Valve Announces Massive Steam Server Intrusion
SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.'"
Hey gabe (Score:4, Interesting)
Re:Way to keep us informed? (Score:2, Interesting)
Funny you should say that - I just logged into steam and had that message pop up as the first thing it did, good luck getting any cash out of my account though - I max it the day I get paid :-D
Re:Hilarity (Score:5, Interesting)
Couple of big differences in this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:
1. Completely shut down the service for a week with no explanation.
2. Keep the service offline for an additional month after admitting that they had been compromised.
3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breach.)
5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.
I think that about covers the differences.
PCI standards (Score:2, Interesting)
It sounds to me like they don't have a clue how many servers were compromised, so I'll just go ahead and assume the hackers have the encryption key for the CC data and salt for the hashes. Now a simple rainbow table is required and then the hackers have your password/email - hope you don't use the same password on your banking site! Valve's way of saying "thanks for using Steam".
Re:Way to keep us informed? (Score:4, Interesting)
They HAD to do so eventually, but the point is they went into denial mode for weeks before admitting the fuckup.
Re:Hilarity (Score:3, Interesting)
Be warned, the following is only hearsay:
The CC info was encrypted in the database, and Sony used a separate internal-facing server to handle credit card transactions. The problem is, the transaction server wasn't configured properly; unencrypted credit card numbers and billing information were being recorded in Apache logs.
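The failure mode this comment describes, card numbers landing in plain text in web-server logs, is one that a log-scrubbing filter can catch before the logs are written out or shipped. The following is an added Python example, not code from the thread or from Sony or Valve: it flags Luhn-valid 13 to 19 digit sequences in Apache-style lines and masks everything but the last four digits. The log lines are constructed, and the card number in them is the common 4111... test number, not a real card.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# starting and ending on a digit.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with a marker keeping only the last four digits."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # order ids, timestamps etc. that merely look like a PAN stay untouched
        return f"[PAN-REDACTED-{digits[-4:]}]"
    return PAN_CANDIDATE.sub(_mask, line)


# Constructed sample log lines (the 4111... number is a well-known test number, not a real card).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2011:02:14:07 +0000] "POST /checkout?card=4111111111111111&exp=1213 HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Nov/2011:02:14:09 +0000] "GET /order/4111111111111112 HTTP/1.1" 200 88',
    '10.0.0.6 - - [07/Nov/2011:02:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def scan_log(lines):
    """Return (redacted_lines, number_of_lines_that_contained_a_PAN)."""
    out, hits = [], 0
    for line in lines:
        clean = redact_pans(line)
        if clean != line:
            hits += 1
        out.append(clean)
    return out, hits


if __name__ == "__main__":
    cleaned, count = scan_log(SAMPLE_LOG)
    print(f"{count} line(s) contained a card number")
    print("\n".join(cleaned))
```

The Luhn check is what keeps the filter from mangling every long numeric field; roughly one random 16-digit order id in ten will still pass it, so a production filter would also key on field names such as `card=`. The better fix is, of course, never to log the request body of a payment endpoint at all.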
This sounds familiar (Score:2, Interesting)
You might have thought that getting burned badly once already [cnn.com] might have led to a renewed emphasis on security and a commitment to best practices in securing important data. Huh. I guess the "can't happen here" clock must have reset already (as well it might have, since I only see one other comment here on Slashdot, of all places, indicating that anyone else remembered the kerfuffle over the Half-Life 2 source theft).
Re:Hilarity (Score:2, Interesting)
Well, the PSN network requires you register a credit card to make any real use of it (like playing games online, for example). This card must be registered directly with Sony.
Steam, by contrast, accepts PayPal, which is a financial institution with appropriate levels of security for such storage.
So yes, they did tell you to store your credit card details with them.
Unencrypted passwords (Score:5, Interesting)
All you need to see about EA's security is how they deal with "lost passwords".
Last time I did a lost password request with EA, they happily sent me my password in email. No, not a "password reset request", but my actual password.
This tells me that:
a) They're dumb enough to send passwords in plaintext via email
b) They're dumb enough to store plaintext-retrievable passwords instead of doing a hash comparison.
FAIL!
Re:Hilarity (Score:5, Interesting)
My account was among those compromised. (Score:5, Interesting)
Got hit with this one!
On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone had been playing Team Fortress 2 on it the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy (www.crazy_denis@mail.ru) demanding that I put the passwords back so he can use the account he bought and paid for. Used Google Translate into Russian, sometimes Ukrainian, to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today the Slashdot story breaks about Steam being compromised. I wasn't the only one, I guess!
PasswordMaker - Storage-less and per-site unique hash based password scheme
Changing all my passwords now to a PasswordMaker [passwordmaker.org] scheme for unique passwords for every single site based on a storage-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used and generate the same password every time that is unique, and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, or programming language since this app has been ported to practically everything.
I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba", using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only 32 hex (0-9a-f) characters, but that should be random enough, or you can do sha1sum instead for a little longer hash string.
Here's the conversation for all of you.
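The following added Python example (mine, not the commenter's and not PasswordMaker's own code) implements both derivations described in the post above: the `echo MASTER SITE | md5sum` form, including the trailing newline that `echo` adds to the hashed input, and a slower PBKDF2-HMAC-SHA256 variant with a PasswordMaker-style character set and length limit. The character set and iteration count are assumed parameters, not PasswordMaker's defaults.

```python
import hashlib
import string

# Assumed parameters for the example (not PasswordMaker's real defaults).
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"
ITERATIONS = 100_000


def md5_echo_style(master: str, site: str) -> str:
    """Reproduce `echo MASTER SITE | md5sum`.

    echo appends a newline, so the newline is part of the hashed input; hashing
    the string without it gives a different (wrong) 32-character result.
    """
    return hashlib.md5(f"{master} {site}\n".encode("utf-8")).hexdigest()


def derive_site_password(master: str, site: str, length: int = 20) -> str:
    """Slow-KDF variant: PBKDF2 keyed by the master password, salted with the
    site name, mapped onto CHARSET and cut to the requested length."""
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), site.encode("utf-8"), ITERATIONS, dklen=length
    )
    # Modulo mapping is slightly biased when len(CHARSET) does not divide 256;
    # acceptable for illustration, a real tool would use rejection sampling.
    return "".join(CHARSET[b % len(CHARSET)] for b in raw)


if __name__ == "__main__":
    master = "MyPassword69!"          # constructed example value
    for site in ("slashdot.org", "store.steampowered.com"):
        print(site, md5_echo_style(master, site), derive_site_password(master, site))
```

Both functions are deterministic and site-unique, which is the property the post wants. The caveat for the MD5 form is that a site password leaked in clear, together with the obvious site name, lets an attacker test master-password guesses offline at MD5 speed; the PBKDF2 variant raises that cost by a large constant factor but does not change the fact that one master secret still backs every account.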