gossamersolid

Steam Hacked... Can you trust any system these days?


Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

Source - http://forums.steampowered.com/forums/index.php

What are your opinions on this?


A couple days ago the Steam Forums were hacked. Now it is looking to be a bigger breach than suspected.

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

Source

BE ADVISED!!


If the credit card encryption remains secure - then I'm not too worried. Bit of forum hassle trying to set a new password etc, not a big deal in the scheme of things. Worse for them than it is for me.

As long as the credit card encryption remains secure. That would be a disaster for sure.


STEAM used hashed and salted and hashed again database so the chance of exploited forum account is low

and the DB used for service itself has way stronger protection so the chance is even lower

yet a change of password is not going to hurt you anyway


Only thing about all this that concerns me even slightest is the possibility of CC details being compromised.


I have my PayPal linked and just used it for SkyRim :(

Hopefully my account is safe. Hate you Haxors!!

STEAM used hashed and salted and hashed again database so the chance of exploited forum account is low

and the DB used for service itself has way stronger protection so the chance is even lower

yet a change of password is not going to hurt you anyway

Mmmm. Salted hash.

I called my credit card company to discuss the situation with them. They said that the thieves would require much more information than just the credit card number, so even if they get the numbers, it would be difficult to use them.

If you are concerned, definitely discuss your credit card's security features with your credit card company.

Edited by Max Power


Well basically I never put my CC info in my Steam account. I always want to enter it manually. But if my account got hacked and I lost access then it would get me worried as it is theft. No system is hack proof and I certainly don't get why hack groups attack game sites. There is hardly something to gain other than broken gamers.

But I trust valve and steam. They already pulled the forums down and investigate the whole situation. Besides nowadays I get multiple email with these statements from other site to change password etc etc.

Never a bad thing to change it ofc


I'm sorry guys, I didn't realize that I posted this in the TKoH general section. Could a moderator please move it to offtopic?

EDIT: I think I did actually post it in offtopic. I see that there are at least two other threads merged into this one. Maybe it got moved by accident?

Can you trust any system these days?

No, I think you cannot and never will be. There was even this scandal a few months back here in the Netherlands with a respected company that issued the security certificates for government websites. Turned out that the company was hacked a few months before and that Iranian hackers compromised part of their certificates or their algorithm (I'm no expert). Because the company kept its mouth shut these risk certificates were even used on official government websites to protect sensitive data about civilians (IRS information etc) and to secure online identities (most government things can be done here online with one single digital signature to identify yourself online).


First they came for Sony, and I didn't speak out because I wasn't a Sony customer.

Then they came for Bethesda, and I didn't speak out because I wasn't a Bethesda customer...

You know how it goes. ;)

The whole time this hacking business has been going on, I've not really cared much because it always seemed to be "somewhere else". Now they've hit Steam and quite possibly stolen my user data, along with that of millions of others, and I'm finally worried. Not to mention a little pissed off.

Fortunately I only ever used PayPal via Steam, and I use a variety of passwords for different services, but I'll be making damn sure to change all my passwords anyway. You never know.


Same for me, I thought the whole Sony thing was a bit funny.

Was at the bank earlier today doing some business and I asked about this and he said I should not worry too much but they would send me a new Visa card just to be sure.


I got the same sum in my bank account, no transactions were made or attempted since the hack and I changed my password so it should be ok.

No, I think you cannot and never will be. There was even this scandal a few months back here in the Netherlands with a respected company that issued the security certificates for government websites. Turned out that the company was hacked a few months before and that Iranian hackers compromised part of their certificates or their algorithm (I'm no expert). Because the company kept its mouth shut these risk certificates were even used on official government websites to protect sensitive data about civilians (IRS information etc) and to secure online identities (most government things can be done here online with one single digital signature to identify yourself online).

Same guy from Iran compromised Comodo CA and issued valid certificates for Gmail, Yahoo mail, ... in March this year (he can prove himself because only he owns private keys of certificates):

http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html

https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https

Here is his message from latest attack:

http://pastebin.com/1AxH30em

In the interview (first link) he supports current regime in Iran and hates Obama...

EDIT: He claims he has control of 2 other CAs... So if it's true you can't really trust https:// anymore...

Edited by batto


Hi all

A forum got hacked huh.

Bit of a non story.

Bored now. Leaving thread.

Bye

Hi all

A forum got hacked huh.

Bit of a non story.

Bored now. Leaving thread.

Bye

I think I'm going to start calling you Rorschach ;)

Edited by DMarkwick


I've never paid Steam by CC.

I buy all my games on a disc from a shop I can easily return things to.

Losing my account would be a drag, but I pretty much can hack my way into all my Steam games anyway if needs be (if I haven't already).

I expect all the credit card details will be safe.

Resetting your account password couldn't hurt.

Hi all

...

Bit of a non story.

Bored now. Leaving thread.

Bye

Oh the IRONY...


He's bitter because he didn't start this one. BTW, there are several ways to pay on the net without giving bank account infos.

Edited by ProfTournesol


Use Visa and Mastercard gift cards instead.

Banks all over North America and Europe carry them.

You don't even have to have your name or address attached to them.

