Topic: Steam Hacked. (Read 11077 times)
|
Surlyboi
Terracotta Army
Posts: 10966
eat a bag of dicks
|
Sketchy on details at the moment, but Kotaku sez Steam was hacked. This would explain why the forums have been suckful of late. Also, watch your credit cards for weird activity.
|
Tuned in, immediately get to watch cringey Ubisoft talking head offering her deepest sympathies to the families impacted by the Orlando shooting while flanked by a man in a giraffe suit and some sort of "horrifically garish neon costumes through the ages" exhibit or something. We need to stop this fucking planet right now and sort some shit out. -Kail
|
|
|
WayAbvPar
|
Ugh. Not what I wanted to see, especially while EA is trying to shove Origin down everyone's throats.
|
When speaking of the MMOG industry, the glass may be half full, but it's full of urine. HaemishM
Always wear clean underwear because you never know when a Tory Government is going to fuck you.- Ironwood
Libertarians make fun of everyone because they can't see beyond the event horizons of their own assholes Surlyboi
|
|
|
Rasix
Moderator
Posts: 15024
I am the harbinger of your doom!
|
Then I guess it's a good thing that I stopped having Steam save the CC details after I got my new card.
This will make the holiday sale a bit more annoying, but I think I'll manage.
|
-Rasix
|
|
|
Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado
|
The silver lining is that apparently Valve's security isn't as brain dead as say Sony's, and all the passwords were hashed and the credit card numbers were encrypted.
|
The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.
|
|
|
murdoc
Terracotta Army
Posts: 3037
|
Dear Steam Users and Steam Forum Users,
Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.
While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.
We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.
We will reopen the forums as soon as we can.
I am truly sorry this happened, and I apologize for the inconvenience.
Gabe.
|
Have you tried the internet? It's made out of millions of people missing the point of everything and then getting angry about it
|
|
|
Paelos
Contributor
Posts: 27075
Error 404: Title not found.
|
Well fuck.
|
CPA, CFO, Sports Fan, Game when I have the time
|
|
|
MisterNoisy
Terracotta Army
Posts: 1892
|
Crap. This is the second time this year I've had to get a new AmEx number because of my gaming habit.
|
XBL GT: Mister Noisy PSN: MisterNoisy Steam UID: MisterNoisy
|
|
|
Kail
Terracotta Army
Posts: 2858
|
Do we need to do that? I was under the impression that we should be okay unless they somehow break the encryption, which is unlikely.
|
|
|
|
Ingmar
Terracotta Army
Posts: 19280
Auto Assault Affectionado
|
I'm not changing my card unless I actually see a funky transaction, it is entirely too much of a pain in the ass and I've already changed numbers twice this year.
|
The Transcendent One: AH... THE ROGUE CONSTRUCT. Nordom: Sense of closure: imminent.
|
|
|
MisterNoisy
Terracotta Army
Posts: 1892
|
> Do we need to do that? I was under the impression that we should be okay unless they somehow break the encryption, which is unlikely.
Call it a habit. It's AmEx, so they next-day FedEx a new card to you. Gotta love their customer service.
|
XBL GT: Mister Noisy PSN: MisterNoisy Steam UID: MisterNoisy
|
|
|
UnSub
Contributor
Posts: 8064
|
This kind of thing is one of the reasons I don't trust the cloud.
|
|
|
|
Hawkbit
Terracotta Army
Posts: 5531
Like a Klansman in the ghetto.
|
The way of the future is not being hack-proof, it's having damage mitigation/recovery procedures in place. It's not a question of IF your shit will get hacked, rather WHEN it will.
Just don't ever, ever use debit cards online.
|
|
|
|
Tale
Terracotta Army
Posts: 8567
sıɥʇ ǝʞıן sʞןɐʇ
|
"Steam only has, what, 35 million users? Somebody scored big." - F-Secure CRO @Mikko Hypponen "Steam user? Worried about your account? Tip: Steam => Settings => Manage Steam Guard Account Security => Deauthorize all other computers now"
|
|
|
|
Samwise
Moderator
Posts: 19324
sentient yeast infection
|
> Just don't ever, ever use debit cards online.
Don't most debit cards have the same fraud protection that credit cards do? I know mine does (although it's moot because the one I use on Steam goes with an account that I'm about to close).
|
|
|
|
Chimpy
Terracotta Army
Posts: 10633
|
I never saved a CC with steam (I actually haven't done saved CC#s for non-subscription things for a long time now) so I am not overly concerned.
I did do the de-auth thing for the hell of it though.
|
'Reality' is the only word in the language that should always be used in quotes.
|
|
|
Hawkbit
Terracotta Army
Posts: 5531
Like a Klansman in the ghetto.
|
> > Just don't ever, ever use debit cards online.
> Don't most debit cards have the same fraud protection that credit cards do? I know mine does (although it's moot because the one I use on Steam goes with an account that I'm about to close).
They don't. With a credit card, by law you are only responsible for $50 of fraudulent activity. With a debit card, you may or may not only be responsible for $50 of fraudulent activity, but the whole time the investigation is transpiring you are out your cold, hard cash. Oh, and those checks you had written? They're all going to bounce and guess who gets to eat the fees?
Last Christmas day we got a call from the bank that three minutes prior someone used our debit card in the UK to buy some electronics. We lived in Ohio. Why it registered on their 'odd transactions' list, yet still processed, I have no idea. Luckily our bank was really good about getting the cash back to us in four days and they accepted all the bounced checks without fees. But other banks may not. I've never used the new cards online yet.
|
|
|
|
Thrawn
Terracotta Army
Posts: 3089
|
It amazes me that people exist that need to be told to watch their CC statements for suspicious charges. Why would you not take 30 seconds to look over your bill every month by default? Steam seems to be handling this really well though (so far), no Steam outage even compared to PSN being down for weeks.
|
"Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
|
|
|
Soukyan
Terracotta Army
Posts: 1995
|
> "Steam user? Worried about your account? Tip: Steam => Settings => Manage Steam Guard Account Security => Deauthorize all other computers now"
Bingo. The first thing I did followed by a new password and updated security question. Never did store CC info on Steam. Entirely too dangerous to store that anywhere online.
|
"Life is no cabaret... we're inviting you anyway." ~ Amanda Palmer
"Tree, awesome, numa numa, love triangle, internal combustion engine, mountain, walk, whiskey, peace, pascagoula" ~ Lantyssa
"Les vrais paradis sont les paradis qu'on a perdus." ~ Marcel Proust
|
|
|
Amaron
Terracotta Army
Posts: 2020
|
|
|
|
|
Kageru
Terracotta Army
Posts: 4549
|
Although storing CC details can help avoid it getting stolen by key-loggers. Remember reading one account that came out with that outcome.
Not sure how removing authorization from machines on steam helps that much. If they steal my credit card details they're probably not going to buy me games with it.
And thankfully no "plain-text data file" debacle so far.
|
Is a man not entitled to the hurf of his durf? - Simond
|
|
|
Engels
Terracotta Army
Posts: 9029
inflicts shingles.
|
You guys do realize that only the most amateur businesses would store your CC info in an unencrypted format, right? And that hacking that encrypted number would take for freakin' ever, yes? In fact, and I can't speak for Steam here, but when I worked at Amazon, the CC info wasn't even available to Amazon; the encryption was part of the CC transaction process that would be forwarded to the CC agency/bank itself; Amazon had no way of getting the raw CC number either.
|
I should get back to nature, too. You know, like going to a shop for groceries instead of the computer. Maybe a condo in the woods that doesn't even have a health club or restaurant attached. Buy a car with only two cup holders or something. -Signe
I LIKE being bounced around by Tonkors. - Lantyssa
Babies shooting themselves in the head is the state bird of West Virginia. - schild
|
|
|
Soukyan
Terracotta Army
Posts: 1995
|
> You guys do realize that only the most amateur businesses would store your CC info in an unencrypted format, right? And that hacking that encrypted number would take for freakin' ever, yes? In fact, and I can't speak for Steam here, but when I worked at Amazon, the CC info wasn't even available to Amazon; the encryption was part of the CC transaction process that would be forwarded to the CC agency/bank itself; Amazon had no way of getting the raw CC number either.
This is why Amazon's system is more secure than others.
|
"Life is no cabaret... we're inviting you anyway." ~ Amanda Palmer
"Tree, awesome, numa numa, love triangle, internal combustion engine, mountain, walk, whiskey, peace, pascagoula" ~ Lantyssa
"Les vrais paradis sont les paradis qu'on a perdus." ~ Marcel Proust
|
|
|
Amaron
Terracotta Army
Posts: 2020
|
> And that hacking that encrypted number would take for freakin' ever, yes?
The problem is the decryption info for the CC database might have also been compromised for all we know. If they are halfway competent it should be safe of course.
|
|
|
|
apocrypha
Terracotta Army
Posts: 6711
Planes? Shit, I'm terrified to get in my car now!
|
OK, I'm fed up with this shit. Time to make the switch to some kind of password management system so that I can use a different password for every single site and app and thus when something gets hacked I only have to worry about that one site.
Is KeePass good? Anyone here use it? Do I need the "Professional" version (2.x) or is the "Classic" version (1.x) sufficient?
|
"Bourgeois society stands at the crossroads, either transition to socialism or regression into barbarism" - Rosa Luxemburg, 1915.
|
|
|
Tebonas
Terracotta Army
Posts: 6365
|
I use 1Password since shortly after the Sony Case (I have to thank my ages old Everquest account for that).
I had to buy it, but it has clients for Windows, Linux and iOS which synch with each other.
I tried Keepass (1.x) and it worked well enough so that I wouldn't have replaced it if I had a single OS and wasn't a lazy fuck.
|
|
|
|
Baldrake
Terracotta Army
Posts: 636
|
LastPass works well and is free.
|
|
|
|
Ironwood
Terracotta Army
Posts: 28240
|
> This kind of thing is one of the reasons I don't trust the cloud.

|
"Mr Soft Owl has Seen Some Shit." - Sun Tzu
|
|
|
DraconianOne
Terracotta Army
Posts: 2905
|
I can't see a way to find out what CC info Steam may have stored? Anyone know how to find this out and clear it? (Not that I think any CCs of mine that might be stored are currently valid but I want to check anyway)
|
A point can be MOOT. MUTE is more along the lines of what you should be. - WayAbvPar
|
|
|
Ironwood
Terracotta Army
Posts: 28240
|
Wait, you can't change your password from the Web Login ?
That's annoying.
|
"Mr Soft Owl has Seen Some Shit." - Sun Tzu
|
|
|
Thrawn
Terracotta Army
Posts: 3089
|
> Is KeePass good? Anyone here use it? Do I need the "Professional" version (2.x) or is the "Classic" version (1.x) sufficient?
I've used Keepass + Dropbox for a while now and really like it, couldn't speak to 2.x vs 1.x though. Used Lastpass for a while but quit trusting them after they had their own security problems.
|
"Sometimes I think the surest sign that intelligent life exists elsewhere in the Universe is that none of it has tried to contact us."
|
|
|
01101010
Terracotta Army
Posts: 12007
You call it an accident. I call it justice.
|
> Wait, you can't change your password from the Web Login ?
> That's annoying.
It gets worse if you have been auto-logging into Steam and now can't recall which of the 700 passwords you used. There is no easy reset password link. I am going to have to wrestle with customer service again.
|
Does any one know where the love of God goes...When the waves turn the minutes to hours? -G. Lightfoot
|
|
|
Fordel
Terracotta Army
Posts: 8306
|
> > Wait, you can't change your password from the Web Login ?
> > That's annoying.
> It gets worse if you have been auto-logging into Steam and now can't recall which of the 700 passwords you used. There is no easy reset password link. I am going to have to wrestle with customer service again.
For what it's worth, I had forgotten my steam password awhile ago and had them reset it by the next day. Of course I didn't do this during a big security breach problem... so good luck?
|
and the gate is like I TOO AM CAPABLE OF SPEECH
|
|
|
Xuri
Terracotta Army
Posts: 1199
몇살이세욬ㅋ 몇살이 몇살 몇살이세욬ㅋ!!!!!1!
|
Anyone have any experience with http://passwordmaker.org ? I guess it's time to upgrade from my "1 password for important stuff, 1 password for less important stuff, 1 password for regular stuff and 1 throwaway password" to something more secure, and I'm not sure how to go about doing just that.
|
-= Ho Eyo He Hum =-
|
|
|
Kageru
Terracotta Army
Posts: 4549
|
Passwords in a text file protected with bcrypt or PGP works for me.
> I can't see a way to find out what CC info Steam may have stored? Anyone know how to find this out and clear it? (Not that I think any CCs of mine that might be stored are currently valid but I want to check anyway)
You could always just do an order up to the payment page and see what info it presents.
|
Is a man not entitled to the hurf of his durf? - Simond
|
|
|
Zetor
Terracotta Army
Posts: 3269
|
At my workplace (IT security evaluation lab, so paranoia level is over 9000) we use KeePass with randomly-generated 16+char passwords; the KeePass databases themselves are stored on encrypted USB sticks. Personally I think using KeePass by itself with unique ~16-char mixed-case alphanum/special character passwords is good enough. As an aside, this comic is cute, but it's not actually true in practice -- such passphrases are only strong if they're 20+ characters and 4+ words long, and most places on teh intarweb silently truncate your passwords at 12~14 characters, which can lead to a nasty surprise if you're using lowercase dictionary words for your passphrase. Using a long passphrase for KeePass or your encrypted USB stick is a good idea, though.
|
|
|
|
|
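The truncation effect Zetor describes above, as an added example that is not part of the thread: it compares the entropy of a lowercase word passphrase as chosen with the entropy of what a site actually keeps after silently cutting it to 12 characters. The 16-word list, the 12-character limit and the 94-symbol alphabet are assumptions made for the demo.

```python
import math
from collections import Counter
from itertools import product

# Constructed 16-word list (assumption for this demo). Real passphrase
# word lists hold thousands of words; that scales the numbers, not the effect.
WORDS = ["correct", "horse", "battery", "staple", "orbit", "maple",
         "tunnel", "copper", "lantern", "violet", "harbor", "pebble",
         "cactus", "window", "meadow", "anchor"]


def passphrase_bits(n_words, list_size):
    """Entropy in bits when every word is picked uniformly at random."""
    return n_words * math.log2(list_size)


def random_password_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random character password."""
    return length * math.log2(alphabet_size)


def stored_bits(words, n_words, limit, sep=" "):
    """Shannon entropy of the passphrase after only `limit` chars are kept.

    Enumerates every possible passphrase, truncates it the way the site
    would, and measures the distribution over the surviving prefixes.
    """
    prefixes = Counter(sep.join(combo)[:limit]
                       for combo in product(words, repeat=n_words))
    total = len(words) ** n_words
    return -sum(c / total * math.log2(c / total) for c in prefixes.values())


def report(limit=12):
    """Collect the three figures worth comparing side by side."""
    return {
        "4 words as chosen": passphrase_bits(4, len(WORDS)),
        f"4 words after truncation to {limit}": stored_bits(WORDS, 4, limit),
        "16 random chars from 94 symbols": random_password_bits(16, 94),
    }


if __name__ == "__main__":
    for label, bits in report().items():
        print(f"{label:38s} {bits:6.1f} bits")
```

With this list the third and fourth words never reach the stored prefix, so at least half of the passphrase's entropy is discarded before it is ever hashed.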