
Valve Announces Massive Steam Server Intrusion 434

Posted by samzenpus
from the save-my-game dept.
SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."
  • Hey gabe (Score:4, Interesting)

    by Anonymous Coward on Thursday November 10, 2011 @08:04PM (#38017918)
    As a show of good will, how about something extra? We trusted steam, now they have our encrypted credit card info and billing addresses. Origin looks mighty tempting right about now.. with BF3 and all... =)
  • by Anonymous Coward on Thursday November 10, 2011 @08:05PM (#38017922)

    Awesome. Sounds like they were doing things right.

  • Hilarity (Score:2, Insightful)

    by OverlordQ (264228)

    Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
    Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.

    Love to see the hivemind at work.

    • Re:Hilarity (Score:5, Insightful)

      by Anonymous Coward on Thursday November 10, 2011 @08:10PM (#38017974)

      The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

      • Re: (Score:2, Insightful)

        by Gravatron (716477)
        Sony announced it rather quickly, brought the network down till it was fixed, and gave everyone free games and a year of ID theft protection. What, exactly, was Sony's major problem in how they handled things?
        • Re:Hilarity (Score:5, Insightful)

          by ewanm89 (1052822) on Thursday November 10, 2011 @08:16PM (#38018042) Homepage
          Shall we go into how they fired their whole network security team the week before, or the fact that the attacks on Sony were orchestrated as a retaliatory strike on them for certain lawsuits (I'm not saying it's right)? It's just that there were lots more factors to those specific attacks than just "we were hacked".
        • Re:Hilarity (Score:5, Interesting)

          by Moheeheeko (1682914) on Thursday November 10, 2011 @08:19PM (#38018076)
          The fact that all evidence suggests that all credit card info was unencrypted on the Sony server. And no, Sony didn't announce shit until the network had been down for 2 weeks; up until that point they just claimed "maintenance".
          • by Gravatron (716477)
            Citation needed? I remember them saying the CC info was indeed encrypted. And they announced it sooner than that, I believe.
            • Re: (Score:3, Interesting)

              Be warned, the following is only hearsay:

              The CC info was encrypted in the database, and Sony used a separate internal-facing server to handle credit card transactions. The problem is, the transaction server wasn't configured properly; unencrypted credit card numbers and billing information were being recorded in Apache logs.
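The comment above is, as its author says, hearsay; but secrets leaking into web-server access logs is a failure mode worth having a check for. The following is an added example, not code from the thread or from either company: it scans Apache combined-format lines (constructed here, not real data) for digit runs that pass the Luhn check, reports them, and shows how a log filter would mask them. The sample lines, the 13-19 digit range and the mask format are assumptions.

```python
import re
from typing import List, Tuple

# Constructed Apache combined-format lines (not real Sony or Valve logs):
# a checkout POST, a GET that leaked a card number in the query string,
# and an order id that happens to be 16 digits long but is not a PAN.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2011:21:14:02 +0000] "POST /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Nov/2011:21:14:03 +0000] "GET /pay?cc=4111111111111111&exp=1213 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Nov/2011:21:15:10 +0000] "GET /order/1234567890123456 HTTP/1.1" 200 302 "-" "curl/7.21"
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side (assumption: PAN lengths).
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which card numbers satisfy and most other
    digit runs (timestamps, order ids, byte counts) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(line: str) -> List[str]:
    """Return the PANs (digits only) found in one log line."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact(line: str) -> str:
    """Mask each PAN down to its last four digits; leave Luhn-invalid
    digit runs untouched so ordinary log content is not damaged."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        return "*" * (len(digits) - 4) + digits[-4:]
    return CANDIDATE.sub(mask, line)


def scan_log(text: str) -> List[Tuple[int, str]]:
    """(line number, first6...last4) for every PAN in the log text: the
    report you would hand to whoever owns the payment server."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for digits in find_pans(line):
            findings.append((lineno, f"{digits[:6]}...{digits[-4:]}"))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: PAN {masked} logged in cleartext")
    print(redact(SAMPLE_LOG.splitlines()[1]))
```

Running the scan is the detection; the real fix is upstream, keeping card data out of query strings and request logging entirely, so that there is nothing for the filter to find.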

              • Re:Hilarity (Score:4, Informative)

                by tomstockmail (2056752) on Thursday November 10, 2011 @10:26PM (#38019050)
                Then screw heresy, here's the actual source [playstation.com].

                One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.

        • Re:Hilarity (Score:5, Informative)

          by Cyberllama (113628) on Thursday November 10, 2011 @08:33PM (#38018232)

          Well, let's start with the fact that PSN intrusion was just one of 23 separate incidents for Sony within a time frame of just a couple of months.

      • by wjousts (1529427)

        in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

        So Valve is run by tiny cocks? I feel sorry for Gabe's wife.

    • Re:Hilarity (Score:5, Insightful)

      by mr_da3m0n (887821) on Thursday November 10, 2011 @08:11PM (#38017988) Homepage
      I think it may have to do with Gabe being honest about it and immediately going "Yeah it happened, here's what they got, terribly sorry about that :(" Also, given the man's track record, I'd personally be more forgiving when comparing to Sony's track record.
    • Re:Hilarity (Score:5, Informative)

      by ewanm89 (1052822) on Thursday November 10, 2011 @08:12PM (#38017998) Homepage
      Well, Steam is fundamentally different from Sony:
      1. No-one told you you had to store credit card details in Steam; they support PayPal, which prevents this being an issue.
      2. At least they told their users in a prompt manner.
      3. It sounds like the information was properly encrypted and stored, this did not sound true with Sony.
    • Re:Hilarity (Score:5, Informative)

      by gman003 (1693318) on Thursday November 10, 2011 @08:13PM (#38018016)

      There was much miscommunication last time - a Sony executive said the credit card info was unencrypted. Which immediately launched a massive wave of "WTF?" from everyone with even a passing knowledge of security.

      There's also the fact that the intrusion targeted the Steam forums, which have distinct accounts from Steam itself. People probably use the same password on both (I think I might've), but it's still slightly better.

      And you can't forget the main difference - people can still play their games. During the Sony hacks, people were locked out of online play for quite some time. And people (being stupid) care more about getting their CoD on than not getting their credit cards stolen.

      Still not unforgivable, but the fact that Valve is immediately going "we fucked up, we're trying to fix it, here's exactly what's going on" rather than Sony's "We are aware of outages but won't even say that we got hacked for several days". Honesty counts for a lot.

      • by Gravatron (716477)
        CC info was indeed encrypted on Sony's end, it was personal details like address that was not.
        • by gman003 (1693318)

          Yes - but some Sony exec stated otherwise, which caused no end of confusion even after they corrected the statement.

          • by Gravatron (716477)
            Who cares? An exec misspeaking doesn't suddenly mean it was all in clear text.
      • by ewanm89 (1052822)
        The forum account password and the steam account password are linked.
        • Re: (Score:3, Informative)

          by Kenja (541830)
          Unless you disabled the security checks, you can not log into steam from an untrusted computer. If you try to do so, you will be asked to enter a code that is emailed to the account holder.
        • by Baloroth (2370816)
          Ummm, no? Unless you mean something weird by "linked", forum and Steam accounts are separate.
    • Re:Hilarity (Score:5, Interesting)

      by Anonymous Coward on Thursday November 10, 2011 @08:22PM (#38018124)

      Couple of big differences in this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:

      1. Completely shut down the service for a week with no explanation.
      2. Keep the service offline for an additional month after admitting that they had been compromised.
      3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
      4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breach.)
      5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
      6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.

      I think that about covers the differences.

    • Re:Hilarity (Score:5, Insightful)

      by Sitnalta (1051230) on Thursday November 10, 2011 @08:51PM (#38018404)

      Yes, but Sony stored customer data as PLAIN TEXT. Their security was a joke and they deserved all the bad press they got.

      Valve on the other hand had all sensitive data encrypted. Which means that the hackers likely got nothing but useless gobbledygook.

    • Re:Hilarity (Score:5, Insightful)

      by Charliemopps (1157495) on Thursday November 10, 2011 @09:17PM (#38018618)
      It's amazing what being generally nice to your customers, delivering what you promise and not trying to ass-rape them at every turn can get you when you finally do screw up isn't it?
    • Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
      Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.

      Valve = Valuable contributor to healthy, competitive market. Cares about customers.
      Sony = Anticompetitive lockdown ensures that a great many games are unplayable as they take a month to sort out the problem. Doesn't give a shit about customers.

      Why is the concept that people will treat companies in the same way that those companies treat them such a strange and unusual concept to some people?

  • DRM rocks! (Score:4, Insightful)

    by Anonymous Coward on Thursday November 10, 2011 @08:08PM (#38017952)

    Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...

    • Re:DRM rocks! (Score:5, Insightful)

      by Spad (470073) <slashdot@nOspaM.spad.co.uk> on Thursday November 10, 2011 @08:27PM (#38018160) Homepage

      As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.

      Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.

  • by feidaykin (158035) on Thursday November 10, 2011 @08:09PM (#38017964) Journal
    Funny that I had to read about this on Slashdot. You'd think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, but Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), so how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...
    • The funny thing is the HACKERS sent out a mass e-mail to everyone with a steam forums account, advertising some steam hacks (either they are stupid and were advertising themselves or they were framing another group). Also I never actually got Gabe's email, I only read about THAT on Joystiq first.
    • No kidding. I didn't get any email about this. Posting it on the forums is half-assed at best. Still better than Sony's no-ass attempt though.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Funny you should say that - I just logged into steam and had that message pop up as the first thing it did, good luck getting any cash out of my account though - I max it the day I get paid :-D

    • by Rockoon (1252108)
      My guess is that they are sending out emails, but since they literally have tens of millions of regular users (and certainly tens of millions of users that haven't connected in a long time), that might take some time.
    • by cstdenis (1118589) on Thursday November 10, 2011 @08:20PM (#38018106)

      It sounds like they are. The article says "...below is the full email from Gabe Newell to Steam members."

      Keep in mind Steam has a hell of a lot of members. It can easily take several hours to send out that many emails.

    • by Ihmhi (1206036)

      Steam has the ability to push out news to everyone, as well as updates. I am well aware of this as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases. I'm also notified when the client has to update.

      I'm pretty sure that they have a way to push out a notice to everyone - I'm just wondering why they haven't done it yet.

    • by IICV (652597) on Thursday November 10, 2011 @08:25PM (#38018144)

      The announcement also pops up after you stop playing a Steam game. Normally there's some ads when you do that, but currently the first thing that shows up is the text that Slashdot posted here. It's actually quite effective, because normally you get pictures and ads and things instead of a wall of text, so it stands out.

    • by captjc (453680)

      It is also interesting to note that the daily deal on Steam today is "Day of Defeat." Coincidence or message?

  • by Galaga88 (148206) on Thursday November 10, 2011 @08:16PM (#38018048)

    I'm not worried about my Steam password, I can go change it when I get home, it was fairly complex, and it's not a reused password anywhere else, but how hard would it be to crack these?

    For those of us who aren't cryptography experts, does cracking one of the easy passwords (love, password, money) then help crack the more complex ones (m4sT3rm!nd)? I'm guessing this is crypto 101 stuff.

    I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)

    • by Beryllium Sphere(tm) (193358) on Thursday November 10, 2011 @08:31PM (#38018210) Homepage Journal

      No, each one is an independent problem.

      None of the weaknesses that have been discovered in common hashes allow reversing them (which is in general impossible anyway since an infinite number of inputs could lead to the same hash, it's just infeasible to find them).

      The "crack" is just high-speed testing of possible passwords. Modern cracking software is actually fairly sophisticated about trying substitutions on dictionary words.

      Use a passphrase unless there's some stupid limit on password length.
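The points in the comment above (a "crack" is guess-and-check, the guesser is clever about substitutions, and a per-user salt makes each hash its own problem) in working code. This is an added example, not code from the thread; the thread never says what hash Valve used, so it assumes salted SHA-256, a six-word constructed wordlist and a five-entry leet table, all far smaller than what a real cracker runs with.

```python
import hashlib
import itertools
import os
from typing import Dict, Iterator, Optional, Tuple

# A small rule table of "leet" substitutions (assumption: real cracker
# rule sets such as hashcat's are far larger than this).
LEET = {"a": "4", "e": "3", "i": "!", "o": "0", "s": "$"}

# Constructed wordlist; the three easy passwords from the post come first.
WORDLIST = ["love", "password", "money", "dragon", "letmein", "mastermind"]


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, a stand-in for whatever Steam actually used (assumption).
    The salt is stored next to the hash; it is not a secret."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield the variants a rule-based cracker derives from one word:
    every subset of leet substitutions, then every upper/lower casing."""
    subs = [i for i, c in enumerate(word) if c in LEET]
    for k in range(len(subs) + 1):
        for chosen in itertools.combinations(subs, k):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i]]
            letters = [i for i, c in enumerate(chars) if c.isalpha()]
            for cases in itertools.product((str.lower, str.upper), repeat=len(letters)):
                out = list(chars)
                for i, f in zip(letters, cases):
                    out[i] = f(out[i])
                yield "".join(out)


def crack(target: str, salt: bytes) -> Tuple[Optional[str], int]:
    """Guess-and-check against one stored hash. Nothing is 'reversed': every
    candidate is hashed with this user's salt and compared. Returns the
    recovered password (or None) and the number of hashes computed."""
    tries = 0
    for word in WORDLIST:
        for candidate in mangle(word):
            tries += 1
            if hash_password(candidate, salt) == target:
                return candidate, tries
    return None, tries


def demo() -> Dict[str, Tuple[str, Optional[str], int]]:
    """Store four users' passwords (constructed) and attack each one."""
    plaintexts = {
        "alice": "love",
        "bob": "love",                            # same password as alice
        "carol": "m4sT3rm!nd",                    # the 'complex' one from the post
        "dave": "correct horse battery staple",   # a passphrase, not in any wordlist
    }
    results = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)                     # per-user random salt
        stored = hash_password(pw, salt)
        found, tries = crack(stored, salt)
        results[user] = (stored, found, tries)
    return results


if __name__ == "__main__":
    for user, (stored, found, tries) in demo().items():
        print(f"{user:6s} {stored[:16]}...  cracked={found!r}  hashes={tries}")
```

alice and bob chose the same password but their stored hashes differ, so a table built while attacking alice says nothing about bob; carol's leetspeak password falls to a ten-character dictionary word plus rules; dave's passphrase is simply never generated. Without salts, one pass over the wordlist would have tested every user at once.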

    • by Spad (470073)

      General rules are: Mixed case/numbers/symbols all make them hard to crack but not as much as making them longer.
      Cracking simple encrypted passwords will not help you crack any more complex ones unless Valve have done something horribly wrong in terms of encrypting them.

    • by alcourt (198386)

      Knowing one password does not materially help attacks on other passwords. However, depending on the algorithm used, it may be possible to brute force the password. For example, if the old Unix crypt(3c) algorithm is used, then most passwords can be brute forced in reasonable time now. Recent advances have led to use of the graphics card on your system to perform those attacks.

      Longer hashes like MD-5 are significantly harder as they support a much longer search space, but few people use a password over tw

  • hah (Score:5, Funny)

    by geekoid (135745) <dadinportland@@@yahoo...com> on Thursday November 10, 2011 @08:25PM (#38018152) Homepage Journal

    Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.

    • Re:hah (Score:4, Funny)

      by Bobfrankly1 (1043848) on Thursday November 10, 2011 @08:44PM (#38018358)

      Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.

      You're just upset *backstab* because you have difficulty *MEDIC!!!! backstab* spy-checking as a *backstab, cloak* pyro. Perhaps if you stopped standing in one place *backstab, backstab, miss, backstab* and developed your pyro techniques, you would find spies to be *sapper, backstab, die from being on fire* easy prey.

  • I'm a fan of Steam but I am mad as hell that they let this happen. It is not as if they weren't an obvious target given the number of game companies that have been hit before. This is Valve's fault. They screwed up big time and a limp apology from Gabe Newell doesn't make me feel any better.

    • by Ihmhi (1206036)

      To be fair, they could be the best company in the world and it would still take time for them to figure out what exactly happened and how they are going to remedy it. Give them some time. Accidents happen, mistakes happen, and there's really no way of knowing what the end result will be until they've had time to investigate further and decide on a solution. The fact that Steam got this information out so quickly is a good sign in my eyes.

    • by Spad (470073) <slashdot@nOspaM.spad.co.uk> on Thursday November 10, 2011 @08:43PM (#38018342) Homepage

      Until we have real information about how they were hit, it's difficult to make any assumptions about how badly Valve may have screwed up.

  • by Shillo (64681) on Thursday November 10, 2011 @08:32PM (#38018226)

    Today's daily deal on Steam is: Day of Defeat.

    Couldn't have made a better choice myself.

  • Whew! (Score:5, Funny)

    by Bobfrankly1 (1043848) on Thursday November 10, 2011 @08:37PM (#38018286)
    Good thing I just followed the e-mail that just arrived and changed my password then! I'm fortunate to have found it in my junk mail. Weird that Steam is requiring social security numbers to change passwords now.
  • Steaming pile (Score:3, Insightful)

    by Culture20 (968837) on Thursday November 10, 2011 @08:42PM (#38018334)
    I reiterate for posterity: I will never buy any game that requires Steam or any other DRM that prevents me from installing it twenty years from now or forces me to give up personally identifying information (especially CC numbers).
    • Re:Steaming pile (Score:5, Insightful)

      by artor3 (1344997) on Thursday November 10, 2011 @10:03PM (#38018946)

      You don't need to give up your CC number (or any personal information) unless you are buying a game with your CC. How, exactly, do you think they should handle credit card purchases?

      • by Ash-Fox (726320)

        How, exactly, do you think they should handle credit card purchases?

        They should be using a laser and an artificial satellite.

  • Hat? (Score:5, Funny)

    by jjshoe (410772) on Thursday November 10, 2011 @08:47PM (#38018378) Homepage

    Do I get a hat for having to go through this?

  • by dstyle5 (702493) on Thursday November 10, 2011 @08:54PM (#38018424)
    I wonder how long this will delay the release of Half-Life 3? Or Half-Life 2 Episode 3? Left 4 Dead 3? Portal 3?

    /oblig game delay post

    Hmm, that's a lot of 3 games Valve could be working on....
  • by JakFrost (139885) on Thursday November 10, 2011 @10:26PM (#38019052)

    Got hit with this one!

    On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone has been playing Team Fortress 2 on it, the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy (www.crazy_denis@mail.ru) demanding that I put the passwords back so he can use the account he bought and paid for. Used Google Translate into Russian, sometimes Ukrainian, to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today Slashdot story breaks about Steam being compromised. I wasn't the only one I guess!

    PasswordMaker - Storage-less and per-site unique hash based password scheme

    Changing all my passwords now to a PasswordMaker [passwordmaker.org] scheme for unique passwords for every single site based on a storage-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used and generate the same password every time that is unique, and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, programming language since this app has been ported to practically everything.

    I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.

    Here's the conversation for all of you.

    From: www.crazy_denis@mail.ru
    Sent: Monday, November 07, 2011 11:03 PM

    Crazy Denis: You bitch Give me my account is steam which I bought yesterday! will not come back you will have problems moshenik fucking

    JakFrost: I would kindly suggest you go and get another account from the source before you lose more than just money. To understand each.

    Crazy Denis: How do I get another account?

    JakFrost: Ask a guy who you got this one and get another one. This account is off limits.

    Crazy Denis: I wrote to him he was going to do nothing to write tehpoderzhku said there had already written an answer waiting for 24 hours
    damn well bring back pliz account you do what it's worth it

    JakFrost: What's the password for that account so that I could find one for you?

    Crazy Denis: Login: MyUsername Password: ********

    JakFrost: (No Reply)

    Crazy Denis: Well, I found?

    JakFrost: That is correct user name and password, but that account is currently blocked by Steam support of a security breach. I can not use it either, so it ruined for us both.

    Crazy Denis: Yes, all right there!, Today began to go wrong is led pishel password or an account is not suschustvuet

    JakFrost: I do not know, I get an error that the password is incorrect or the account has not been found.

    Crazy Denis: A registered on your soap the same account?

    JakFrost: No, it does not work.

    Crazy Denis: clear, damn well feel sorry for you and I were left wi
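JakFrost's storage-less scheme (master password + site -> hash -> alphabet -> length limit) and his simpler `echo ... | md5sum` variant, written out as an added example that is not PasswordMaker's code nor anything from the thread. The output alphabet, the 16-character default and the PBKDF2 iteration count are assumptions. The last function keeps the same shape but swaps the single MD5 for PBKDF2-HMAC-SHA256, the design change a practitioner would make: with plain MD5, anyone who obtains one site's derived password can test master-password guesses at MD5 speed, which is the same guess-and-check problem the breach itself poses.

```python
import hashlib
import string

# Output alphabet (assumption: PasswordMaker lets you choose one; this is one choice).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def md5sum_style(master: str, site: str) -> str:
    """The post's shell one-liner, `echo MyPassword69! slashdot.org|md5sum`:
    echo joins its arguments with a space and appends a newline, so the bytes
    hashed are "<master> <site>\\n", not "<master><site>". Returns 32 hex chars."""
    return hashlib.md5(f"{master} {site}\n".encode()).hexdigest()


def to_alphabet(digest: bytes, alphabet: str, length: int) -> str:
    """PasswordMaker's character-set step: treat the digest as one big integer
    and write it out in base len(alphabet), taking `length` digits."""
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, r = divmod(n, len(alphabet))
        out.append(alphabet[r])
    return "".join(out)


def site_password(master: str, site: str, length: int = 16) -> str:
    """PasswordMaker-style: master + site -> MD5 -> alphabet -> length limit.
    Deterministic, so nothing needs to be stored; but see site_password_slow."""
    return to_alphabet(hashlib.md5((master + site).encode()).digest(), ALPHABET, length)


def site_password_slow(master: str, site: str, length: int = 16,
                       iterations: int = 200_000) -> str:
    """Same scheme with PBKDF2-HMAC-SHA256 in place of a single MD5 (the site
    name serves as the salt). A leaked site password now costs `iterations`
    hashes per master-password guess instead of one. Iteration count is an
    assumption; pick it for the slowest device you will derive on."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), iterations, dklen=32)
    return to_alphabet(dk, ALPHABET, length)


if __name__ == "__main__":
    print(md5sum_style("MyPassword69!", "slashdot.org"))
    print(site_password("MyPassword69!", "slashdot.org"))
    print(site_password_slow("MyPassword69!", "slashdot.org"))
```

Either way the master password is the single point of failure: the derivation adds no secret of its own, so everything rests on the master being long and on nobody being able to test guesses against it cheaply. Note also that a site which silently truncates its password field will accept a shorter prefix than you think you set; check the length a site actually keeps before relying on it.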

  • by gregrah (1605707) on Friday November 11, 2011 @02:05AM (#38020214)
    Not sure if this is a coincidence, but the credit card that I had on file with Steam got billed with a fraudulent charge on Nov 6. Any other steam users experiencing anything like this?
  • by jones_supa (887896) on Friday November 11, 2011 @03:19AM (#38020554)
    Back when the Half-Life 2 source was leaked, the cracker said that, along with spectating the development process, he actually made some small changes to the code. Is it possible that some of these made their way to the final product, or that there is even some hidden malicious code included? Paranoid, but interesting.
