Valve Announces Massive Steam Server Intrusion

SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."

Re:Hilarity

[ewanm89]

Well steam fundamentally different from sony:
1. No-one told you you had to store credit card details in steam, they support paypal which prevents this being an issue.
2. At least they told their users in a prompt manner.
3. It sounds like the information was properly encrypted and stored, this did not sound true with Sony.

Re:Hilarity

[gman003]

There was much miscommunication last time - a Sony executive said the credit card info was unencrypted. Which immediately launched a massive wave of "WTF?" from everyone with even a passing knowledge of security.

There's also the fact that the intrusion targeted the Steam forums, which have distinct accounts from Steam itself. People probably use the same password on both (I think I might've), but it's still slightly better.

And you can't forget the main difference - people can still play their games. During the Sony hacks, people were locked out of online play for quite some time. And people (being stupid) care more about getting their CoD on than not getting their credit cards stolen.

Still not unforgivable, but the fact that Valve is immediately going "we fucked up, we're trying to fix it, here's exactly what's going on" rather than Sony's "We are aware of outages but won't even say that we got hacked for several days". Honesty counts for a lot.

Re:Hey gabe

[kelemvor4]

Origin looks mighty tempting right about now.. with BF3 and all...

Sure, if you don't mind handing over an inventory of everything on your PC and letting origin do what they want with the information... http://decryptedtech.com/index.php?option=com_k2&view=item&id=257:eas-origin-may-be-a-little-too-intrusive&Itemid=138 [decryptedtech.com]

Re:Way to keep us informed?

[IICV]

The announcement also pops up after you stop playing a Steam game. Normally there's some ads when you do that, but currently the first thing that shows up is the text that Slashdot posted here. It's actually quite effective, because normally you get pictures and ads and things instead of a wall of text, so it stands out.

Re:Hilarity

[Kenja]

Unless you disabled the security checks, you can not log into steam from an untrusted computer. If you try to do so, you will be asked to enter a code that is emailed to the account holder.

Re:How hard are the passwords to crack?

[Beryllium Sphere(tm)]

No, each one is an independent problem.

None of the weaknesses that have been discovered in common hashes allow reversing them (which is in general impossible anyway since an infinite number of inputs could lead to the same hash, it's just infeasible to find them).

The "crack" is just high-speed testing of possible passwords. Modern cracking software is actually fairly sophisticated about trying substitutions on dictionary words.

Use a passphrase unless there's some stupid limit on password length.

Re:Hilarity

[Cyberllama]

Well, let's start with the fact that PSN intrusion was just one of 23 separate incidents for Sony within a time frame of just a couple of months.

Re:Hilarity

[Anonymous Coward]

You see i'm a bit bitter about entitlement complexed hackers stealing my info because sony wouldn't let them pirate games.

Then you'll be pleased to know that this is not in fact what happened.

Re:Way to keep us informed?

[X0563511]

as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases.

Sounds like you don't like this.
1. Steam Menu
2. Settings
3. Interface Tab
4. Uncheck the "Notify me..." box near the bottom

Re:Hilarity

[Gravatron]

Well, they stored passwords and CC info as encrypted, but so did Sony. It's just FUD that Sony stored everything in clear text.

Re:Way to keep us informed?

[Anubis IV]

Sony was quite public about it, what are you talking about?

They may have been public about the fact that there was a breach, but they were incompetent in their handling of it. And based on my e-mail archives, they never fully informed their customers of the extent to which the intruders compromised their servers. Specifically, Sony only sent out two e-mails related to the PSN outage to all of their customers: one on April 28th to say that accounts had been compromised, but that there was no evidence of credit cards having been compromised at that time, and another on June 5th to announce the Welcome Back package. From what I can tell, there was NEVER a mass e-mail to inform their PSN customers that credit card information had, in fact, been stolen, nor did they ever send out a mass e-mail to announce their identity theft protection program (or maybe I just didn't get it because I signed up for it before they sent it?).

Here's a complete timeline including other announcements besides e-mails:
January or February 2011 - Sony is told by security experts specifically why their server security sucks [slashdot.org]
Early April - Various PSN outages, some because of planned Anonymous DDoS attacks
April 17th-19th - PSN compromised (source: Sony's April 28th e-mail)
April 21st - PSN goes down as Sony realizes something is up
April 23rd - Sony blames outage on external intrusion [slashdot.org]; makes no mention of compromised accounts
April 24th - Sony starts "rebuilding" PSN after attack [slashdot.org]; still no mention of compromised accounts
April 26th - Sony admits that someone may have some account information for their 77M accounts [slashdot.org]
April 27th - Sony confirms that some data was stolen [slashdot.org]
April 28th - First e-mail to customers gets sent; says there is no evidence yet of credit cards having been compromised
May 1st - Sony confirms that 10M users had credit cards compromised [slashdot.org]; promises PSN up by week's end [slashdot.org] (spoiler: it didn't happen); doesn't send an e-mail
May 2nd - SOE goes down after they realized it was compromised too [slashdot.org]
May 3rd - Sony admits 24.6M SOE accounts were compromised [slashdot.org]
May - Lots more drama as Sony makes promises to have PSN up but then reneges on them repeatedly
June 2nd - PSN finally comes back up [latimes.com]
June 5th - Second e-mail to customers gets sent; tells them that the Welcome Back package is now available; makes no mention of credit cards, identity theft, or how to sign up for their free identity theft protection program

I'd hardly call it a model to follow, and I'm still hoping that Valve will make a point of e-mailing their users in the next few days. It's fine to take a few days for something like this while you track down the details, but it does need to get done properly at some point. Sony never did it properly.

Re:Hey gabe

[Ant P.]

Yeah, so far Valve's credit card database has been stolen, but EA customers are the ones getting money stolen from their bank accounts [reddit.com].

Re:DRM rocks!

[artor3]

Liar. If you try to start Steam without an internet connection, it pops up a window with two options "Retry" and "Start in Offline Mode". You absolutely do not need to go into offline mode ahead of time. Did you really think no one would catch that lie?

Re:How hard are the passwords to crack?

[Anonymous Coward]

The passwords are hopefully stored in one way non-reversible hashes, not encrypted. There is no decrypt, even with the salt. To compare a password, you would compare a hash of the entered data with the hash that's in the database and see if they match.

To get the password, you'd have to find a same grouping of letters that creates the same hash as the password, which takes forever as they aren't reversible (We're also assuming the passwords aren't hashed using a compromised hashing algorithm). Rainbow tables are generated to provide a quick way around this; they're basically a list that says this password = this hash. So they can just look up the hash in the table and grab the password. Adding a salt makes those common rainbow tables useless as the hashes won't match the ones in the database, so the hackers would have to generate their own tables. This is very time consuming, even if they had the salt. In addition, as a 3rd level of complexity, even if the salt was stored right next to the password in the database, but unique for each account, the hackers would need to create a rainbow table for each account to retrieve a matching hash.

Those devs aren't (always) dipshits.

Re:Proper back end hashing and encryption?

[icebraining]

Uh, no. Sony stored over 1M password in cleartext.

http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html [troyhunt.com]

Re:Hilarity

[tomstockmail]

Then screw heresy, here's the actual source [playstation.com].

One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.

Re:Proper back end hashing and encryption?

[MagusSlurpy]

Don't forget the 12,700 credit card numbers stored in cleartext. But that's no biggie, because only a thousand of them were still active Sony customers.

Re:Hilarity

[DarwinSurvivor]

Our family plays on PSN regularly and we have NEVER given Sony any CC numbers. We even bought a couple games later on, also without cc (7-11 gift certificate).

Re:Way to keep us informed?

[Cl1mh4224rd]

They did? I never got that one myself.

I did. I had completely forgotten about it until I read The MAZZTer's comment. I kind of shrugged it off as the usual email spoofing, but it still seemed odd at the time that it made it through Google's spam filter.

The email, with redactions by me:

Subject: Come join [redacted], a gaming resource community
From: webmaster@steampowered.com

Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks? Visit [redacted]. It's safe, secure and undetected.

Along with hacks, we've also got some general discussion sections, hacking tutorials and tools, porn, free giveaways and much more. This site has been conditioned to meet all your needs in terms of resources so be sure to take a look and tell us what you think.

Thanks again,
the [redacted] team.

Re:Hilarity

[Daetrin]

It took about 5-10 minutes of searching to find the exact reference, but here you go. [gamingunion.net]

So technically speaking the passwords _weren't_ encrypted. I remember when that bit of news came my friends and i were all very curious to know what kind of salt (if any) they were using, but we're all geeks at a software company so we're a bit more clued in about such things. In fact i don't remember if the salt question ever got answered.

As for why it keeps getting brought up, especially in this thread, it's because people keep asking why Sony was treated more harshly than Valve seems to be getting treated now. The answer is that Sony took forever to say anything about what was going on [wikipedia.org] and the made a habit of releasing partial bits of information, some of which were confusing or misleading. The encryption issue is just one of those bits the handling of which upset people.

PSN was hacked between April 17th and 19th. It took a day or three before they shut down the servers without saying a word. It was three more days [slashdot.org] before they admitted there had been a data intrusion, and another three days [slashdot.org] before they admitted that user data had been compromised and days more before they admitted that personally identifiable information had been compromised.

If Valve starts dribbling out more bits of previously unrevealed information over the next few weeks (not just details on the aspects they've already confirmed) then the amount of goodwill currently being displayed will erode very fast.

Most of us don't feel that it's possible to prevent all security intrusions, but it is possible for companies to be responsible and forthright about it when it happens.

Re:Hilarity

[Kalriath]

Not entirely true - some credit card merchant gateways permit you to tokenize the credit card info and re-charge them without ever re-sending (or storing) the details. In these cases, the merchant only ever sees your details once - when they send them in to be tokenized. And the token is also usable only by the original merchant - so the worst a hacker could do with it is forcibly give your money to the merchant.

Re:DRM rocks!

[zigmeister]

No he's probably not lying. I've had the exact same problem. I'll explain it as best I can (I don't know why it happens):

Your computer is connected to the 'net with steam running. You shut down steam, disconnect from the internet completely, then restart steam. Then steam does all kinds of weird shit like it claims it's updating itself or "connecting"... after a while it finally pops up and says I can't connect to to a steam server what would you like to do? 1) Retry 2) Start in Offline Mode. Select option 2 (obviously) then steam says it's "connecting" (sigh) again, then it says something like could not connect to a steam server at this time. The only option is to close the window.

As far as I can tell the workaround to play in offline depends on the game. For all games this was required: start steam with a working internet connection, select go/restart into offline mode while connected to the internet, then quit steam, then disconnect from the internet completely, then start steam in offline mode normally at your leisure. That worked for most games but it was also incredibly annoying; the buddies I LAN with don't have a 'net connection and I forgot to go through this process before going over once or twice.

For some games (The Orange Box falls into this category) I had to have the game updated, then start the game while connected to the internet IF it had been updated since it was last played, then go through all the normal stuff I listed above. If I didn't do all of this the game would not start in offline mode even if steam would. Yet more games completely refused to start and I never figured out how to workaround that (none of the above worked.)

For the GPs sake: I managed to fix the issue by uninstalling steam then nuking the contents of the steam folder on the drive. But it still does some weird shit but w/e. Also I haven't bothered reporting or complaining because I have heard that Valve ignores complaints about offline mode not working so...

Fraudulent transaction on my credit card

[gregrah]

Not sure if this is a coincidence, but the credit card that I had on file with Steam got billed with a fraudulent charge on Nov 6. Any other steam users experiencing anything like this?