f13.net

f13.net General Forums => Steam => Topic started by: Surlyboi on November 10, 2011, 02:38:29 PM



Title: Steam Hacked.
Post by: Surlyboi on November 10, 2011, 02:38:29 PM
Sketchy on details at the moment, but Kotaku sez Steam was hacked. (http://kotaku.com/5858473/steam-hacked-valve-investigating-possible-credit-card-theft) This would explain why the forums have been suckful of late. Also, watch your credit cards for weird activity.


Title: Re: Steam Hacked.
Post by: WayAbvPar on November 10, 2011, 02:41:40 PM
Ugh. Not what I wanted to see, especially while EA is trying to shove Origin down everyone's throats.


Title: Re: Steam Hacked.
Post by: Rasix on November 10, 2011, 02:43:22 PM
Then I guess it's a good thing that I stopped having Steam save the CC details after I got my new card.   

This will make the holiday sale a bit more annoying, but I think I'll manage.


Title: Re: Steam Hacked.
Post by: Ingmar on November 10, 2011, 02:52:15 PM
The silver lining is that apparently Valve's security isn't as brain dead as say Sony's, and all the passwords were hashed and the credit card numbers were encrypted.


Title: Re: Steam Hacked.
Post by: murdoc on November 10, 2011, 03:34:19 PM
Quote
Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.



Title: Re: Steam Hacked.
Post by: Paelos on November 10, 2011, 03:47:57 PM
Well fuck.


Title: Re: Steam Hacked.
Post by: MisterNoisy on November 10, 2011, 04:36:49 PM
Crap.  This is the second time this year I've had to get a new AmEx number because of my gaming habit.


Title: Re: Steam Hacked.
Post by: Kail on November 10, 2011, 05:03:07 PM
Do we need to do that?  I was under the impression that we should be okay unless they somehow break the encryption, which is unlikely.


Title: Re: Steam Hacked.
Post by: Ingmar on November 10, 2011, 05:04:10 PM
I'm not changing my card unless I actually see a funky transaction, it is entirely too much of a pain in the ass and I've already changed numbers twice this year.


Title: Re: Steam Hacked.
Post by: MisterNoisy on November 10, 2011, 05:07:27 PM
Quote from: Kail
Do we need to do that?  I was under the impression that we should be okay unless they somehow break the encryption, which is unlikely.

Call it a habit.  It's AmEx, so they next-day FedEx a new card to you.  Gotta love their customer service.


Title: Re: Steam Hacked.
Post by: UnSub on November 10, 2011, 05:35:12 PM
This kind of thing is one of the reasons I don't trust the cloud.


Title: Re: Steam Hacked.
Post by: Hawkbit on November 10, 2011, 05:41:02 PM
The way of the future is not being hack-proof, it's having damage mitigation/recovery procedures in place.  It's not a question of IF your shit will get hacked, rather WHEN it will. 

Just don't ever, ever use debit cards online. 


Title: Re: Steam Hacked.
Post by: Tale on November 10, 2011, 06:48:40 PM
"Steam only has, what, 35 million users? Somebody scored big."
- F-Secure CRO @Mikko (http://twitter.com/mikko) Hypponen

"Steam user? Worried about your account? Tip: Steam => Settings => Manage Steam Guard Account Security => Deauthorize all other computers now"


Title: Re: Steam Hacked.
Post by: Samwise on November 10, 2011, 07:16:42 PM
Quote from: Hawkbit
Just don't ever, ever use debit cards online.

Don't most debit cards have the same fraud protection that credit cards do?  I know mine does (although it's moot because the one I use on Steam goes with an account that I'm about to close).


Title: Re: Steam Hacked.
Post by: Chimpy on November 10, 2011, 07:20:53 PM
I never saved a CC with steam (I actually haven't done saved CC#s for non-subscription things for a long time now) so I am not overly concerned.

I did do the de-auth thing for the hell of it though.


Title: Re: Steam Hacked.
Post by: Hawkbit on November 10, 2011, 07:29:23 PM
Quote from: Hawkbit
Just don't ever, ever use debit cards online.

Quote from: Samwise
Don't most debit cards have the same fraud protection that credit cards do?  I know mine does (although it's moot because the one I use on Steam goes with an account that I'm about to close).

They don't.  With a credit card, by law you are only responsible for $50 of fraudulent activity. 

With a debit card, you may or may not only be responsible for $50 of fraudulent activity, but the whole time the investigation is transpiring you are out your cold, hard cash.  Oh, and those checks you had written?  They're all going to bounce and guess who gets to eat the fees?

Last Christmas day we got a call from the bank that three minutes prior someone used our debit card in the UK to buy some electronics.  We lived in Ohio.  Why it registered on their 'odd transactions' list, yet still processed, I have no idea.  Luckily our bank was really good about getting the cash back to us in four days and they accepted all the bounced checks without fees.  But other banks may not.

I've never used the new cards online yet.


Title: Re: Steam Hacked.
Post by: Thrawn on November 10, 2011, 07:34:23 PM
It amazes me that people exist that need to be told to watch their CC statements for suspicious charges.  Why would you not take 30 seconds to look over your bill every month by default?  :uhrr:

Steam seems to be handling this really well though (so far), no Steam outage even compared to PSN being down for weeks.


Title: Re: Steam Hacked.
Post by: Soukyan on November 10, 2011, 07:40:45 PM
Quote from: Tale
"Steam user? Worried about your account? Tip: Steam => Settings => Manage Steam Guard Account Security => Deauthorize all other computers now"

Bingo. The first thing I did followed by a new password and updated security question. Never did store CC info on Steam. Entirely too dangerous to store that anywhere online.


Title: Re: Steam Hacked.
Post by: Amaron on November 10, 2011, 07:41:17 PM
 :oh_i_see:


Title: Re: Steam Hacked.
Post by: Kageru on November 10, 2011, 08:13:33 PM

Although storing CC details can help avoid it getting stolen by key-loggers. Remember reading one account that came out with that outcome.

Not sure how removing authorization from machines on steam helps that much. If they steal my credit card details they're probably not going to buy me games with it.

And thankfully no "plain-text data file" debacle so far.


Title: Re: Steam Hacked.
Post by: Engels on November 10, 2011, 08:14:39 PM
You guys do realize that only the most amateur businesses would store your CC info in an unencrypted format, right? And that hacking that encrypted number would take for freakin' ever, yes? In fact, and I can't speak for Steam here, but when I worked at Amazon, the CC info wasn't even available to Amazon; the encryption was part of the CC transaction process that would be forwarded to the CC agency/bank itself; Amazon had no way of getting the raw CC number either.


Title: Re: Steam Hacked.
Post by: Soukyan on November 10, 2011, 08:49:14 PM
Quote from: Engels
You guys do realize that only the most amateur businesses would store your CC info in an unencrypted format, right? And that hacking that encrypted number would take for freakin' ever, yes? In fact, and I can't speak for Steam here, but when I worked at Amazon, the CC info wasn't even available to Amazon; the encryption was part of the CC transaction process that would be forwarded to the CC agency/bank itself; Amazon had no way of getting the raw CC number either.

This is why Amazon's system is more secure than others.


Title: Re: Steam Hacked.
Post by: Amaron on November 10, 2011, 09:38:25 PM
Quote from: Engels
And that hacking that encrypted number would take for freakin' ever, yes?

The problem is the decryption info for the CC database might have also been compromised for all we know.  If they are halfway competent it should be safe of course.


Title: Re: Steam Hacked.
Post by: apocrypha on November 11, 2011, 12:46:52 AM
OK, I'm fed up with this shit. Time to make the switch to some kind of password management system so that I can use a different password for every single site and app and thus when something gets hacked I only have to worry about that one site.

Is KeePass good? Anyone here use it? Do I need the "Professional" version (2.x) or is the "Classic" version (1.x) sufficient?


Title: Re: Steam Hacked.
Post by: Tebonas on November 11, 2011, 01:17:36 AM
I use 1Password since shortly after the Sony Case (I have to thank my ages old Everquest account for that).

I had to buy it, but it has clients for Windows, Linux and iOS which synch with each other.

I tried Keepass (1.x) and it worked well enough so that I wouldn't have replaced it if I had a single OS and wasn't a lazy fuck.


Title: Re: Steam Hacked.
Post by: Baldrake on November 11, 2011, 01:42:58 AM
LastPass works well and is free.


Title: Re: Steam Hacked.
Post by: Ironwood on November 11, 2011, 01:45:48 AM
Quote from: UnSub
This kind of thing is one of the reasons I don't trust the cloud.

 :uhrr:


Title: Re: Steam Hacked.
Post by: DraconianOne on November 11, 2011, 01:47:13 AM
I can't see a way to find out what CC info Steam may have stored?  Anyone know how to find this out and clear it? (Not that I think any CCs of mine that might be stored are currently valid but I want to check anyway)


Title: Re: Steam Hacked.
Post by: Ironwood on November 11, 2011, 02:04:01 AM
Wait, you can't change your password from the Web Login ?

That's annoying.


Title: Re: Steam Hacked.
Post by: Thrawn on November 11, 2011, 04:42:26 AM
Quote from: apocrypha
Is KeePass good? Anyone here use it? Do I need the "Professional" version (2.x) or is the "Classic" version (1.x) sufficient?

I've used Keepass + Dropbox for a while now and really like it, couldn't speak to 2.x vs 1.x though.  Used Lastpass for a while but quit trusting them after they had their own security problems.


Title: Re: Steam Hacked.
Post by: 01101010 on November 11, 2011, 04:46:44 AM
Quote from: Ironwood
Wait, you can't change your password from the Web Login ?

That's annoying.


It gets worse if you have been auto-logging into Steam and now can't recall which of the 700 passwords you used. There is no easy reset password link. I am going to have to wrestle with customer service again.  :uhrr:


Title: Re: Steam Hacked.
Post by: Fordel on November 11, 2011, 01:42:36 PM
Quote from: Ironwood
Wait, you can't change your password from the Web Login ?

That's annoying.

Quote from: 01101010
It gets worse if you have been auto-logging into Steam and now can't recall which of the 700 passwords you used. There is no easy reset password link. I am going to have to wrestle with customer service again.  :uhrr:


For what it's worth, I had forgotten my steam password awhile ago and had them reset it by the next day. Of course I didn't do this during a big security breach problem... so good luck?


Title: Re: Steam Hacked.
Post by: Xuri on November 11, 2011, 04:12:12 PM
Anyone have any experience with http://passwordmaker.org ? I guess it's time to upgrade from my "1 password for important stuff, 1 password for less important stuff, 1 password for regular stuff and 1 throwaway password" to something more secure, and I'm not sure how to go about doing just that.


Title: Re: Steam Hacked.
Post by: Kageru on November 11, 2011, 05:45:21 PM

Passwords in a text file protected with bcrypt or PGP works for me.

Quote from: DraconianOne
I can't see a way to find out what CC info Steam may have stored?  Anyone know how to find this out and clear it? (Not that I think any CCs of mine that might be stored are currently valid but I want to check anyway)

You could always just do an order up to the payment page and see what info it presents.


Title: Re: Steam Hacked.
Post by: Zetor on November 11, 2011, 09:32:55 PM
At my workplace (IT security evaluation lab, so paranoia level is over 9000) we use KeePass with randomly-generated 16+char passwords; the KeePass databases themselves are stored on encrypted USB sticks. Personally I think using KeePass by itself with unique ~16-char mixed-case alphanum/special character passwords is good enough.

As an aside, this comic (http://xkcd.com/936/) is cute, but it's not actually true in practice -- such passphrases are only strong if they're 20+ characters and 4+ words long, and most places on teh intarweb silently truncate your passwords at 12~14 characters, which can lead to a nasty surprise if you're using lowercase dictionary words for your passphrase. Using a long passphrase for KeePass or your encrypted USB stick is a good idea, though.
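
Added example, not part of Zetor's post or of the original thread: a Python sketch of the silent-truncation problem the post above describes, for checking your own accounts and for seeing what a cut-off does to passphrase strength. The 12-character cut-off, the 2048-word list (11 bits per word, the comic's figure), and the TruncatingSite class are assumptions constructed for illustration; the bit counts are upper-bound estimates.

```python
import hashlib, hmac, math, os

TRUNCATE_AT = 12      # assumption: low end of the 12~14 range in the post
WORDLIST_SIZE = 2048  # assumption: 11 bits per word, as in the xkcd comic
PRINTABLE = 94        # printable ASCII symbols for a random password


class TruncatingSite:
    """Constructed stand-in for a site that silently cuts passwords short."""
    def __init__(self, limit=TRUNCATE_AT):
        self.limit = limit
        self.salt = os.urandom(16)
        self.stored = None

    def _hash(self, password):
        kept = password[: self.limit].encode()  # the silent truncation
        return hashlib.pbkdf2_hmac("sha256", kept, self.salt, 100_000)

    def register(self, password):
        self.stored = self._hash(password)

    def login(self, password):
        return hmac.compare_digest(self.stored, self._hash(password))


def truncates(site, password):
    """Self-check on your own account: does a changed last character still log in?"""
    site.register(password)
    tail = "x" if password[-1] != "x" else "y"
    return site.login(password[:-1] + tail)


def passphrase_bits(words, limit=None):
    """Upper bound for randomly chosen lowercase words joined without separators."""
    per_word = math.log2(WORDLIST_SIZE)
    bits, used = 0.0, 0
    for word in words:
        kept = len(word) if limit is None else min(len(word), limit - used)
        if kept <= 0:
            break
        # A cut-off word is worth at most its surviving letters.
        bits += per_word if kept == len(word) else min(per_word, kept * math.log2(26))
        used += kept
    return bits


def random_bits(length, limit=None):
    return (length if limit is None else min(length, limit)) * math.log2(PRINTABLE)


if __name__ == "__main__":
    words = ["correct", "horse", "battery", "staple"]  # constructed sample
    print(truncates(TruncatingSite(), "".join(words)),
          passphrase_bits(words), passphrase_bits(words, TRUNCATE_AT))
```

On the constructed input, the four-word passphrase falls from 44 bits to 22 bits once cut at 12 characters, while a random 16-character printable password cut the same way keeps about 78 bits.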


Title: Re: Steam Hacked.
Post by: apocrypha on November 11, 2011, 11:47:45 PM
Quote from: Thrawn
I've used Keepass + Dropbox for a while now and really like it

How are you using Dropbox with KeePass? Do you store the key database on it?

I've installed KeePass, now I just need to motivate myself to spend the time setting it up with the 100s of websites and apps that need passwords.  :oh_i_see:


Title: Re: Steam Hacked.
Post by: Thrawn on November 12, 2011, 05:10:55 AM

Quote from: apocrypha
How are you using Dropbox with KeePass? Do you store the key database on it?

I've installed KeePass, now I just need to motivate myself to spend the time setting it up with the 100s of websites and apps that need passwords.  :oh_i_see:

Yeah, that's all I meant.  So any computer I have my Dropbox on I have access to my updated KeePass stuff.


Title: Re: Steam Hacked.
Post by: Merusk on November 12, 2011, 06:52:30 AM
Quote from: Engels
You guys do realize that only the most amateur businesses would store your CC info in an unencrypted format, right?

What, like Sony?

There's been too many in the last year and it's only going to get more lucrative, not less. Not storing your CC info with a company is a reasonable precaution. Not to mention having it there for "one click access" is only to the company's advantage so you don't think about those impulse purchases.


Title: Re: Steam Hacked.
Post by: Sophismata on November 12, 2011, 01:50:32 PM
It still puzzles me that people go spastic over their credit card numbers, when the personally identifying information (in particular, email + password) actually allows an aggressor to commit fraud on a much larger scale. Also, remember that the vast majority of people use the same password for everything.

But nope, it's always credit card numbers that everyone worries about.


Title: Re: Steam Hacked.
Post by: NiX on November 15, 2011, 09:19:51 AM
Quote from: Sophismata
It still puzzles me that people go spastic over their credit card numbers, when the personally identifying information (in particular, email + password) actually allows an aggressor to commit fraud on a much larger scale. Also, remember that the vast majority of people use the same password for everything.

But nope, it's always credit card numbers that everyone worries about.

Yeah, it boggles my mind. I think it's because people tie way too much stuff to their credit card and rely heavily on their credit being available all the time.

I have a system of using the same password for websites that don't have any payment info associated with them (gamespot or the like) and anything important (Email, f13...etc) or holding payment information I use KeePass for.

Working out well for me so far. Not to mention both my bank and credit card company are OCD about fraud. I get a call at least once a month regarding transactions, even some that are fairly common for me. It can be annoying, but at least I know they're constantly looking out for me.


Title: Re: Steam Hacked.
Post by: Torinak on February 11, 2012, 02:00:37 PM
Turns out that encrypted credit card info was stolen during the breach, according to an announcement earlier today:

Quote
Dear Steam Users and Steam Forum Users

We continue our investigation of last year's intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

Gabe

On the plus side, every CC I had in that time period has long since been replaced, due to data leaks at other companies and merchants.  :uhrr:


Title: Re: Steam Hacked.
Post by: Paelos on February 11, 2012, 05:51:05 PM
Haha same with mine. Go figure.


Title: Re: Steam Hacked.
Post by: Rendakor on February 11, 2012, 09:31:31 PM
Same here, and I've even moved since then so no harm, no foul.