Valve Announces Massive Steam Server Intrusion

SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."

Hey gabe

[Anonymous Coward]

As a show of good will, how about something extra? We trusted steam, now they have our encrypted credit card info and billing addresses. Origin looks mighty tempting right about now.. with BF3 and all... =)

Re:Hey gabe

[kelemvor4]

Origin looks mighty tempting right about now.. with BF3 and all...

Sure, if you don't mind handing over an inventory of everything on your PC and letting origin do what they want with the information... http://decryptedtech.com/index.php?option=com_k2&view=item&id=257:eas-origin-may-be-a-little-too-intrusive&Itemid=138 [decryptedtech.com]

Re:Hey gabe

[ludomancer]

You're just being stupid for the sake of comedy right?

Amazon.com looks good right now.
Fuck, even Best Buy looks good right now.

Origin looks like the exact same crap, but with a much less trustworthy company in charge of it. EA would sell all that personal information straight to the hackers if it meant they could turn a profit.

Re:Hey gabe

[Mashiki]

Even after this, I still trust Valve more than I trust EA. Hell Valve could kill kittens and use their blood to fuel their servers, and I'd still trust them more than EA. One only needs to look into the past and see how much EA has treated not only their customers as dirt, but their employees.

Re:

[rahvin112]

The could require a ritual human sacrifice every time I start a game and I would STILL trust them more than EA.

It would be better if they didn't have the database but encrypted info isn't much value as long as they didn't get the salt values or private keys with the data.

Re:Hey gabe

[Ant P.]

Yeah, so far Valve's credit card database has been stolen, but EA customers are the ones getting money stolen from their bank accounts [reddit.com].

Unencrypted passwords

[phorm]

All you need to see about EA's security is how they deal with "lost passwords"

Last time I did a lost password request with EA, they happily sent me my password in email. No, not a "password reset request", but my actual password.
This tells me that:
a) They're dumb enough to send passwords in plaintext via email
b) They're dumb enough to store plaintext-retrievable passwords instead of doing a hash comparison.

FAIL!

Re:Hey gabe

[rapidreload]

Hell Valve could kill kittens and use their blood to fuel their servers

Wait... are you saying kitteh sacrifices are NOT part of standard server administration? Shit, I'm not quite sure what my boss is going to say when he finds out how I run things...

Proper back end hashing and encryption?

[Anonymous Coward]

Awesome. Sounds like they were doing things right.

Re:Proper back end hashing and encryption?

[ackthpt]

Awesome. Sounds like they were doing things right.

Yeah, sounds like they did better than most businesses *cough* Sony *cough* who probably kept everything in a big ol' text file.

which was named readme.txt

Re:Proper back end hashing and encryption?

[pixelpusher220]

please, they aren't that stupid.

They called it 'dontreadme.txt'

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Canazza]

yes, but with gabe you can use portals to fling him.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Proper back end hashing and encryption?

[icebraining]

Uh, no. Sony stored over 1M password in cleartext.

http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html [troyhunt.com]

Re:Proper back end hashing and encryption?

[MagusSlurpy]

Don't forget the 12,700 credit card numbers stored in cleartext. But that's no biggie, because only a thousand of them were still active Sony customers.

Re:Proper back end hashing and encryption?

[muon-catalyzed]

..until some external auditor confirms this better start the identity theft ritual (credit cards pull etc.)

Re:

[X0563511]

All my cards already got compromised. Whee. I think some merchant somewhere was doing exactly what the PCI-DSS council [pcisecuritystandards.org] says not to do.

Fortunately they all have 'zero liability' - wonder how long that will last? In my case, the best the hackers got were deactivated card numbers and a password that just became useless.

Re:

[X0563511]

Didn't have any trouble myself.

Sounds silly, but try changing your download location first in the settings, you might have better luck connecting via a different 'path'

Hilarity

[OverlordQ]

Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, accounts details stolen, account information hashed and salted, Sony ran through the ringer.

Love to see the hivemind at work.

Re:Hilarity

[Anonymous Coward]

The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

Re:

[Gravatron]

Sony announced it rather quickly, brought the network down till it was fixed, and gave everyone free games and a year of ID theft protection. What, exactly, was Sony's major problem in how they handled things?

Re:Hilarity

[ewanm89]

Shall we go into how they fired their whole network security team the week before, or the fact the attacks on Sony were orchestrated as a retaliatory strike on them for certain lawsuits (I'm not saying it's right) just there were lots more factors to those specific attacks than just "we were hacked".

Re:Hilarity

[Moheeheeko]

The fact that all evidence suggests that all credit card info was unencrypted on the Sony server. And no, Sony didnt announce shit until the network had been down for 2 weeks, up until that point they just claimed "matinence"

Re:

[Gravatron]

Citation needed? I remember them saying the CC info was indeed encrypted. And they announced it sooner then that I believe.

Re:

[Unoriginal_Nickname]

Be warned, the following is only hearsay:

The CC info was encrypted in the database, and Sony used a separate internal-facing server to handle credit card transactions. The problem is, the transaction server wasn't configured properly; unencrypted credit card numbers and billing information were being recorded in Apache logs.

Re:Hilarity

[tomstockmail]

Then screw heresy, here's the actual source [playstation.com].

One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.

Re:Hilarity

[Kalriath]

Not entirely true - some credit card merchant gateways permit you to tokenize the credit card info and re-charge them without ever re-sending (or storing) the details. In these cases, the merchant only ever sees your details once - when they send them in to be tokenized. And the token is also usable only by the original merchant - so the worst a hacker could do with it is forcibly give your money to the merchant.

Re:Hilarity

[Cyberllama]

Well, let's start with the fact that PSN intrusion was just one of 23 separate incidents for Sony within a time frame of just a couple of months.

Re:

[wjousts]

in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

So Valve is run by tiny cocks? I feel sorry for Gabe's wife.

Re:Hilarity

[mr_da3m0n]

I think it may have to do with Gabe being honest about it and immediatly going "Yeah it happened, here's what they got, terribly sorry about that :(" Also given the man's track record, I'd personally be more forgiving, when comparing to Sony's track record.

Re:

[Local ID10T]

The guy has just admitted they stuffed up. they had a responsibility to protect your data that they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.

If you think this situation is anything like being raped -you do not know what rape is...

Re:Hilarity

[Anonymous Coward]

Yeah... it's more like getting roofied, and then being told about it 4 days later.

Re:

[Joehonkie]

Yes, this is exactly like being raped. At a police station. Exactly the same.

Re:

[X0563511]

Ignoring the rape comparison, I would be happy they admitted it. Would you prefer they pretend it didn't happen, and go "la la la la we didn't see it"?

Re:Hilarity

[ewanm89]

Well steam fundamentally different from sony:
1. No-one told you you had to store credit card details in steam, they support paypal which prevents this being an issue.
2. At least they told their users in a prompt manner.
3. It sounds like the information was properly encrypted and stored, this did not sound true with Sony.

Re:

[somersault]

No-one told you you had to store credit card details in steam

Did somebody tell you to store your credit card details on PSN?

Re:Hilarity

[DarwinSurvivor]

Our family plays on PSN regularly and we have NEVER given Sony any CC numbers. We even bought a couple games later on, also without cc (7-11 gift certificate).

Re:Hilarity

[gman003]

There was much miscommunication last time - a Sony executive said the credit card info was unencrypted. Which immediately launched a massive wave of "WTF?" from everyone with even a passing knowledge of security.

There's also the fact that the intrusion targeted the Steam forums, which have distinct accounts from Steam itself. People probably use the same password on both (I think I might've), but it's still slightly better.

And you can't forget the main difference - people can still play their games. During the Sony hacks, people were locked out of online play for quite some time. And people (being stupid) care more about getting their CoD on than not getting their credit cards stolen.

Still not unforgivable, but the fact that Valve is immediately going "we fucked up, we're trying to fix it, here's exactly what's going on" rather than Sony's "We are aware of outages but won't even say that we got hacked for several days". Honesty counts for a lot.

Re:

[Gravatron]

CC info was indeed encrypted on Sony's end, it was personal details like address that was not.

Re:

[gman003]

Yes - but some Sony exec stated otherwise, which caused no end of confusion even after they corrected the statement.

Re:

[Gravatron]

Who cares? A exec misspeaking doesn't suddenly mean it was all in clear text.

Re:Hilarity

[Daetrin]

It took about 5-10 minutes of searching to find the exact reference, but here you go. [gamingunion.net]

So technically speaking the passwords _weren't_ encrypted. I remember when that bit of news came my friends and i were all very curious to know what kind of salt (if any) they were using, but we're all geeks at a software company so we're a bit more clued in about such things. In fact i don't remember if the salt question ever got answered.

As for why it keeps getting brought up, especially in this thread, it's because people keep asking why Sony was treated more harshly than Valve seems to be getting treated now. The answer is that Sony took forever to say anything about what was going on [wikipedia.org] and the made a habit of releasing partial bits of information, some of which were confusing or misleading. The encryption issue is just one of those bits the handling of which upset people.

PSN was hacked between April 17th and 19th. It took a day or three before they shut down the servers without saying a word. It was three more days [slashdot.org] before they admitted there had been a data intrusion, and another three days [slashdot.org] before they admitted that user data had been compromised and days more before they admitted that personally identifiable information had been compromised.

If Valve starts dribbling out more bits of previously unrevealed information over the next few weeks (not just details on the aspects they've already confirmed) then the amount of goodwill currently being displayed will erode very fast.

Most of us don't feel that it's possible to prevent all security intrusions, but it is possible for companies to be responsible and forthright about it when it happens.

Re:

[ewanm89]

The forum account password and the steam account password are linked.

Re:

[Kenja]

Unless you disabled the security checks, you can not log into steam from an untrusted computer. If you try to do so, you will be asked to enter a code that is emailed to the account holder.

Re:Hilarity

[Baloroth]

In fact, this is why I have decided not to change my Steam password. If I get a notification that someone tried to access it, I know the password were compromised, and can act accordingly.

Re:

[Baloroth]

Ummm, no? Unless you mean something weird by "linked", forum and Steam accounts are separate.

Re:Hilarity

[Anonymous Coward]

Couple of big differences in this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:

1. Completely shut down the service for a week with no explanation.
2. Keep the service offline for an additional month after admitting that they had been compromised.
3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breech.)
5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.

I think that about covers the differences.

Re:Hilarity

[Sitnalta]

Yes, but Sony stored customer data as PLAIN TEXT. Their security was a joke and they deserved all the bad press they got.

Valve on the other hand had all sensitive data encrypted. Which means that the hackers likely got nothing but useless gobbledygook.

Re:Hilarity

[Charliemopps]

It's amazing what being generally nice to your customers, delivering what you promise and not trying to ass-rape them at every turn can get you when you finally do screw up isn't it?

Do unto others...

[mjwx]

Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, accounts details stolen, account information hashed and salted, Sony ran through the ringer.

Valve = Valuable contributor to healthy, competitive market. Cares about customers.
Sony = Anticompetitive lockdown ensures that a great many games are unplayable as they take a month to sort out the problem. Doesn't give a shit about customers.

Why is the concept that people will treat companies in the same way that those companies treat them such a strange and unusual concept to some people?

DRM rocks!

[Anonymous Coward]

Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...

Re:DRM rocks!

[Spad]

As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.

Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.

Re:

[Baloroth]

Because these days it seems like it's either Steam or Securom (or *shudder* worse). I'll take Steam, TYVM.

Re:DRM rocks!

[artor3]

Liar. If you try to start Steam without an internet connection, it pops up a window with two options "Retry" and "Start in Offline Mode". You absolutely do not need to go into offline mode ahead of time. Did you really think no one would catch that lie?

Re:DRM rocks!

[zigmeister]

No he's probably not lying. I've had the exact same problem. I'll explain it as best I can (I don't know why it happens):

Your computer is connected to the 'net with steam running. You shut down steam, disconnect from the internet completely, then restart steam. Then steam does all kinds of weird shit like it claims it's updating itself or "connecting"... after a while it finally pops up and says I can't connect to to a steam server what would you like to do? 1) Retry 2) Start in Offline Mode. Select option 2 (obviously) then steam says it's "connecting" (sigh) again, then it says something like could not connect to a steam server at this time. The only option is to close the window.

As far as I can tell the workaround to play in offline depends on the game. For all games this was required: start steam with a working internet connection, select go/restart into offline mode while connected to the internet, then quit steam, then disconnect from the internet completely, then start steam in offline mode normally at your leisure. That worked for most games but it was also incredibly annoying; the buddies I LAN with don't have a 'net connection and I forgot to go through this process before going over once or twice.

For some games (The Orange Box falls into this category) I had to have the game updated, then start the game while connected to the internet IF it had been updated since it was last played, then go through all the normal stuff I listed above. If I didn't do all of this the game would not start in offline mode even if steam would. Yet more games completely refused to start and I never figured out how to workaround that (none of the above worked.)

For the GPs sake: I managed to fix the issue by uninstalling steam then nuking the contents of the steam folder on the drive. But it still does some weird shit but w/e. Also I haven't bothered reporting or complaining because I have heard that Valve ignores complaints about offline mode not working so...

Re:

[Squiddie]

You still have to make a Steam account if you buy some retail games. It's just DRM, and while less intrusive than most, it's still horrible. I can't even give my old games away, which is crap, since I have friends that would usually take my old games, now they don't get squat.

Way to keep us informed?

[feidaykin]

Funny that I had to read about this on Slashdot. You think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, but Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), but how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...

Re:

[The MAZZTer]

The funny thing is the HACKERS sent out a mass e-mail to everyone with a steam forums account, advertising some steam hacks (either they are stupid and were advertising themselves or they were framing another group). Also I never actually got Gabe's email, I only read about THAT on Joystiq first.

Re:Way to keep us informed?

[Cl1mh4224rd]

They did? I never got that one myself.

I did. I had completely forgotten about it until I read The MAZZTer's comment. I kind of shrugged it off as the usual email spoofing, but it still seemed odd at the time that it made it through Google's spam filter.

The email, with redactions by me:

Subject: Come join [redacted], a gaming resource community
From: webmaster@steampowered.com

Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks? Visit [redacted]. It's safe, secure and undetected.

Along with hacks, we've also got some general discussion sections, hacking tutorials and tools, porn, free giveaways and much more. This site has been conditioned to meet all your needs in terms of resources so be sure to take a look and tell us what you think.

Thanks again,
the [redacted] team.

Re:

[Kral_Blbec]

No kidding. I didn't get any email about this. Posting it on the forums is half-assed at best. Still better than Sony's no-ass attempt though.

Re:

[Gravatron]

Sony was quite public about it, what are you talking about? I got emails about it, and they sent out press releases about it IIRC.

Re:Way to keep us informed?

[koolfy]

Of course they did.... two weeks after downing PSN claiming it was for maintenance.

They HAD to do so eventually, but the point is they went into denial mode for weeks before admitting the fuckup.

Re:Way to keep us informed?

[Anubis IV]

Sony was quite public about it, what are you talking about?

They may have been public about the fact that there was a breach, but they were incompetent in their handling of it. And based on my e-mail archives, they never fully informed their customers of the extent to which the intruders compromised their servers. Specifically, Sony only sent out two e-mails related to the PSN outage to all of their customers: one on April 28th to say that accounts had been compromised, but that there was no evidence of credit cards having been compromised at that time, and another on June 5th to announce the Welcome Back package. From what I can tell, there was NEVER a mass e-mail to inform their PSN customers that credit card information had, in fact, been stolen, nor did they ever send out a mass e-mail to announce their identity theft protection program (or maybe I just didn't get it because I signed up for it before they sent it?).

Here's a complete timeline including other announcements besides e-mails:
January or February 2011 - Sony is told by security experts specifically why their server security sucks [slashdot.org]
Early April - Various PSN outages, some because of planned Anonymous DDoS attacks
April 17th-19th - PSN compromised (source: Sony's April 28th e-mail)
April 21st - PSN goes down as Sony realizes something is up
April 23rd - Sony blames outage on external intrusion [slashdot.org]; makes no mention of compromised accounts
April 24th - Sony starts "rebuilding" PSN after attack [slashdot.org]; still no mention of compromised accounts
April 26th - Sony admits that someone may have some account information for their 77M accounts [slashdot.org]
April 27th - Sony confirms that some data was stolen [slashdot.org]
April 28th - First e-mail to customers gets sent; says there is no evidence yet of credit cards having been compromised
May 1st - Sony confirms that 10M users had credit cards compromised [slashdot.org]; promises PSN up by week's end [slashdot.org] (spoiler: it didn't happen); doesn't send an e-mail
May 2nd - SOE goes down after they realized it was compromised too [slashdot.org]
May 3rd - Sony admits 24.6M SOE accounts were compromised [slashdot.org]
May - Lots more drama as Sony makes promises to have PSN up but then reneges on them repeatedly
June 2nd - PSN finally comes back up [latimes.com]
June 5th - Second e-mail to customers gets sent; tells them that the Welcome Back package is now available; makes no mention of credit cards, identity theft, or how to sign up for their free identity theft protection program

I'd hardly call it a model to follow, and I'm still hoping that Valve will make a point of e-mailing their users in the next few days. It's fine to take a few days for something like this while you track down the details, but it does need to get done properly at some point. Sony never did it properly.

Re:

[Gravatron]

you mean 7 days. Hack occurred on the 19th and the full disclosure of what was taken was on the 26th iirc.

Re:

[Anonymous Coward]

Funny you should say that - I just logged into steam and had that message pop up as the first thing it did, good luck getting any cash out of my account though - I max it the day I get paid :-D

Re:

[Rockoon]

My guess is that they are sending out emails, but since they literally have tens of millions of regular users (and certainly tens of millions of users that havent connected in a long time), that might takes some time.

Re:Way to keep us informed?

[cstdenis]

It sounds like they are. The article says "...below is the full email from Gabe Newell to Steam members."

Keep in mind Steam has a hell of a lot of members. It can easily take several hours to send out that many emails.

Re:

[Ihmhi]

Steam has the ability to push out news to everyone, as well as updates. I am well aware of this as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases. I'm also notified when the client has to update.

I'm pretty sure that they have a way to push out a notice to everyone - I'm just wondering why they haven't done it yet.

Re:Way to keep us informed?

[X0563511]

as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases.

Sounds like you don't like this.
1. Steam Menu
2. Settings
3. Interface Tab
4. Uncheck the "Notify me..." box near the bottom

Re:Way to keep us informed?

[IICV]

The announcement also pops up after you stop playing a Steam game. Normally there's some ads when you do that, but currently the first thing that shows up is the text that Slashdot posted here. It's actually quite effective, because normally you get pictures and ads and things instead of a wall of text, so it stands out.

Re:

[captjc]

It is also interesting to note that the daily deal on Steam today is "Day of Defeat." Coincidence or message?

How hard are the passwords to crack?

[Galaga88]

I'm not worried about my Steam password, I can go change it when I get home, it was fairly complex, and it's not a reused password anywhere else, but how hard would it be to crack these?

For those of us who aren't cryptography experts, does cracking one of the easy passwords (love, password, money) then help crack the more complex ones (m4sT3rm!nd)? I'm guessing this is crypto 101 stuff.

I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)

Re:How hard are the passwords to crack?

[Beryllium Sphere(tm)]

No, each one is an independent problem.

None of the weaknesses that have been discovered in common hashes allow reversing them (which is in general impossible anyway since an infinite number of inputs could lead to the same hash, it's just infeasible to find them).

The "crack" is just high-speed testing of possible passwords. Modern cracking software is actually fairly sophisticated about trying substitutions on dictionary words.

Use a passphrase unless there's some stupid limit on password length.

Re:

[Spad]

General rules are: Mixed case/numbers/symbols all make them hard to crack but not as much as making them longer.
Cracking simple encrypted passwords will not help you crack any more complex ones unless Valve have done something horribly wrong in terms of encrypting them.

Re:

[alcourt]

Knowing one password does not materially help attacks on other passwords. However, depending on the algorithm used, it may be possible to brute force the password. For example, if the old Unix crypt(3c) algorithm is used, then most passwords can be brute forced in reasonable time now. Recent advances have led to use of the graphics card on your system to perform those attacks.

Longer hashes like MD-5 are significantly harder as they support a much longer search space, but few people use a password over tw

hah

[geekoid]

Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.

Re:hah

[Bobfrankly1]

Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.

You're just upset *backstab* because you have difficulty *MEDIC!!!! backstab* spy-checking as a *backstab, cloak* pyro. Perhaps if you stopped standing in one place *backstab, backstab, miss, backstab* and developed your pyro techniques, you would find spies to be *sapper, backstab, die from being on fire* easy prey.

This is Valve's fault

[Liambp]

I'm a fan of Steam but I am a mad as hell that they let this happen. It is not as if they weren't an obvious target given the number of game companies that have been hit before.This is Valve's fault. They screwed up big time and a limp apology from Gabe Newell doesn't make me feel any better.

Re:

[Ihmhi]

To be fair, they could be the best company in the world and it would still take time for them to figure out what exactly happened and how they are going to remedy it. Give them some time. Accidents happen, mistakes happen, and there's really no way of knowing what the end result will be until they've had time to investigate further and decide on a solution. The fact that Steam got this information out so quickly is a good sign in my eyes.

Re:This is Valve's fault

[Spad]

Until we have real information about how they were hit, it's difficult to make any assumptions about how badly Valve may have screwed up.

Accidental irony

[Shillo]

Today's daily deal on Steam is: Day of Defeat.

Couldn't have made a better choice myself.

Whew!

[Bobfrankly1]

Good thing I just followed the e-mail that just arrived and changed my password then! I'm fortunate to have found it in my junk mail. Weird that Steam is requiring social security numbers to change passwords now.

Steaming pile

[Culture20]

I reiterate for posterity: I will never buy any game that requires Steam or any other DRM that prevents me from installing it twenty years from now or forces me to give up personally identifying information (especially CC numbers).

Re:Steaming pile

[artor3]

You don't need to give up your CC number (or any personal information) unless you are buying a game with your CC. How, exactly, do you think they should handle credit card purchases?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Culture20]

20 years from now there is a good chance that such an old game would be incapable with what ever computer your running it on.

I can run a full emulator on current hardware that I still need to slow down for older games. Twenty years from now, I'm betting it will be similar.

Re:

[geminidomino]

Do you spend your time today playing 20 year old games?

More time than I spend playing 2 year old or younger games, yes.

Currently replaying the original Final Fantasy using the "Duane and Brand0" party.

Hat?

[jjshoe]

Do I get a hat for having to go through this?

Oblig Half-Life 3 delay...

[dstyle5]

I wonder how long this will delay the release of Half-Life 3? Or Half-Life 2 Episode 3? Left 4 Dead 3? Portal 3?

/oblig game delay post

Hmm, thats alot of 3 games Valve could be working on....

My account was among those compromised.

[JakFrost]

Got hit with this one!

On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone has been playing TeamFortress 2 on it, the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy ( [www.crazy_denis@mail.ru]) demanding that I put the passwords back so he can use the account he bought and paid for. Used Google Translate into Russian sometimes Ukrainian to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today Slashdot story breaks about Steam being compromised. I wasn't the only one I guess!

PasswordMaker - Storage-less and per-site unique hash based password scheme

Changing all my passwords now to a PasswordMaker [passwordmaker.org] scheme for unique passwords for every single site based on a storege-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used and generate the same password every time that is unique and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, programming language since this app has been ported to practically everything.

I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.

Here's the conversation for all of you.

From: [mailto:www.crazy_denis@mail.ru]
Sent: Monday, November 07, 2011 11:03 PM

Crazy Denis: You bitch Give me my account is steam which I bought yesterday! will not come back you will have problems moshenik fucking

JakFrost: I would kindly suggest you go and get another account from the source before you lose more than just money. To understand each.

Crazy Denis: How do I get another account?

JakFrost: Ask a guy who you got this one and get another one. This account is off limits.

Crazy Denis: I wrote to him he was going to do nothing to write tehpoderzhku said there had already written an answer waiting for 24 hours
damn well bring back pliz account you do what it's worth it

JakFrost: What's the password for that account so that I could find one for you?

Crazy Denis: Login: MyUsername Password: ********

JakFrost: (No Reply)

Crazy Denis: Well, I found?

JakFrost: That is correct user name and password, but that account is currently blocked by Steam support of a security breach. I can not use it either, so it ruined for us both.

Crazy Denis: Yes, all right there!, Today began to go wrong is led pishel password or an account is not suschustvuet

JakFrost: I do not know, I get an error that the password is incorrect or the account has not been found.

Crazy Denis: A registered on your soap the same account?

JakFrost: No, it does not work.

Crazy Denis: clear, damn well feel sorry for you and I were left wi

Fraudulent transaction on my credit card

[gregrah]

Not sure if this is a coincidence, but the credit card that I had on file with Steam got billed with a fraudulent charge on Nov 6. Any other steam users experiencing anything like this?

I've been wondering...

[jones_supa]

At the times when Half-Life 2 source was leaked, the cracker said that along spectating the development process he actually made some small changes to the code. Is it possible that some of these made their way to the final product or if there is even some hidden malicious code included? Paranoid, but interesting.

Re:

[cheater512]

Cause the encryption key would also have to be on the server?

Re:

[ewanm89]

well, technically it could be on a separate server to the database server or the webserver, but generally once one has access to one of the three they have enough access to the other two if they were segregated.

Re:

[Firehed]

Because it's highly impractical if you want your audit logs to be in any way useful (also if you don't want your key rotation to take months). It's also pointless overhead when it comes to non-sensitive data. Get a name and city, and there's a good chances you can get phone number, full street address, and more from whitepages.com (and similar sites). Several years ago, people got this same info from things called phone books.

I'm disappointed to hear this happened, but assuming they're correct in their beli

Re:

[geekoid]

You could learn about bias confirmation and statistics,. Then you would realize that the vast majority won't do something like that.

Re:

[grantek]

I (no sarcasm) love Steam, and didn't expect a large-scale intrusion like this, but after the fun and games around the PSN intrusions, I removed my CC details from my Steam account.

It was so easy to buy games with a couple of clicks, and I do miss that, but I must admit a little smugness now over my decision...

I just hope Paypal is on top of their security, because by design they're more heavily linked into people's finance.

Re:

[X0563511]

Yep. That's called a reference transaction. Someone needs to go do some homework [pcisecuritystandards.org] before continuing to accept credit cards.

Re:

[alcourt]

PCI DSS does not prohibit storing the full payment account number (PAN) electronically, as long as it is encrypted. The note on PCI DSS 3.2.1 specifically talks about retaining the PAN in the normal course of business. PCI DSS 3.2.2 does prohibit storing the security code printed on the back, or the full magnetic track data. PCI DSS 3.4's requirement to render the PAN unreadable when stored makes it clear that storing that credit card number is permitted, if it is properly protected. The definition of p