Valve Announces Massive Steam Server Intrusion

Posted by samzenpus
from the save-my-game dept.
SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.'"
  • Hey gabe (Score:4, Interesting)

    by Anonymous Coward on Thursday November 10, 2011 @08:04PM (#38017918)
    As a show of good will, how about something extra? We trusted steam, now they have our encrypted credit card info and billing addresses. Origin looks mighty tempting right about now.. with BF3 and all... =)
  • by Anonymous Coward on Thursday November 10, 2011 @08:16PM (#38018038)

    Funny you should say that - I just logged into steam and had that message pop up as the first thing it did, good luck getting any cash out of my account though - I max it the day I get paid :-D

  • Re:Hilarity (Score:5, Interesting)

    by Moheeheeko (1682914) on Thursday November 10, 2011 @08:19PM (#38018076)
    The fact that all evidence suggests that all credit card info was unencrypted on the Sony server. And no, Sony didn't announce shit until the network had been down for 2 weeks; up until that point they just claimed "maintenance".
  • Re:Hilarity (Score:5, Interesting)

    by Anonymous Coward on Thursday November 10, 2011 @08:22PM (#38018124)

    Couple of big differences in this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:

    1. Completely shut down the service for a week with no explanation.
    2. Keep the service offline for an additional month after admitting that they had been compromised.
    3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
    4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breach.)
    5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
    6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.

    I think that about covers the differences.

  • PCI standards (Score:2, Interesting)

    by Coolhand2120 (1001761) on Thursday November 10, 2011 @08:42PM (#38018332)
    Like most other "too big to obey rules" companies, Valve just ignores PCI [pcisecuritystandards.org] standards for keeping credit card information. PCI standards require that adherents not keep credit card information in a digital format, making it impossible to steal. Of course Valve can't be bothered to allow the annoyance of filling out a credit card form to break the urge to buy their [another person's] software. Now if you've ever used Steam your credit card data is most likely compromised.

    It sounds to me like they don't have a clue how many servers were compromised, so I'll just go ahead and assume the hackers have the encryption key for the CC data and the salt for the hashes. Now a simple rainbow table is required and then the hackers have your password/email - hope you don't use the same password on your banking site! Valve's way of saying "thanks for using Steam".
  • by koolfy (1213316) <koolfyNO@SPAMgmail.com> on Thursday November 10, 2011 @08:43PM (#38018340) Homepage Journal
    Of course they did.... two weeks after downing PSN claiming it was for maintenance.

    They HAD to do so eventually, but the point is they went into denial mode for weeks before admitting the fuckup.
  • Re:Hilarity (Score:3, Interesting)

    by Unoriginal_Nickname (1248894) on Thursday November 10, 2011 @09:03PM (#38018504)

    Be warned, the following is only hearsay:

    The CC info was encrypted in the database, and Sony used a separate internal-facing server to handle credit card transactions. The problem is, the transaction server wasn't configured properly; unencrypted credit card numbers and billing information were being recorded in Apache logs.

  • This sounds familiar (Score:2, Interesting)

    by ScuzzMonkey (208981) on Thursday November 10, 2011 @09:07PM (#38018540) Homepage

    You might have thought that getting burned badly once already [cnn.com] might have led to a renewed emphasis on security and a commitment to best practices in securing important data. Huh. I guess the "can't happen here" clock must have reset already (as well it might have, since I only see one other comment here on Slashdot, of all places, indicating that anyone else remembered the kerfuffle over the Half-Life 2 source theft).

  • Re:Hilarity (Score:2, Interesting)

    by artfulshrapnel (1893096) on Thursday November 10, 2011 @09:38PM (#38018736)

    Well, the PSN network requires you register a credit card to make any real use of it (like playing games online, for example). This card must be registered directly with Sony.

    Steam, by contrast, accepts PayPal, which is a financial institution with appropriate levels of security for such storage.

    So yes, they did tell you to store your credit card details with them.

  • by phorm (591458) on Thursday November 10, 2011 @09:40PM (#38018754) Journal

    All you need to see about EA's security is how they deal with "lost passwords"

    Last time I did a lost password request with EA, they happily sent me my password in email. No, not a "password reset request", but my actual password.
    This tells me that:
    a) They're dumb enough to send passwords in plaintext via email
    b) They're dumb enough to store plaintext-retrievable passwords instead of doing a hash comparison.

    FAIL!
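    An added example, not code from any commenter, Valve or EA, showing the server-side practice the two comments above circle around: Coolhand2120's point about the salt and rainbow tables, and phorm's point about hash comparison versus retrievable passwords. It uses PBKDF2 from Python's standard library with a random per-user salt; the record format and the iteration count are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; a constructed value for this example,
# kept modest so the example runs quickly.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'.

    The salt is a fresh 16-byte random value per user, stored beside the
    hash. It is not a secret: its job is to make every user's hash unique,
    so an attacker who steals the table (salts included) cannot reuse one
    precomputed table across all users."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Hash comparison: recompute with the stored salt and compare in
    constant time. Nothing in `stored` lets the service recover the
    original password, so it cannot be emailed back to a user."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def records_identical_for_same_password(password: str) -> bool:
    """Two users with the same password get different records because the
    salts differ; one rainbow table therefore covers at most one user.
    A single global salt would not give this property."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample password
    print(record)
    print("verify ok:", verify_password("correct horse", record))
    print("wrong pw :", verify_password("correct horse!", record))
    print("same record for same password:", records_identical_for_same_password("hunter2"))
```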

  • Re:Hilarity (Score:5, Interesting)

    by Baloroth (2370816) on Thursday November 10, 2011 @09:45PM (#38018794)
    In fact, this is why I have decided not to change my Steam password. If I get a notification that someone tried to access it, I know the password was compromised, and can act accordingly.
  • by JakFrost (139885) on Thursday November 10, 2011 @10:26PM (#38019052)

    Got hit with this one!

    On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone had been playing Team Fortress 2 on it the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy (www.crazy_denis@mail.ru) demanding that I put the passwords back so he can use the account he bought and paid for. Used Google Translate into Russian, sometimes Ukrainian, to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today the Slashdot story breaks about Steam being compromised. I wasn't the only one, I guess!

    PasswordMaker - Storage-less and per-site unique hash based password scheme

    Changing all my passwords now to a PasswordMaker [passwordmaker.org] scheme for unique passwords for every single site, based on a storage-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used, and you generate the same password every time; it is unique and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, or programming language since this app has been ported to practically everything.

    I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.

    Here's the conversation for all of you.

    From: [mailto:www.crazy_denis@mail.ru]
    Sent: Monday, November 07, 2011 11:03 PM

    Crazy Denis: You bitch Give me my account is steam which I bought yesterday! will not come back you will have problems moshenik fucking

    JakFrost: I would kindly suggest you go and get another account from the source before you lose more than just money. To understand each.

    Crazy Denis: How do I get another account?

    JakFrost: Ask a guy who you got this one and get another one. This account is off limits.

    Crazy Denis: I wrote to him he was going to do nothing to write tehpoderzhku said there had already written an answer waiting for 24 hours
    damn well bring back pliz account you do what it's worth it

    JakFrost: What's the password for that account so that I could find one for you?

    Crazy Denis: Login: MyUsername Password: ********

    JakFrost: (No Reply)

    Crazy Denis: Well, I found?

    JakFrost: That is correct user name and password, but that account is currently blocked by Steam support of a security breach. I can not use it either, so it ruined for us both.

    Crazy Denis: Yes, all right there!, Today began to go wrong is led pishel password or an account is not suschustvuet

    JakFrost: I do not know, I get an error that the password is incorrect or the account has not been found.

    Crazy Denis: A registered on your soap the same account?

    JakFrost: No, it does not work.

    Crazy Denis: clear, damn well feel sorry for you and I were left wi
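An added example, not JakFrost's code or PasswordMaker's, implementing the storage-less per-site derivation the post above sketches (master password + site -> MD5 -> truncated hex, the `echo ... | md5sum` form), beside an assumed variant that uses PBKDF2 with the site name as salt so that a single site password leaked in clear, as in the story above, is expensive to turn back into the master. The charset mapping is an assumption for this example, not PasswordMaker's actual algorithm.

```python
import hashlib

# Assumed output alphabet for sites that refuse symbols (not PasswordMaker's own).
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def to_charset(raw: bytes, charset: str, length: int) -> str:
    """Map each digest byte onto one character of `charset` (assumed scheme;
    the small modulo bias is acceptable for illustration). `length` is
    capped by the digest size, 32 bytes for SHA-256."""
    return "".join(charset[b % len(charset)] for b in raw[:length])


def md5_site_password(master: str, site: str, length: int = 32) -> str:
    """The `echo "<master> <site>" | md5sum` form from the post: echo appends
    a newline, so it is part of the hashed input; the hex digest is cut to
    the site's length limit. MD5 is fast, so if one derived password leaks
    in clear, an offline search for the master behind it is cheap."""
    digest = hashlib.md5(f"{master} {site}\n".encode()).hexdigest()
    return digest[:length]


def kdf_site_password(master: str, site: str, length: int = 20,
                      charset: str = ALNUM, iterations: int = 200_000) -> str:
    """Same storage-less idea with a slow KDF: PBKDF2-HMAC-SHA256 over the
    master with the site name as salt, so each offline guess at the master
    costs `iterations` hash calls. Still deterministic: nothing to store,
    and the same master + site regenerates the same password anywhere."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), iterations)
    return to_charset(raw, charset, length)


if __name__ == "__main__":
    # Constructed sample inputs; the master here is the one quoted in the post.
    for site in ("slashdot.org", "example.com"):
        print(site, md5_site_password("MyPassword69!", site))
        print(site, kdf_site_password("MyPassword69!", site))
```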
