News

Steam Hacked, Database Accessed

Gabe is "truly sorry".

Steam users will find a message from Gabe Newell when they next sign into the service.

“Our Steam forums were defaced on the evening of Sunday, November 6,” begins the message. “We began investigating and found that the intrusion goes beyond the Steam forums.”

It appears intruders got access to a Steam database in addition to the forums.  The database contained “user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”

Valve claim that whilst they don’t have any evidence that the card numbers or personal information were taken, they are “still investigating” and suggest you “watch your credit card activity and statements closely.”

All Steam forum users will have to change their passwords the next time they log in.  “If you have used your Steam forum password on other accounts you should change those passwords as well,” advises the message.

We remind all users to ensure passwords are unique for every site and service.

56 Comments
  1. Burgess_101
    Member
    Since: May 2009

    you're welcome ;) but on a serious note this is really worrying, yet another one bites the dust :/

    Comment posted on 10/11/2011 at 23:25.
  2. zb100
    Member
    Since: Aug 2008

    Nightmare!

    Comment posted on 10/11/2011 at 23:27.
  3. IAmJacksMedullaOblongata
    Member
    Since: Nov 2011

    What the hell is a “salted” password?

    Comment posted on 10/11/2011 at 23:28.
    • zb100
      Member
      Since: Aug 2008

      An encrypted password.

      Comment posted on 10/11/2011 at 23:43.
      • zb100
        Member
        Since: Aug 2008

        Just wait until they start factoring in layers of deniable plausibility to passwords…

        Comment posted on 10/11/2011 at 23:44.
      • zb100
        Member
        Since: Aug 2008

        Oops, I meant deniable encryption!
        http://en.wikipedia.org/wiki/Deniable_encryption

        Comment posted on 10/11/2011 at 23:56.
      • Uhyve
        Member
        Since: Sep 2008

        Hmmm, yes and no, it’s still a hashed password. It just makes it a whole lot harder to crack a whole database of passwords. The salt is a sort of modifier for the hashing algorithm, so that every password can essentially have its own hashing pattern.

        Salting is really just a way to make passwords more effort than they’re worth. Don’t worry about the CC info though, that’s actually encrypted, unless the hackers have access to a quantum computer, you’re pretty much safe…

        Comment posted on 11/11/2011 at 02:05.
      • cc_star
        Team TSA: Writer
        Since: Forever

        Depending on a) the level of encryption b) how quickly the key for it is generated by chance by their software/script, although unlikely it could happen.

        Name, address, DoB etc is still useful for identity theft though.

        Will be interesting to see how Valve differ from Sony in the aftermath

        Comment posted on 11/11/2011 at 10:36.
      • plambey
        Member
        Since: Nov 2009

        welcome back packs all round

        Comment posted on 11/11/2011 at 11:33.
      • Bladesteel
        Member
        Since: Sep 2008

        “hashed and salted passwords”

        This is already more information than we got out of Sony. They never said if the passwords were salted or not, which makes me believe they were not.

        Now can we please have the details of the encryption too?

        Salting does not make brute force attacking a single password significantly harder.

        If you have a list of, let’s say, 10000 unsalted passwords. You could do a brute force attack against the list and in about 1/10000th of the time you would have a match on a random one. (Because you could compare the hash of “hunter2” to all the hashed passwords)

        Salting means that the attacker would have to calculate the hash with the salt for all the passwords, making it no faster than attacking a single password. (because the hash of “hunter2” would be different for all the different salts).

        @zb100
        Hashing isn’t encryption, because encryption is intended to be reversible if you have the key. Hashing has no key, all you can do is hash whatever you think the plaintext may be, and then compare.

        Comment posted on 12/11/2011 at 09:36.
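Editor's note: the comment above is the clearest explanation of salting on the page, so here is an added worked example (not part of the original article or of any commenter's post) that measures the difference it describes. The sample accounts and wordlist are constructed for illustration; SHA-256 with a random 16-byte salt is an assumption, since the article does not say which hash or salt scheme Valve used.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the breach): four accounts, two sharing a
# password, and a short attacker wordlist. SHA-256 is an assumption for
# illustration; the article does not say which hash Valve used.
ACCOUNTS = {
    "alice": "hunter2",
    "bob": "correct horse",
    "carol": "hunter2",
    "dave": "letmein",
}
WORDLIST = ["password", "123456", "hunter2", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain hash of the password: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash of salt || password; the salt is stored in the clear next to it."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_unsalted(accounts: dict) -> dict:
    """What a leaked unsalted table looks like: user -> hash."""
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def store_salted(accounts: dict) -> dict:
    """What a leaked salted table looks like: user -> (salt_hex, hash)."""
    table = {}
    for user, pw in accounts.items():
        salt = secrets.token_bytes(16)  # fresh random salt per account
        table[user] = (salt.hex(), salted_hash(pw, salt))
    return table


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Hash each candidate once, then match it against every account at once.
    Work is len(wordlist) hashes no matter how many accounts leaked."""
    lookup = {}
    work = 0
    for cand in wordlist:
        work += 1
        lookup[unsalted_hash(cand)] = cand
    cracked = {user: lookup[h] for user, h in stored.items() if h in lookup}
    return cracked, work


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """Every (account, candidate) pair needs its own hash because the salt
    differs per account. Work is len(stored) * len(wordlist) hashes."""
    cracked = {}
    work = 0
    for user, (salt_hex, h) in stored.items():
        salt = bytes.fromhex(salt_hex)
        for cand in wordlist:
            work += 1
            if hmac.compare_digest(salted_hash(cand, salt), h):
                cracked[user] = cand
    return cracked, work


def verify(stored: dict, user: str, password: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt_hex, h = stored[user]
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, h)


if __name__ == "__main__":
    plain = store_unsalted(ACCOUNTS)
    salted = store_salted(ACCOUNTS)
    print("unsalted: alice and carol share a hash:", plain["alice"] == plain["carol"])
    print("salted:   alice and carol share a hash:", salted["alice"][1] == salted["carol"][1])
    print("unsalted crack (cracked, hashes computed):", crack_unsalted(plain, WORDLIST))
    print("salted crack   (cracked, hashes computed):", crack_salted(salted, WORDLIST))
```

Against the unsalted table the attacker computes five hashes and recovers three accounts; against the salted table the same wordlist costs twenty hashes, one per account per guess, and the two users who chose "hunter2" no longer share a stored value. Note what the salt does not do: it makes no single guess slower, so a weak password still falls quickly. That is the job of a deliberately slow password hash such as bcrypt, scrypt or PBKDF2, which is why the article's advice to use unique passwords still matters even when a site salts correctly.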
  4. colmshan1990
    Member
    Since: Apr 2009

    I wonder how the internet will treat this, after the reaction to Sony’s breach earlier in the year.
    I smell another dose of internet hypocrisy around the corner.

    When will people learn, it is the hackers, not the company hacked, that is at fault when a company gets hacked?

    Comment posted on 10/11/2011 at 23:28.
    • zb100
      Member
      Since: Aug 2008

      On the flipside though, given the preference developers have these days for “online passes” & “online DRM” – surely this is an argument against promoting online only play?

      Comment posted on 10/11/2011 at 23:37.
      • zb100
        Member
        Since: Aug 2008

        PS I agree with your point though, it’s not Steam’s fault that they’ve been targeted.

        Just highlighting that they won’t be the only ones & with more developers aggressively pushing online play, they are in turn making themselves targets…

        Comment posted on 10/11/2011 at 23:39.
      • colmshan1990
        Member
        Since: Apr 2009

        To be honest, I’m not sure we could go back to the days of no online play.
        Now we’ve had it, and it’s been successful, it’d be like closing Pandora’s Box.

        Although I wish it didn’t have to kill my glorious local multiplayer… :(

        Comment posted on 10/11/2011 at 23:56.
      • zb100
        Member
        Since: Aug 2008

        True on both counts.

        Just hoping this might stem the flow of single-player online only activations & DRM.

        Comment posted on 11/11/2011 at 00:10.
    • teflon
      Community Team
      Since: May 2009

      It took them a few days to investigate, but Gabe’s come out, been frank, clear, and reassured everyone. On face value, then, this is a much smaller and less significant breach compared to the PSN hack.

      Firstly, everything has been encrypted to a higher degree. Secondly, Steam Guard is a simple system, by which you authenticate your account being accessed on new devices via email, along with account changes. So a hacker has to hope you’ve used the same password for both the Steam forums, Steam and your email account. Lastly, card details were encrypted too.

      So on the face of it, change your passwords, and then just be aware of what’s going out of your bank account. Business as usual, then.

      Comment posted on 11/11/2011 at 01:06.
      • Uhyve
        Member
        Since: Sep 2008

        I’m fairly certain that the thing that worried most people in the PSN hack was that they wouldn’t confirm that anything was encrypted for such a long time. Seriously, go back and look at the original PSN hack release, no word of encryption. According to Google, that news came in a blog post about one week later.

        Comment posted on 11/11/2011 at 02:12.
      • Uhyve
        Member
        Since: Sep 2008

        After some Googling, I was remembering slightly wrong, there was only a two day gap between the press release and the blog post. I assumed that the press release would’ve been released sooner than that. Apparently it went:

        Hacked: 17th April
        PSN Down: 20th April
        ‘Some stuff may have been leaked’ release: 26th April
        Blog post: 28th April
        ‘Yeah, definitely got some stuff’ release: 4th May
        PSN fully back: 15th May

        Comment posted on 11/11/2011 at 02:36.
      • JesseDeya
        Member
        Since: Jan 2010

        I’m sorry teflon but I don’t get how this is any different to what Sony did – yet they copped an absolute earful from gamers around the world.

        - Sony took 3 days to advise of the intrusion, Valve took 3 days to advise of the intrusion.
        - Sony had credit card information encrypted, Valve had credit card information encrypted.
        - Sony had passwords hashed, Valve had passwords hashed.
        - Sony had 77 million accounts, although many duplicates so likely < 1/2 that number of real accounts. Steam had 25 million user accounts at the start of this year and is growing at 25% per year, so should be around 30+ million by now.

        Explain to me how "this is a much smaller or less significant than the PSN hack"?

        Explain to me how "everything has been encrypted to a higher degree"?

        Steam Guard doesn't do anything to stop hackers from using the information they have accessed directly, it just means they probably won't be able to activate your account on their computer. If they are after personal information for ID theft they don't need to activate your account, they already have that data from this intrusion.

        You're right, Newell has been clear and frank – but you would hope they would learn SOMETHING from Sony's confusing initial communication problems, because clearly they didn't learn about security.

        Comment posted on 11/11/2011 at 03:28.
      • KeRaSh
        Member
        Since: Nov 2009

        If Uhyve’s info is accurate then it took Sony 9 days to release a statement that something was actually taken and then another two to confirm that CC info was encrypted. I’d say the Steam hack was communicated much better than the PSN one. At least that is how I feel about it.

        Comment posted on 11/11/2011 at 07:21.
      • JesseDeya
        Member
        Since: Jan 2010

        Most people didn’t get the timeline right even back then, so it’s going to be even more ‘conveniently’ exaggerated as time goes on.

        Sony detected on or around the 19th that there had been intrusion attempts between the 17th and 19th. They took the PSN down immediately and on the 20th they posted on their blog that there were problems with the PSN and it was down for maintenance.

        At the same time, they were investigating to see what had occurred. On the 21st April they said:

        “As you are no doubt aware, the current emergency outage is continuing this afternoon and all Sony Online Network services remain unavailable. Our support teams are investigating the cause of the problem, including the possibility of targeted behaviour by an outside party. If the reported Network problems are indeed caused by such acts, we would like to once again thank our customers who have borne the brunt of the attack through interrupted service.
        Our engineers are continuing to work to restore and maintain the services, and we appreciate our customers’ continued support. For further information, please refer to updates on PlayStation.com, here on PlayStation.Blog and via our @PlayStationEU twitter feed.”

        Further updates occurred daily on the blog, this on the 23rd:

        “An external intrusion on our system has affected our PlayStation Network and Qriocity services, In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services on the evening of Wednesday, April 20th. Providing quality entertainment services to our customers and partners is our utmost priority.

        “We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share.”

        On the 26th they made a clear statement that was overly cautious (as it turns out) but warned everyone that they couldn’t yet rule out what had and hadn’t been accessed.

        http://blog.eu.playstation.com/2011/04/26/psnqriocity-service-update/

        Yes, it could have been handled better – but Sony was the first of the big gaming giants to be hit, and they learnt the hard way what to do and not to do. Overall I thought they handled it ok, despite coming under massive public and governmental scrutiny.

        As for Valve, with the benefit of hindsight and seeing all these other companies get targeted, is -how- did they allow this to happen and -why- did they still take 3 days to either detect it or get the message out? It’s almost like every single company assumes it won’t happen to them, until it does.

        I wonder, will the US Government get involved here as they did with Sony? I doubt it – hypocrites.

        Comment posted on 11/11/2011 at 09:04.
      • Tuffcub
        On the naughty step.
        Since: Dec 2008

        I agree with JesseDeya, pretty much identical to the PS3 hack in terms of time and what was stolen, it’s certainly not a “smaller and less significant breach”

        Comment posted on 11/11/2011 at 09:04.
      • KeRaSh
        Member
        Since: Nov 2009

        I don’t know what the fact that Sony was the first big gaming company that got targeted by hackers has to do with anything. Companies, no matter what their business is, got targeted in the past. By that logic every company except the first one should be smart enough to secure their systems sufficiently. With the Sony hack it just took too long to get the relevant data out. Was the data encrypted or not? No matter if they knew what was accessed and what wasn’t. This was something that they were certain about and people wanted to know. There was a lot of PR talk and not enough hard facts. Valve came forward after 3 days and flat out confirmed that the CC info was encrypted whether it was accessed or not. Now I don’t have to check my bank account twice a day.

        Comment posted on 11/11/2011 at 09:32.
      • JesseDeya
        Member
        Since: Jan 2010

        I don’t buy it KeRaSh, all the concern over encryption is largely moot.

        For starters, it’s a legal requirement for them to store CC details encrypted. Sony do it and Valve do it, when the Sony PSN story hit I (like all the smart people in the world) assumed the CC details would have been encrypted. I also knew that I’m protected against credit card fraud, and that my bank would most likely block any suspicious activity and notify me (which they do regularly even when I make legit purchases overseas).

        The ONLY reason people got their knickers in a knot about Sony not explicitly stating the CC details were encrypted straight up was because some -expletive- hacker wannabes were pushing around bogus chat logs that suggested CC details were sent and stored in plain text by the PS3. This turned out to be complete horse manure (as we now know).

        You’re absolutely right that Sony wasn’t the first big company to be hacked – a point that was apparently lost on the world’s media at the time – but the numbers (77 million accounts) made it one of the worst breaches in history. Here is Steam, with ~30million accounts and no one seems to be bothered looking up from their toast and morning paper.

        My final point is that in the PSN hack, and in this one, CC details should be the least of people’s concerns (for the reasons mentioned above). It’s your other details that will be used for ID theft or phishing scams in future – and they weren’t encrypted.

        Comment posted on 11/11/2011 at 09:51.
      • KeRaSh
        Member
        Since: Nov 2009

        I know that it is a requirement for companies to encrypt CC details but after not getting confirmation from Sony for over a week you should understand that people got nervous, especially since there were rumors that regular user data was stored in plain text. I don’t want to bash Sony or anything. The PSN hack is a thing of the past and nothing happened to me personally, but I’m sure I’m not the only one who thinks that the Valve hack has been handled much better in terms of communicating with the media than the PSN hack.

        Comment posted on 11/11/2011 at 11:17.
      • Scythegpd
        Member
        Since: Jul 2010

        Another thing I found amusing about the PSN hack and the reaction of a lot of people and media outlets:

        77m user accounts existing ==> No way have Sony sold 77m PS3s, I have x accounts myself, not to mention the PS3s that aren’t online and the ones for broken/sold machines, probably half, at best, of those accounts are active, PS3 is a failure

        77m user accounts hacked ==~> OMFG the world is about to explode, 77m individual people have had their details stolen, every single account must be active and have up to date details, aaargh MELTDOWN!!!! PS3 is a failure.

        Just seems to be the “one rule for one, one rule for another” approach that’s been consistently applied in many mainstream media outlets pretty much since the start.

        Comment posted on 11/11/2011 at 11:51.
    • Kaminari
      Member
      Since: Jan 2010

      No. The company you entrust your personal details with STILL has an obligation of security, and clearly Steam failed in that regard as much as Sony did.

      In terms of online security, there is no such thing as fatality. Hackers will hack, sure. But whether they operate from their garage or for the mafia, it doesn’t matter. Technologies and procedures DO exist in order to efficiently prevent these thefts. Companies which don’t apply them are lazy and irresponsible.

      Comment posted on 11/11/2011 at 17:27.
  5. TheDemocrodile
    Member
    Since: May 2010

    yet another password change for me….bastards

    Comment posted on 10/11/2011 at 23:29.
  6. gazzagb
    Master of speling mitakse
    Since: Feb 2009

    Changed my password, luckily only my old card details were stored.

    Comment posted on 10/11/2011 at 23:43.
    • zb100
      Member
      Since: Aug 2008

      It’s a good argument to use PayPal rather than storing any card details at all.

      “Paypal users will find a message from…”
      NOOOOOOOOOOOOOOOOOOO!!!

      Comment posted on 10/11/2011 at 23:51.
      • KeRaSh
        Member
        Since: Nov 2009

        I only used Paypal once when it started gaining popularity and my account got hacked within a few days and the hacker tried to access around 3000€ from my bank account which wasn’t possible because back then I couldn’t go below 0 but it was still scary and took three weeks to get it sorted with Paypal support. I used a strong unique password…
        I’m not going near that service ever again.

        Comment posted on 11/11/2011 at 07:25.
      • stonyk
        Member
        Since: Dec 2009

        @KeRaSh
        Me too. I was screwed over by Paypal and had to pay up for it. They then emailed me a few weeks later to say “we noticed you had an unfortunate incident recently with your account. Why not pay x amount monthly to get protected”….
        Never using it again. At least when money was taken unauthorised from my bank account they paid it back.

        Comment posted on 11/11/2011 at 08:59.
      • zb100
        Member
        Since: Aug 2008

        Yikes. I thought PP was pretty safe.
        Thanks for letting me know otherwise!

        Comment posted on 11/11/2011 at 09:45.
  7. Sympozium
    Member
    Since: Aug 2009

    Well time to change my name to Bob McBobbett, I feared this from the start so freaking sad

    I’m sure that I signed to the forums but that was years ago.

    Comment posted on 10/11/2011 at 23:48.
  8. bacon_nuts
    Member
    Since: Mar 2011

    No! Steam :( takes the piss. If I only knew the hackers…

    Comment posted on 11/11/2011 at 00:16.
    • bacon_nuts
      Member
      Since: Mar 2011

      p.s. Just booted up and nothing special appeared..!?

      Comment posted on 11/11/2011 at 00:19.
      • scavenga
        Member
        Since: Jul 2009

        Not on my end either, and I can’t even find where to change my password.

        Comment posted on 11/11/2011 at 07:45.
      • scavenga
        Member
        Since: Jul 2009

        Oh, there it is – in the application menu, and not in the app itself. Sorry.
        Didn’t receive any heads up about the hack any other place than on the forum sign in page, though

        Comment posted on 11/11/2011 at 07:50.
  9. MayContainEvil
    Member
    Since: Feb 2011

    Oh cock. Well I guess it’s a good thing there’s almost no money on my debit card at the moment. To think I was complaining about being poor just the other day…

    Comment posted on 11/11/2011 at 00:50.
  10. D-Nichol
    Member
    Since: Dec 2008

    bastards…not cool. I’ve got that many passwords these days it’s impossible to remember them all

    Comment posted on 11/11/2011 at 00:55.
    • teflon
      Community Team
      Since: May 2009

      There’s quite a few password lockers out there. They’ll hook into your web browser, letting you auto-fill login forms, and tend to offer incredibly strong encryption on your end too. Then you just need to use the one password to unlock the locker, and log in to whatever website.

      They’re also useful, in that many will generate randomised passwords for you too.

      Comment posted on 11/11/2011 at 01:10.
