that neither is he.

      Salting doesn’t increase the time to brute force an individual password (well not much anyway – because the hacker knows the salt) – it slows them down by requiring them to decrypt each hash 1 user at a time rather than running a single pass and comparing every entry in the database at the same time (or even decrypting them based on known hash values), because every salt is different for every user.
      It’s quite easy to discover how the salt is added (at the end, at the start (some even add it every other character or other such patterns)) by simply brute forcing a known password.

      Simply put less complex (passwords that can only be lowercase and numbers for example that some bad sites still use) will still be brute forced in minutes if not seconds (using new GPU software such as ighashgpu) with or without salt.

      Proof: http://mytechencounters.wordpress.com/2011/04/03/gpu-password-cracking-crack-a-windows-password-using-a-graphic-card/

    • Xan says:

      @Nixitur I should have been more clear. What I meant was password strength is irrelevant if someone is trying to brute force it to get into your account. When someone already has the database with passwords it’s again irrelevant because what matters then is how the passwords were encrypted.

      Starky started with telling people to use safer passwords, why? If someone has the whole database it won’t matter how safe your password is, all that matters is how the database was encrypted.

    • Starky says:

      Xan, That is utterly, utterly wrong.

      It totally does matter. password strength is EVERYTHING (the only defence) against a brute force decrypt.

      Brute forcing works by trying every possible combination of characters, hashing them, then comparing the results to the hash from the stolen database. The hacker KNOWS the encryption – it is publicly available information – anyone can easily hash any string they wish. What stops it being useless is the fact that there is no mathematical way to de-hash a value back to the original string.
      You can only calculate every possible hash value then compare to the stolen hash, and when you get a match you have the password.

      Starting at whatever the minimum is for the password length of the site (say 6 characters) using the same rules the site enforces (so if it is lower case and numbers only maximum of 10 characters the hacker knows brute forcing any password will be fairly easy).

      Even if the hacker knows the length of the original password, a more complex password will still take longer to de-hash, simply due to the fact that there are more combinations that must be tried.

      Again a 5770 can compare at the rate of 3 billion per second – so it can chew through simple passwords (even up to 9 or 10 digits) in a matter of seconds to hours. Complex ascii passwords up that to days and weeks.

      So once again it is utterly wrong that password strength does not matter if a hacker accesses a table of hashed and salted passwords.
      In fact it is the utter opposite, password strength is the ONLY defence.

  2. Mitthrawn says:

    Aaand password changed. Pity, I had just memorized my 17 digit random alphanumeric password.

    (My steam account is worth more than my bank account (sadly/gladly?))

    • cafe says:

      gladly

    • space_ghost says:

      “(My steam account is worth more than my bank account (sadly/gladly?))”

      Wow I just realised the same thing! Not sure if I’m sad or happy. It’s a confusing emotion.

    • Quxxy says:

      My Steam password is more complex than my bank password because my bank doesn’t allow for long, complex passwords.

      After all, the security of my bank account is their top priority, so it only makes sense, right?

    • Lowbrow says:

      Relevant XKCD might save you some time memorizing:

      http://xkcd.com/936/

    • Stupoider says:

      http://imgs.xkcd.com/comics/password_strength.png

      Get it together Mitthrawn!

    • NieA7 says:

      I use KeePass Portable for all my passwords, lets me use different stupidly long passwords of random gibberish for every site, and so long as I remember my USB stick I can log in from any Windows machine.

    • LionsPhil says:

      If you’re sticking your password keychain in “any Windows machine”, it’s not the most secure thing in the world.

      This is the future. Surely you people have smartphone apps that can do this for you by now. (Along with remote wiping so you can reduce the risk of a thief sitting there brute-forcing the master.)

    • Mitthrawn says:

      I like that XKCD comic- but doesn’t not using numbers/grammatical keys reduce the time it would take to hack it? I guess you could just put a comma on the end or something to throw the infernal machines off.

    • NieA7 says:

      @ LionsPhil

      Well I only use it on machines that I’m prepared to log into anything on, which is to say “not most of them”. My point was more that by having it on a USB stick it gives you greater freedom than a local install. It’s also a lot more convenient to be able to copy and paste your 20 character gibberish password than type them in off a smart phone.

  3. Mike says:

    In before “I TOLD YOU. THEY CALLED ME MAD WHEN I REFUSED TO GO DIGITAL. MAD. WELL WHO’S MAD NOW.”

    Although obviously this is a shame.

    • johnpeat says:

      You’ve gone digital – you’re here – you’re as open as anyone :)

    • Mike says:

      I have nearly all my games on Steam these days, I wasn’t talking about me. :P

    • DigitalSignalX says:

      I was digital before it was sexy. In fact, I MADE it sexy, and I still don’t have a facebook or twitter account.

    • FataMorganaPseudonym says:

      In after lame “In before” comment.

    • The Dark One says:

      As that text is in all caps and related to video games, I’m assuming you’re quoting the Devil.

      I personally blame the cephalopods.

  4. ResonanceCascade says:

    Well shit. How long before the Half-Life 3 source code winds up on a torrent site?

    I kid, Valve. I kid.

    • MadTinkerer says:

      They might have defaced the forums because they were mad that the game development stuff is too secure to hack.

      Making Half Life 3 100% unhackable is easy for Valve: set up an internal network and cut off all internet connections to and from that network (except maybe one gateway if you really need offsite backups, but as long as those backups are properly encrypted they’ll be useless). That only leaves physical connections, and employee loyalty will prevent problems in that area.

      I work for a bank, so I’m required to take security consciousness training regularly. The two biggest concerns for my department are fraud / money laundering (which doesn’t matter because I don’t interact with customers myself) and privacy violations that can only occur by employees abusing access to privileged information. Basically it boils down to: If someone is fired, don’t let them in a restricted area even if they’re lovely, friendly people, who the customer is sending a check to is nobody’s business, and never let anyone plug a USB into anything else without permission. Hacking is a non-concern because of secure intranets*. Some computers have limited internet access (which has firewalls and such), but all the customer information is kept physically separate.

      *This is a technical term, not a misspelling.

    • diamondmx says:

      Well, if the hackers touch it up a bit, we might have Episode 3 sooner than we thought :D

  5. Teronfel says:

    But… my steam account is different from the forum one. How can they have my password?

  6. d34thm0nk3y says:

    Thank god for Steamguard, eh? :P

    • johnpeat says:

      THAT

      If you didn’t already have it activated, do so and you’re safe and sound (your account is – someone may be able to post to the forums as you but as they’re forcing password changes there, they can’t).

      Note: The only catch is if you use the same password for other accounts (with the same email address) – or god forbid, you use the same password FOR your email address (which is mind numbingly stupid).

      Thing is tho – someone defaced the Steam Forums – how could they tell? That’s like mad graffiti appearing in a madhouse surely? :)

    • Network Crayon says:

      Seems like this is set as standard.

      I’d never heard of steam guard until now.

      Also, using Paypal to pay for content must help a lot?

    • Eclipse says:

      they have our credit card info (even if encrypted), there’s no need for Steamguard to steal money from us…

      I really hope they’ll get those lamers and kick their stupid asses to jail. A jail with a lot of showers and soap bars.

    • Phantoon says:

      Gaben’s UNBLINKING EYE OF JUSTICE can tell the difference, always.

    • VelvetFistIronGlove says:

      So watch your credit card statement carefully. If you see purchases you didn’t make, contact your bank’s fraud department. They will refund the charges and issue you a new card.

      If you’re really paranoid, call your bank now and ask for a new card.

      Credit cards fail nicely. I’m not worried about my credit card being compromised, because I know I can get it sorted out easily.

    • lurkalisk says:

      Why is it that when hackers are brought up on a game related site, someone always mentions/alludes to prison rape?

    • spedcor666 says:

      I always assume it’s because some people get off thinking about that sort of thing. Whatever turns them on I suppose.

    • manintheshack says:

      @lurkalisk: No, I’m pretty sure Eclipse is just implying that they are naughty, smelly criminals.

    • Zenicetus says:

      @ VelvetFistIronGlove: “Credit cards fail nicely”

      Well, not that nicely, depending on the situation.

      I’ve had my bank catch CC fraud right away with automatic flagging of suspicious activity, before the statement was even sent for that month. Which is nice, but then they want to cancel the old card and issue a new one. I have a bunch of household stuff on CC auto-pay, like the internet connection, storage rental, and other stuff. Every time I have to enable a new card — and I’ve had to do it a few times due to fraud — it’s a major pain in the ass to track down all my auto-pay billing utility accounts, and inform them of the new CC details.

      Yeah, I know… get a separate card for the high-risk stuff, like gaming accounts. But multiple CC accounts will bleed you dry with fees. If anyone wants to know why some of us prefer to use something like Steam for almost all of our game purchases instead of “supporting Indie developers” or whatever… well, that’s why. It’s a drag that Steam was hacked, but that could happen anywhere. Sticking to one main digital distribution outlet minimizes the risk.

    • dragonhunter21 says:

      I’ve got Steam Guard set to email to my Gmail account, which itself is set to not allow you in unless you have a random six-digit passcode that’s re-generated every ten seconds on my phone. Saved my ass when Mt.Gox got hacked, I’ll say that.

    • VelvetFistIronGlove says:

      @Zenicetus Yes, it’d be a huge inconvenience, but no great financial loss.

  7. mrwonko says:

    “I am truly sorry this happened, and I apologize for the inconvenience.

    Gabe.”

    Somehow this part calmed me.

    • HexagonalBolts says:

      Aww, Gabe! Give us a hug big fella

    • siegarettes says:

      This was a very classy and sincere way to handle the compromise.
      Sony could learn something from this.

    • President Weasel says:

      I agree. It’s a classy statement and a far, far better response than Sony’s.

    • sneetch says:

      Yeah, I’m truly sorry they waited 5 days to tell us it was hacked. I mean I appreciate that they needed to investigate it but “the bad men” (theoretically) have a 5 day lead now.

  8. applecup says:

    Oh shit.

  9. _frog says:

    If the passwords are hashed and salted as they say, there’s no way for the hackers to find the user’s actual password from that info. So really there’s no need to change passwords.

    • Brumisator says:

      What does salting a password mean?

      All these encryption words recycling culinary terminology make me hungry.

    • mrwonko says:

      I think it means that instead of hashing the original password, you add something random at the end of the password, then encrypt it. So 123 gets turned into 123[randomgibberish], is then hashed. [randomgibberish] is of course saved, too, otherwise you couldn’t check the password later on.

      The advantage is that you can’t just compare the hash to a list of hashes of common passwords, you have to actually add the salt – which is different for each user – to the passwords and hash the result, then compare. That’s a lot slower, thus common passwords are harder to crack.

      Oh, regarding hashing: That’s a function for encrypting the password in a way that it cannot be decrypted again. For example you could save if the password’s length is odd. You wouldn’t be able to tell the original password based on that information, but of course you could easily find a different one that returns the same value when hashed, which would work as well, so the actual hashing functions are more complex.

    • Chufty says:

      Hurrah for someone talking sense. If passwords are hashed and salted, then no one has your password. Not even Valve. But you should be changing your passwords regularly anyway, so now’s as good a time as any, right?

      Hashing is a one-way process to secure passwords (there’s literally no way of getting the original text back). Salting just ensures that your hash doesn’t match someone else’s who has the same password as you.

    • iucounu says:

      Salting is good. An unsalted password hash is findable on rainbow tables. It’s how Anonymous hacked HBGary a while back. Here’s an awesome article over at Ars Technica on how they did it, with much interesting stuff about salts, SQL injection, and the like. http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars

    • fleabait says:

      Since the passwords are hashed, hackers would be unable to get the passwords so long as they are sufficiently strong. However, inevitably some users will always choose weak passwords. All it takes is for an attacker to brute-force hash many weak passwords looking for a match in the database, which indicates that a password was discovered.

      Salting is when a little extra (known) data is added to the password before it is hashed, which doesn’t improve protection for an individual user, since the data is known, but it makes an attacker’s job much harder because it means they can only brute-force one account at a time instead of all at once. It also gives protection against rainbow tables (which is just a huge lookup table which matches inputs to every possible hash output), but Valve was probably using a hashing algorithm which produces large enough digests so that rainbow tables wouldn’t be practical.

    • Roarster says:

      Salting doesn’t make it impossible to retrieve a password since the hackers will have the salt as well (it’ll be stored in the database along with the password). What it does mean is that they’ll have to decrypt one password at a time and they won’t be able to use a rainbow table to decrypt massive amounts of passwords at once.

      Basically it makes your password a lot safer but not completely safe.

    • ShatteredStone says:

      Salting hashes does not make your passwords invulnerable. It merely makes it take a little longer to find them, if they are “weak” enough to find (and many, if not most, are). The attacker simply won’t have the benefit of using rainbow tables or just one attempt per password.

      Many, many people choose “weak” passwords either out of ignorance, comfort, or carelessness. Many use the same password on their email account or on other gaming services. Many use variations on the same “base” (Steam password = hunter2, Desura password = hunter3, email-password = hunter4).

      Change your password(s). It’s the only way to be sure. And just hope that Valve implemented the CC-Crypto well enough.

    • AlexMax says:

      If you’re handling passwords in your web application, you should be doing all of the following things:

      * Secure your systems to the best of your ability. Keep up with bugfix releases of your favorite CMS, blog, framework, web server, database, operating system, and so on so you don’t get embarrassed by some six month old exploit.
      * Account for both short 8-symbol passwords with random symbols and long passphrases without said requirements. If my password is “RPS is the best blog in the world”, don’t limit me to 20 characters or force me to throw a $ in there when there’s tons of entropy in that password that is easy to remember and hard to crack.
      * Use a slow hash like PBKDF2 or bcrypt. Hashes like a single pass of md5, sha1 and all of the sha2 variants are designed to be fast to compute, which is precisely the opposite of what you want.
      * If you’re using PHP and want to use bcrypt, be extra careful that you’re using the correct incantation of crypt(), fucking it up has the potential to revert to some very insecure hashing defaults without giving you so much as a warning. In fact, just use the phpass library and save yourself the trouble.
      * Use a per-password salt, called a nonce. People have discussed salts before in this thread, but I’ve heard a lot of grief from developers who are scared to store the salt in the same place as the hash itself, since they think that storing the one-time salt in a config file makes them safer somehow. *rolls eyes*
      * If an intrusion happens, detect it early and preferably force your users to change their passwords on next successful login. Remember, it’s already game over, and you want to make sure that whatever passwords they get out of that database are useless. Of course if you took the rest of my advice it will probably take them at least a few years to get a single password, but better to be safe than sorry.

    • TillEulenspiegel says:

      Use a slow hash like PBKDF2 or bcrypt. Hashes like a single pass of md5, sha1 and all of the sha2 variants are designed to be fast to compute, which is precisely the opposite of what you want.

      Bears repeating. A few extra CPU cycles is well worth the massive, massive increase in security should the worst happen.

      Unfortunately, MD5 and SHA1 still seem to be by far the most common.
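
One way to put the advice in this sub-thread (per-password salt, a deliberately slow hash, and a forced password reset after an intrusion) into working code. This is an added example, not code from the thread or from Valve; it uses PBKDF2 from Python's standard library, and the iteration count, account names, passwords and timestamps are constructed assumptions.

```python
# Added example (not from the thread, not Valve's code): per-password salt,
# a deliberately slow hash (PBKDF2 from the standard library), and a forced
# reset of every credential that existed at breach time. All account names,
# passwords and timestamps below are constructed for illustration.
import hashlib
import hmac
import os
import time

# Assumption: tune this so one verification costs on the order of 100 ms
# on your hardware; every guess an attacker makes pays the same price.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    The salt is random per password and stored beside the digest; it is not
    secret, it only stops one precomputed table from covering every account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- why the salt matters: one lookup table vs. many accounts ---------------
COMMON_PASSWORDS = ["hunter2", "password", "123456", "letmein"]  # constructed


def lookup_table_hits(stored_hex_digests):
    """Count how many stored SHA-1 digests one precomputed table of common
    passwords matches. SHA-1 appears here only for contrast: it is the fast,
    unsalted style of hashing the thread argues against."""
    table = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}
    return sum(1 for h in stored_hex_digests if h in table)


def salt_defeats_precomputation():
    """Three constructed accounts that all chose 'hunter2'. Returns
    (hits against an unsalted store, hits against a salted store)."""
    pw = b"hunter2"
    unsalted = [hashlib.sha1(pw).hexdigest() for _ in range(3)]
    salted = [hashlib.sha1(os.urandom(16) + pw).hexdigest() for _ in range(3)]
    return lookup_table_hits(unsalted), lookup_table_hits(salted)


# --- after an intrusion: make what was in the database useless --------------
class UserStore:
    """Minimal credential store with a per-record 'must_reset' flag."""

    def __init__(self):
        self.users = {}  # name -> {"record", "created", "must_reset"}

    def register(self, name, password, now=None):
        self.users[name] = {"record": hash_password(password),
                            "created": time.time() if now is None else now,
                            "must_reset": False}

    def mark_breach(self, breach_time):
        """Treat every hash that existed at breach_time as stolen: the user
        must pick a new password on the next successful login."""
        flagged = 0
        for u in self.users.values():
            if u["created"] <= breach_time and not u["must_reset"]:
                u["must_reset"] = True
                flagged += 1
        return flagged

    def login(self, name, password, new_password=None, now=None):
        """Returns 'denied', 'reset_required' or 'ok'. A flagged account gets
        in only by supplying a different new password, which replaces the
        hash the attacker may hold."""
        u = self.users.get(name)
        if u is None or not verify_password(password, u["record"]):
            return "denied"
        if u["must_reset"]:
            if not new_password or new_password == password:
                return "reset_required"
            u["record"] = hash_password(new_password)
            u["created"] = time.time() if now is None else now
            u["must_reset"] = False
        return "ok"
```

Running it shows that a single table of common-password digests matches every unsalted account that chose the same password but none of the salted ones, and that a flagged account cannot keep its old password once the breach is marked. The iteration count is the knob the "slow hash" comments refer to: raise it until verification is as slow as your login path can tolerate.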

    • LionsPhil says:

      This seems like a good time to point out BozoCrack. Salt is important.

  10. johnpeat says:

    It’s worth noting that this is – for now – a problem with the Steam FORUMS and not the Steam client.

    If you used the same password for both – DOH! DUH! DIM! – change them both and make them different.

    I don’t have a CC on Steam (I use PayPal) so that’s not a problem.

    “Purchase History” – is publicly available anyway

    Did I miss anything?

    • dsi1 says:

      Yes, yes you did, apparently SPUF and Steam/Valve’s databases are linked somehow, enough for someone to get into them and (possibly) take encrypted (thankfully) credit card info.

  11. pakoito says:

    Even though it’s a fucking shame, at least these guys look legit. Salted, hashed and encrypted info and 3 days delay on informing and asking for passwords.

    • applecup says:

      Hey, it’s still miles better than Sony’s “yeah, let’s transmit passwords and credit card details unencrypted, and wait a week or two before we tell everyone their accounts have been compromised”.

  12. roBurky says:

    Oh.

    I’m not even sure if I have a Steam forum account.

    Edit: After a few failed attempts to log in, it seems I probably don’t. Phew.

    • CMaster says:

      “found that the intrusion goes beyond the Steam forums.

      We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.”

      So if you have a Steam account of any form, you need to be worried.

  13. caddyB says:

    What a shame.

  14. ts061282 says:

    Whatever happens, I’m sure there’s a TF2 hat in this somewhere.

    • johnpeat says:

      I WOZ HACKED Hats – available soon to anyone who has their account trashed by random lunatics(*)

      (*) evidence that you have a PSN or XBL account (which has almost certainly been hacked or robbed) will cover this.

    • Phantoon says:

      Xbox Live IS robbery.

  15. Wulf says:

    SteamGuard and the fact that the passwords were hashed and salted removes any care that I could have had about this. Sony could learn from these guys. Yeah, they were hacked, but the damage is minimal. Even if someone DID figure out your password, your Steam account is still linked to your computer.

    • johnpeat says:

      It’s always surprised me that they used an ‘off the shelf’ forum package (Blizzard do too) because if there’s a security hole to be found, it will be in one of those fuckers…

    • Magnetude says:

      Reassured that I had to go to my emails to get a code to put in when I went to the website to try and change my password, discovered you can’t do it through the site, loaded up my Steam client and was prompted for another emailed code before it’d consider a change password request. They seem to understand what security’s about.

    • Saiko Kila says:

      I don’t think SteamGuard works for forums. The forum is offline now, but you can still log into it. It doesn’t ask me for a code on a new machine (or old, actually changing the motherboard is enough for it) when accessing forums. It asks only when accessing the Steam account, which uses a separate password.

    • Wulf says:

      Who cares about the forums, really? Do you? Do I?

      Oh no, someone is running around parading as me and pretending to be me. Unless they’re incredibly fucking talented, they’d have a hard time emulating me. I’ve seen people try, it’s just not doable because there’s a fairly unique signature to the way I write. A bunch of people tried it once and we were swapping names, I was the obvious one every time.

      So I’m not bothered by that. If someone did steal my online identity (oh no!) then the people who know me will have figured that out within a matter of sentences. I don’t know why, mind you, but this has always been a thing. So I’m really not bothered by that.

      What am I bothered by?

      I’m bothered by the thought of losing my Steam games or my credit card details. If this was Sony, I’d be pissed, because Sony have proven time, and time, and time again that they haven’t the first clue what this “security” thing is, or how to put it to good use. But Valve? Just look at the example above. It’s Valve. Valve understand security, we’re not going to get fucked over by them.

      People wonder why I swear by Steam. See? This is why. Valve was hacked, but the damage was minimal. You won’t need to panic, you won’t need to cancel your credit/debit card, you won’t need to worry about all your games being stolen from you. Because Valve gets security.

      Heavily encrypted databases get discovered all the time, it’s fairly common, you don’t hear about it, but it does. Keeping them out of the hands of other people isn’t important because you may have some jerk working for you that may just leak them anyway. You have to assume worst case scenario, you have to encrypt them, heavily. To the point where it would be damn near impossible to crack them.

      You can bet Valve did.

      And yeah, I’m not surprised that the hackers got in through a probably horridly coded third party forum solution. Valve should have written up their own, really. At the very least, they’ll probably go over this with a fine tooth comb, now.

      But yeah, I’ll still stand by Valve, because they understand security, they understand worst case scenarios. If this had been GoG, or Gamer’s Gate… would they be quite so prepared? I’m not sure if my answer would be yes. :P I’ve never revealed all of my reasons for standing with Steam as I do, but ridiculous security is one of them. SteamGuard wasn’t the beginning of it, it was just a really nice step up and evolution from what they already had.

    • Muzman says:

      This post is far too short for a Wulf second post.
      Impostor!

    • mod the world says:

      A reference to GW2 superiority is also missing. Someone probably hacked his account.

  16. Fumarole says:

    I changed my password several days ago when I learned this happened.

    • Meusli says:

      When did you find out about it? Seems a bit late for Steam to be telling us now.

    • Fumarole says:

      It was mentioned in one of RPS’ threads or article comments. I forget where exactly.

    • Andy_Panthro says:

      I first heard about it on Twitter on Monday I think, someone had noticed that the forums were odd.

    • bill says:

      I asked why RPS hadn’t mentioned it yet in one of the comment threads yesterday, and there was a (surprisingly mostly ignored) post in the forums before that.

      But the general gist was up on Joystiq, Kotaku, etc… 3-4 days ago.

  17. Velvetmeds says:

    “If you have used your Steam forum password on other accounts you should change those passwords as well.”

    Well damn. There’s one problem. I don’t remember what my password for the forums was >_>

    Steam forums are still down right?

    • johnpeat says:

      LastPass.com – never use the same password twice again – never have to remember one either…

    • Brumisator says:

      So instead of having separate passwords to protect all your accounts separately, you have one big password which would give hackers complete access to everything…yeah, I’ll pass.

    • Velvetmeds says:

      Well mighty thanks man

      Looks like I’ve got something to entertain myself with until Skyrim is unlocked in 45 minutes

    • Magnetude says:

      What Brumisator said… Surely LastPass only works until someone steals your laptop?

      Y’all need to get a formula, beats remembering/writing down individual passwords. I’ve got about forty different passwords, don’t need to remember any of them – just need about 10 seconds to work it out if it’s one I haven’t used in a while.

      Which itself only works until a particularly clever person finds two of my passwords to compare (or one in a nightmare scenario) and cracks all my passwords simultaneously. Ho-hum.

    • Velvetmeds says:

      What laptop? And you don’t save the “master” password, only you know it.

    • Magnetude says:

      Well played. I’ll take my leave now, but I ask only that you consider this recommendation from the LastPass homepage:

      “It’s so easy – FOX News”

    • Velvetmeds says:

      Oh damn. That “so easy” might even be a reference to hacking lastpass!!!!!

    • Starky says:

      Keepass is a much better solution imo.

      Stores passwords locally under a master password, fully encrypted, is open source – so you can be fairly sure there’s no dodgy code in there spying or broadcasting data, and no malicious security holes or improper encryption implementation (if there was it would be quickly flagged).

      Obviously the only real flaw in the system is the master password – as it is stored (encrypted) where KeePass is (locally or, like me, on a USB stick).
      But then in order to break your passwords not only would a hacker need to have accessed your actual computer files, but then break (what should be) a complex password.

    • Wulf says:

      There is a lesson for everyone, here.

      Use throwaway passwords for forums. That is all. Yes, including for RPS. If it’s nothing to do with money or valuable data, you should just use throwaway passwords for it, because it’s eventually going to be hacked anyway, and then people are going to use that to figure out how you go about passwording things, then they’re going to use that information to steal from you. If they can.

      Seriously…

      This site;
      Every site like it;
      Gaming sites;
      Forums;
      Comic sites;
      Every unimportant site…

      USE A THROWAWAY PASSWORD.

      Being paranoid helps. 8D

    • Starky says:

      Oh and !!!WARNING!!!

      8 Digits IS NOT ENOUGH!

      Hell 10 digits isn’t – but 8 is a joke.

      Any standard “human” password (As in not random ascii; a few letters [1 or 2 upper case], a couple of numbers and 1 or 2 common punctuations [fullstop is the most common]) can be broken in 2 seconds.

      Yes, 2 seconds based on GPU driven brute forcing software and an average GPU.

      Hell, even fully random 8 char gibberish passwords can be GPU broken in hours or days rather than the years a CPU would take.

      12 will give you years, but faster GPUs are quickly (frighteningly quickly) making even 12 alphanumeric passwords useless.

      I’d highly recommend everyone to use 1 highly complex master password (a complex mnemonic of at least 15 characters with at least 3-4 numbers and 3-4 punctuation)
      Say something like:

      I WANT ten BIG apple pies for my (50th) birthday (remembering the capitals by stressing the words)
      iW10Ba3.14sfm(50th)bd

      Easy phrase to remember (with some practice), solid 21 digit alphanumeric (+) password.

      Then use that with a password manager – hell a 256 bit AES encrypted 7-zip with a text file in works in a pinch.

      Edit:
      Like Wulf though I also use a standard “who gives a fuck if they hack it” password (9 digit) for sites that never contain any personal data that can’t easily be found by a quick google of my real name.

      Anything with any sensitive data, however (email, shopping, banking, paypal, steam, business contacts, names/addresses etc, etc…), has a complex long (20-40 character, depending on the limit of the site in question) randomly generated password hidden behind a complex master password, stored on a USB drive on my keyring.

    • stupid_mcgee says:

      Gotta agree with Starky on KeePass. Great little program. Recommended to me by an admin on MajorGeeks, and I trust that site pretty highly.

    • Maktaka says:

      “Y’all need to get a formula, beats remembering/writing down individual passwords. I’ve got about fourty different passwords, don’t need to remember any of them – just need about 10 seconds to work it out if it’s one I haven’t used in a while.” So very much this. It’s strong, it’s easy, and you’ll never have repeat passwords for anything. Take the name of what you’re logging into, alter it in some way, and salt it with an extra phrase that you use everywhere. For example, if you’re logging into RPS:

      Rock Paper Shotgun
      shotgun
      nugtohs
      nugtohsB1rd (because you’re a hipster, so you put a bird on it)

      Quick, easy, and you’ll always know your password for everything. Gmail would be “liamgB1rd”, Steam would be “maetsB1rd”, and so on.

  18. Post-Internet Syndrome says:

    Turning on that steam guard feature now. And guess I’ll have to change the password too.

  19. Demiath says:

    Don’t destroy my hope for a digital-only future, you Anonymous Internet Hacker Scum. The next stage in human evolution will be tweeted, damn it…

  20. Xocrates says:

    Here’s to hoping Steam Guard works then.

  21. johnpeat says:

    Dear Gabe,

    Thanks for your concern and quick actions – I’ve changed my password, now any chance of Skyrim for £10 off? :)

    • mmiasmostati says:

      Surely Half-Life 2 would be more appropriate?

    • Thermal Ions says:

      Surely you can’t want us to believe there’s someone with a Steam account that still doesn’t have HL2?

  22. CommanderZx2 says:

    Attention grabbing headline “Steam Hacked?”…

    When in truth it was just the forums and so people should stop worrying.

    • Post-Internet Syndrome says:

      Did you read it at all? Gabe said himself that they got access to a database separate from the forums, containing all sorts of goodies.

    • DickSocrates says:

      “We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”

      So yeah.

      When I try to change my password, it says to me ‘Steam cannot currently process your request’

      Does this mean it’s down or that I’m entering the wrong existing password? I can’t offhand remember what it is, but have a combination of things it might be, so I’m not sure what the problem in this case is.

      EDIT: It gives that error message when you enter the wrong password, I finally figured out what my actual password is and it worked. I have a password system with variables and the last time I had to log into Steam was a year ago!

    • Durkonkell says:

      SERIOUSLY READ THE DAMN TEXT.

      “We learned that intruders obtained access to a Steam database in addition to the forums”

      SERIOUSLY.

    • PleasingFungus says:

      “We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”

      Read the post again.

      EDIT: in the time it took me to post this, three other people posted the same thing.

      Go team RPS commenters, I guess!

    • LTK says:

      Maybe you should try reading beyond the headline.

      Wow, that was some quick correcting. Five replies before I even saw one.

    • CommanderZx2 says:

      Try reading it again yourself:
      user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked.

      So they got user names, names of games you purchased, maybe email addresses and billing address. The rest is encrypted and unreadable to them. Big deal. I am sure we can get your email addresses off Facebook or some other sites, also mailing addresses are available all over the place such as election registry.

      I am sure our own government sells most of this personal information to third parties for money already anyway.

    • Durkonkell says:

      How serious the threat is is irrelevant to this discussion. You were complaining about RPS using “Steam Hacked?” (which has now changed) as their headline saying that it was “just the forums” when in the first line it says “the intrusion goes beyond the Steam forums”.

      You didn’t read the article!

  23. kud13 says:

    ger. I made a Steam forums account last week, to inquire why my Cossacks Art of War wasn’t launching properly.

    shoulda waited a few weeks.

  24. Nathan says:

    I hope someone from Valve will read this, but it’d be reassuring to know in what way our passwords were hashed and salted.

    • Saldek says:

      In what way were they hashed and salted? Well, I’d assume they were cut into small pieces and recooked (probably with potatoes) and salted to taste. There’s really not much to it. I’d rather find out how they poach their eggs.

    • VelvetFistIronGlove says:

      Saldek wins RPS today.

    • Loopy says:

      Haha, brilliant Saldek. :D

    • TillEulenspiegel says:

      Assume it’s not bcrypt and act accordingly*. Because it probably isn’t.

      * If you used a reasonable password (not based on a dictionary word, 8+ characters alphanumeric) you should be changing any other accounts which used the same password within the next couple weeks.

      If it’s a crappy password that you also used on other important stuff, panic and change everything now now now.

  25. asshibbitty says:

    When Sony got haxxord I was like “aint gonna happen to Valve or MS cuz they know their shit and aren’t a completely dysfunctional outfit to boot” :/

    • ResonanceCascade says:

      It’s not getting hacked that’s the problem — almost ANYONE can be hacked, regardless of security efforts — it’s having the important information locked down correctly that matters. And it appears that Valve did everything right in that regard.

    • asshibbitty says:

      The right thing to do would be to automail every user telling them to change the password, not to slip a note to a blog. What is this, put that pie down JESUS

    • Delusibeta says:

      They did. http://i.imgur.com/3Qjir.png

      The problem is that you need to turn ads on.

    • ResonanceCascade says:

      You can turn off ads?

      My incompetence saves me yet again!

    • asshibbitty says:

      That’s the thing that pops up when you quit a game, right? Yeah that’s not how you do it. At least most people won’t disable it since it’s worded like “want to disable update notifications, DLC notifications and uh want some pie? also ads”.

    • ShatteredStone says:

      Any (yes, ANY) bigger website can be “hacked”. The question is how you deal with such attacks and whether you even notice them if they succeed. Valve are not gods, their systems are fallible. They did it right though; passwords hashed/salted, cc info encrypted, SteamGuard, user notification in spite of having no evidence of actual account break-ins due to this, etc.

      Sucks that it happened. May happen again. But at least they don’t screw up so very royally as certain other “vendors” do.

    • asshibbitty says:

      BRB hacking Google.

  26. Leelad says:

    Comes from a Chinese URL shortener….I would avoid!

  27. Tachanka says:

    well, they aren’t letting me change my password at the moment

    • DickSocrates says:

      You sure you’re putting in the correct existing password? The message it gives for an incorrect password when trying to change it makes it sound like the service is down, but it isn’t.

  28. Aemony says:

    Steam Guard should be sufficient protection for my Steam account, so the only precaution I’m taking is changing my e-mail password, as that is the main key in the whole environment. Without access to the e-mail they won’t be able to circumvent Steam Guard and as such, they will be unable to access it.

    <3 Steam Guard.

    • jezcentral says:

      Whilst I agree that Steamguard will protect your games, I don’t think the hackers give two hoots about using your account to purchase games for free. They want your credit card details, so they can waltz off into the sun and spend it on more frivolous things.

  29. Zarunil says:

    Covered by Steam Guard, so I won’t be affected by this (hopefully).

    Doesn’t matter if my forum account got stolen, as I don’t use that password for other sites (I think).

  30. Siimon says:

    “This database contained information including [...] email addresses, billing addresses.”
    sort of contradicts
    “We do not have evidence that [...] personally identifying information were taken by the intruders”

    Also, why was personally identifying information, such as billing address, not encrypted? They only say CC#’s were.

    Or am I reading this wrong?

    PS. Jamestown DLC is out <3

    • Soundish says:

      The way I’m reading it it looks like, Gabe is saying the database was accessed but they don’t know if anything was taken

    • Siimon says:

      That’s what I read... But if they had access to the database I’m assuming they downloaded it, which means they have the info. I doubt there are all too many hackers that would deface and do nothing else; even if it’s not a criminal hacker that did this I’m sure even scriptkiddies would download the data and sit on it…

    • Soundish says:

      Plus unlike Sony, Valve actually encrypted the CC info

    • Veracity says:

      Jamestown DLC is only new craft/characters; not sure I see the sense in that when most people have surely already settled on what works for them and don’t use anything else (and that it’s gunner, because everything else is relatively crap, or maybe beam if they just want something easy to manage and don’t care about scoring or how hard Croatoa will be). I would’ve thought more challenge events would have more value, but maybe most people don’t pay much attention to those. It is silly cheap like the torrent of absolute tat that got puked all over Magicka, to be fair. I’m still having it because the powder keg thing looks like it might be what the exploding shot ship no one uses ought to’ve been, so I want to give that a go.

  31. oceanclub says:

    Steamguard is definitely reassuring; I’ve been using it for a while.

    While, if the passwords are hashed, there’s no need to change your password, I’d still change it anyway. There’s _always_ a small chance that it was recorded in plaintext at some point; better safe than sorry.

    P.

  32. pupsikaso says:

    They might not have evidence that the CC# encryption had been cracked, but if they got the numbers it’s only a matter of time until they figure out how to crack it. And it’s already been 4 days. So I suggest that anyone that had used a credit card with steam (I’m not sure if it should be everyone or just the ones that used the checkbox to store the credit card info with steam) should call their bank and change the credit card. You’ll have to wait a few days for them to mail you the new card, but I think that’s a small price to pay for your financial security.

  33. BurningPet says:

    I am really not a steam fanboy, but damn, something about gabe just transmits calmness and fairness directly into my brain!

  34. Kaira- says:

    Um, wasn’t this hacking of the forums known for… two or three days? If so, quite slow action telling people, but still better than certain services I could mention.

    • zeroskill says:

      Yeah there has been a post on Facepunch for 3 days now saying the Steam Forums got hacked. Nobody seems to know when Valve themselves found out that other information has been compromised. They could just have done it like others and kept quiet about it.

    • stupid_mcgee says:

      They knew the forums had been hacked, but not the database. My guess is that they were looking into the forum fiasco and then found out about the DB, wanted to assess what was going on and what potential damage might have been done, and then said something about it. It’s not like they’ve been sitting on this for weeks on end. SPUF went down on the 7th. That’s pretty good communication. I’m sure they’re also having to deal with both FBI and Secret Service right now as well.

  35. James G says:

    Bugger. Changed Steam password, which was unique anyway. Annoyed that I had credit card info associated with the account, I removed it when Sony was hacked, but it slipped back on there. They say it’s all encrypted though, which is good. Can’t get onto the forums to change that password yet, but again, unique.

    Actually, a question about stored credit card data. Do they actually store the numbers, or just a token? Obviously some places will do things the wrong way, but if storing tokens is a possibility then it would make security a hell of a lot better.

    Edit: Hah, just realised my card expires at the end of this month anyway. I can’t see the encryption being broken before then. Will keep an eye on it though.

  36. rocketman71 says:

    Well, that requires a big FUUUUUUUUUUUUUUUUUUUUUUUUUUUCK.

  37. Ultra-Humanite says:

    Never registered on the forums and with Steam Guard, it’s a non-issue for me.

    • Reikon says:

      Whether you have a forum account or not doesn’t seem to matter. It sounds like they were able to access the main Steam database.

    • Ultra-Humanite says:

      Except the key word there is “seem to” because you don’t really know. And regardless, it’s a non-issue anyway. You can either panic like chicken little and go through needless hassle or you can be vigilant like you should have been anyway and not need to worry.

  38. Spinoza says:

    Whatever, Gabe.
    Now, where is the Thanksgiving Sale? (holding wallet ready)

  39. man-eater chimp says:

    Well it’s usually good policy to change passwords semi-regularly anyway (apparently) so I did my Steam one just in case. Steam Guard now seems like a good idea!

    • Lowbrow says:

      That’s more of a high-level security procedure, spy stuff. Changing your password doesn’t prevent you from being compromised so much as stop the access of someone who is silently accessing a compromised account.

  40. Delusibeta says:

    My Steam account password is an old password that I’ve stopped using elsewhere, plus SteamGuard means that should be safe. My Steam forums password has been leaked before (Nexus forum hacking), so not a big deal. More worrying is the fact that they might have encrypted credit card details. Thankfully, I’ve never saved my billing address and credit card details, and my last Steam purchase was the Halloween sale, so *hopefully* they’ve disposed of the details.

  41. Electricfox says:

    It was only a matter of time really, the sharks have probably been circling for a while, looking for a weakness. Kudos to Gabe and team for dealing with it quickly once the scope of it was realised.

  42. Veracity says:

    But I don’t remember what my account password is. Steam does, which is the only reason I’ve been able to connect to it for a while. I suppose I should try to get that fixed at some point.

  43. Monkeh says:

    It’s the end of world I tell you!

  44. bit_crusherrr says:

    Where are my free games, Gabe.

  45. ilurker says:

    Salting doesn’t make weak passwords invulnerable, as xkcd demonstrated amusingly.

    • diamondmx says:

      The comic you reference has nothing to do with Salting passwords. It has to do with alphanumerics/symbols being used in a password vs having a long password.

  46. wazups2x says:

    I only use PayPal. I’m safe. :)

    • pupsikaso says:

      Lol, I hope you’re being very sarcastic.

    • johnpeat says:

      He’s safe from any intrusion into Steam’s system as he wouldn’t be so daft as to use the same password on PayPal and Steam…

    • wazups2x says:

      Nope, being very serious. :)

      And yep, I use a different password for almost everything.

  47. Buemba says:

    Thankfully I got a free year of identity theft protection out of the PSN hullabaloo, so now I guess we’ll see how effective that is.

    Also, any recommendations for a password manager?

    • ShatteredStone says:

      KeePass does what it advertises and runs on practically everything.

      If you think LastPass is a good idea, you are beyond help.

      If you want distributed/shared copies of your passwords, consider KeePass+DropBox (or any similar service).

    • James G says:

      How is LastPass any less secure than KeePass + Dropbox?

    • purdz says:

      LOL!

      You mean the same dropbox that earlier this year let anyone into anyone’s account with just a username and no password required??

      LastPass is pretty damn secure. Especially if you use it with Google Authenticator or a Yubikey and also an email address that is set up purely as your LastPass account name and doesn’t get used for anything or sent to anyone.

      Everything sent to lastpass is encrypted and decrypted LOCALLY ON YOUR COMPUTER meaning lastpass only store the encrypted data which means even they can’t access it. So if you lose access to your email account and lose your password you lose your lastpass account as they can’t reset it.

    • Kaira- says:

      I’d argue against using Dropbox for storing sensitive data, since it’s not really secure. http://www.wired.com/threatlevel/2011/05/dropbox-ftc/

    • johnpeat says:

      I like Dropbox but I don’t – even for a second – consider it a ‘secure’ solution – and I’d not store passwords or anything like that within a million miles of it.

      LastPass is pretty excellent I reckon – their recent adoption of Google Authenticator codes makes them even more secure – in fact I’d say they were about as secure as it’s possible to get without landmines and laser beams…

    • Lord Custard Smingleigh says:

      Dropbox stores all my passwords. I don’t really mind its insecurity, my password file is encrypted. I wrote the encryption myself after reading papers on current techniques, and I’ll rewrite it if weaknesses are found, so I trust that security. Otherwise, go nuts trying to guess my 43 character password with letters, numbers, and punctuation. Hint: Does not use euro signs.

    • TillEulenspiegel says:

      LastPass does all the encryption client-side with the magic of Javascript. It’s good stuff – if you lose your master password, you’re probably screwed. (“If at this point you have failed to remember your password, your account hint didn’t jog your memory, and you’ve tried the password recovery on every machine you’ve logged into, your only recourse is to delete your account and start over.”)

    • JagRoss says:

      You’d be even more screwed if you forgot your KeePass password though.

  48. Velvetmeds says:

    Lol, Steam is going nuts. 2 “false” daily deals on the news page. Happened before, I know.

    I’d jump on that EYE 50% off deal like a shark. If only it were true.

  49. kyrieee says:

    “Salting doesn’t make it impossible to retrieve a password since the hackers will have the salt as well (it’ll be stored in the database along with the password).”

    Exactly, but if you have a good password it probably won’t be broken.
    I wonder how the CC details are stored though.

    edit: fail reply, goddammit
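
    The two salting comments above (ilurker’s, and the quote kyrieee replies to) make the same point: the salt sits in the dump next to the hash, so it stops an attacker from precomputing one wordlist table and cracking every user with a lookup, but it does nothing for a user whose password is in the wordlist. The script below is an added example written for this page, not Valve’s code or anything from the article. The user names, passwords, wordlist and the PBKDF2 parameters are all invented here; the “unsalted” table is the anti-pattern it contrasts against, not a claim about how Steam stored anything.

```python
"""Salted hashing vs. an offline dictionary attack on a leaked user table.

Added example for this thread; all data below is constructed, not real.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor for the example; tune to your hardware

# Constructed sample user table (names and passwords invented for this example).
# Two users share a weak password; the third uses a long passphrase.
USERS = {
    "gordon": "password",
    "alyx": "password",
    "barney": "lambda complex crowbar morning 1998",
}
# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "letmein", "halflife3", "dragon", "steam2011"]


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest): fresh 16-byte random salt per user, PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, stored, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def build_leaked_table(users=USERS, iterations=ITERATIONS):
    """What an intruder gets from the database: (salt, hash) per user."""
    return {name: hash_password(pw, iterations=iterations) for name, pw in users.items()}


def unsalted_table(users=USERS):
    """The anti-pattern for contrast: one plain SHA-256 per password, no salt."""
    return {name: hashlib.sha256(pw.encode("utf-8")).digest() for name, pw in users.items()}


def attack_unsalted(leaked, wordlist=WORDLIST):
    """Hash the wordlist once, then every user is a dictionary lookup.
    Returns (cracked, number_of_hash_computations)."""
    table = {hashlib.sha256(w.encode("utf-8")).digest(): w for w in wordlist}
    cracked = {name: table[h] for name, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def attack_salted(leaked, wordlist=WORDLIST, iterations=ITERATIONS):
    """The salt is in the dump, so guessing still works; the attacker just
    pays one KDF call per (user, guess) instead of sharing work across users.
    Returns (cracked, number_of_kdf_calls)."""
    cracked = {}
    kdf_calls = 0
    for name, (salt, stored) in leaked.items():
        for guess in wordlist:
            kdf_calls += 1
            if verify_password(guess, salt, stored, iterations):
                cracked[name] = guess
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    plain = unsalted_table()
    print("unsalted, same password -> same hash:", plain["gordon"] == plain["alyx"])
    print("unsalted attack:", attack_unsalted(plain))
    salted = build_leaked_table()
    print("salted, same password -> same hash:", salted["gordon"][1] == salted["alyx"][1])
    print("salted attack:", attack_salted(salted))
```

    Run as-is, the unsalted table cracks both weak accounts with six hash computations and one lookup each, while the salted table costs ten PBKDF2 calls for the same two accounts and leaves the passphrase user untouched because the guess never appears in the wordlist. The per-user cost is what salting plus a slow KDF buys; it is why the “change your password anyway” advice in the article still applies to anyone whose password is short or common.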

  50. Donkeyfumbler says:

    Lastpass is great but I wouldn’t trust it with my passwords to anything important. All those forum and website passwords fine – anything to do with Google, email, digital distribution (like Steam) or anywhere that holds my financial info is in my noggin.