Steam hacking went beyond the forums

_PixelNinja

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

Source.
 
changed my password...thank god I removed my CC info a few months ago. my primary funding is done via PayPal now...
 
changed my password...thank god I removed my CC info a few months ago. my primary funding is done via PayPal now...

i'd still keep an eye on your credit cards. who knows what past payment forms were stored in their database.
 
But, isn't that steam guard shit still up and running..

So even if they have someone's pass, won't they need to login into said person's email to get the code..

YEAH! Steam!!!
 
It's not about just your password, they have your personal info too. That sets you up for possible ID theft. It says they stole the user database, they don't need your password to steal your ID.
 
It's not about just your password, they have your personal info too. That sets you up for possible ID theft. It says they stole the user database, they don't need your password to steal your ID.

I guess this will be the second time this year...and believe me the last...where I may as well go ahead and cancel the CC, pay $20 to overnight the new one, and put a 90 day watch on my credit report again.

Wonderful. :rolleyes:
 
ya, pulled my info out and use paypal only now. there were too many incidents of people complaining their accts got hacked, hats were bought then resold for cash, transactions reversed, account locked out. Steam eventually got on the ball with steamguard, but I don't see any reason to put cc info back in there.
 
I haven't had a CC attached to steam in many many months. So I should be good, right? I'll still watch the accounts but I think you shouldn't have much to worry about. Steam Guard should protect you in most cases.
 
I haven't had a CC attached to steam in many many months. So I should be good, right? I'll still watch the accounts but I think you shouldn't have much to worry about. Steam Guard should protect you in most cases.

Yeah, but for grins you may want to change your password and that sort of thing.
 
but you won't see the backlash to steam that sony got for not protecting its users' data :rolleyes:

password_strength.png
 
U CANT CHANGE PASSWORD ON STEAM WEBSITE FUCK!!!

Got to do it through Steam itself. Right there in settings. I did it last night with no issues.

I changed everything. Email, password, secret question. Next is me hitting the kill button on my CC if I get a bad feeling although several people explained to me the encryption security differences and such.

In other words, this wasn't a bunch of easy text files that got ripped a la Sony.
 
but you won't see the backlash to steam that sony got for not protecting its users' data :rolleyes:

password_strength.png
That's not quite true (I'd say they're both on par), using words in a dictionary is bad practice full stop (English has a set number of patterns e.g. at least 1 vowel in each word). At least throw in some mixed case and symbols to make it exponentially more complex and not just replacing (a to @, A to 4 and s to 5 etc).

I reckon someone at valve installed origin...
 
Gabe has written via e-mail that the CC# were encrypted in 256bit AES. He also wrote that Valve will be handing out 'some free copies of DoTA2 and Portal 2' (I posted the screenshot in the other thread from the Front Page News section).
 
That's not quite true (I'd say they're both on par), using words in a dictionary is bad practice full stop (English has a set number of patterns e.g. at least 1 vowel in each word). At least throw in some mixed case and symbols to make it exponentially more complex and not just replacing (a to @, A to 4 and s to 5 etc).

I reckon someone at valve installed origin...

Using words from a dictionary is bad if it's a one word password, that is vulnerable to a dictionary attack. A four word passphrase still has to be guessed with all four being right at once all while any automatic lockout policies are preventing mass amounts of combinations from being tried anyway. Especially if all four words are unrelated like the xkcd example...it's not that unsecure.
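
Added example, not part of any post in this thread: the arithmetic behind the passphrase discussion above, plus a generator that picks the words with a CSPRNG. The 2048-word list size, the 28-bit estimate for a mangled single word and the 1,000 guesses per second rate are the figures from the xkcd comic the posters refer to; the sample word list and the offline rate are assumptions.

```python
import math
import secrets

# Constructed sample list for the demo. A usable list needs thousands of
# words (2048 words gives the 11 bits per word that the comic assumes).
SAMPLE_WORDS = [
    "anchor", "breeze", "copper", "dagger", "ember", "fossil", "garnet", "harbor",
    "icicle", "jungle", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]

MANGLED_WORD_BITS = 28    # comic's estimate: uncommon word + case, substitutions, digit, symbol
ONLINE_RATE = 1_000       # guesses/second against a live login (comic's figure)
OFFLINE_RATE = 1e9        # assumption: guesses/second against a stolen fast-hash database


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy in bits when each word is drawn uniformly and independently."""
    if list_size < 2 or n_words < 1:
        raise ValueError("need a list of at least 2 words and at least 1 word drawn")
    return n_words * math.log2(list_size)


def generate(wordlist, n_words: int = 4):
    """Draw words with the OS CSPRNG; words a person picks do not reach this entropy."""
    unique = sorted(set(wordlist))  # duplicates would overstate the list size
    phrase = " ".join(secrets.choice(unique) for _ in range(n_words))
    return phrase, passphrase_bits(len(unique), n_words)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate; the average hit comes at half of this."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    four_words = passphrase_bits(2048, 4)
    for label, bits in (("mangled word", MANGLED_WORD_BITS), ("four random words", four_words)):
        print(f"{label:18} {bits:4.0f} bits  "
              f"online {years_to_exhaust(bits, ONLINE_RATE):10.3f} y  "
              f"offline {years_to_exhaust(bits, OFFLINE_RATE):.2e} y")
    phrase, bits = generate(SAMPLE_WORDS)
    print(f"sample from the 16-word demo list: {phrase!r} ({bits:.0f} bits)")
```

Lockout and rate limiting only bound the online figure; once a password database has been copied, the offline figure applies and depends on how slow the hash is.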
 
Changed my email/password. I hope that's the only inconvenience I have to deal with.
 
Changed my email/password. I hope that's the only inconvenience I have to deal with.

Same here. I feel more confident here thanks to German Muscle, mas, and some others explaining to me exactly what went on here.
 
Changed my password and cancelled the credit card number. New one in 2 days, so no big inconvenience. Sucks though.
 
I guess this will be the second time this year...and believe me the last...where I may as well go ahead and cancel the CC, pay $20 to overnight the new one, and put a 90 day watch on my credit report again.

Wonderful. :rolleyes:

Yep, second time this year for me too. No more CC info for Steam now either.
 
I had the bank call today about a suspicious charge...





They flagged my indie royale purchase hurr
 
why no authentication usb key service yet?

People can have thousands of dollars of games on their steam accs but they are only protected by a simple password. Great.
 
I'm betting Valve will be giving all the steam users a "cookie" on Steam after all this is fixed (I am guessing).

Maybe a free game on everyone's Steam account? :D
 
why no authentication usb key service yet?

People can have thousands of dollars of games on their steam accs but they are only protected by a simple password. Great.

THIS. And they could make a killing by selling them!
Shoot, I'd buy it.
 