OH FOOOK! Steam has been hacked.

kearneybobs

This is not looking good. Kotaku is reporting that Steam has been hack with Valve looking into the possibility that credit card data has also been taken.
http://kotaku.com/5858473/steam-hacked-valve-investigating-possible-credit-card-theft

Steam Hacked, Valve Investigating Possible Credit Card Theft

A message sent just now from Valve Corporation head Gabe Newell says credit card numbers and other personal information were inside a database compromised during a defacement attack on the Steam forums this Sunday.
Valve is advising all of its Steam customers to keep close eye on their credit card activity, as those numbers were inside a database the hackers penetrated during the larger attack, Newell wrote. The Steam Forums are currently closed. Steam itself is operating.
"We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating," Newell wrote. "We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."
The database exposed during the attack "contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information," Newell said in the statement.
The Steam Forums are currently offline as Valve continues its investigation and recovers from the attack. When the forums return, all users will be required to change their passwords. Users who used the same password on the Steam Forums as they did on other sites are advised to change those passwords as well.
"We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password." Newell wrote.
"I am truly sorry this happened, and I apologize for the inconvenience," he said.

Valve Press Release:

Dear Steam Users and Steam Forum Users,

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.
While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn't be a bad idea to change that as well, especially if it is the same as your Steam forum account password.
We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.
Gabe.

Sarky

F*ck yeah 3V cards.

B0X

Well... hopefully nothing comes of it and they give us some free games. Better keep an eye on the card though.

DarkJager

Sickener for those affected, but this doesn't paint a very pretty picture for services like steam and origin. Download off these and you have your personal details and cc details stored online where they can be accessed. You buy a physical copy in a shop and all that changes hands is a bank note.

Sierra Oscar

Statement up on the Steam Forums - http://forums.steampowered.com/forums/index.php

Mantel

If the majority of people use steam guard then the impact will be low.

If you don't have steam guard on and you have the same password for your email account... You have yourself to blame. Some peoples steam accounts have more worth in them than their bank accounts.

cherryghost

FFS. And why wasn't this mentioned days ago when instead some people's credit card details have been sitting idly be in the possible hands of a hacker.

Sick of this ****.

Headshot

Newbie question

If iv bought stuff on steam with my credit card, do steam save that information?

titan18

Headshot wrote: »

Newbie question

If iv bought stuff on steam with my credit card, do steam save that information?

There's a checkbox asking you do you want to save credit card information. It's set to off as default I think

Headshot

titan18 wrote: »

There's a checkbox asking you do you want to save credit card information. It's set to off as default I think

Thanks titan, its along time since I used steam so couldnt remember the ins and out of it

Yap im 90% sure i didnt save the information, is there away to know for certain?

titan18

Headshot wrote: »

Thanks titan, its along time since I used steam so couldnt remember the ins and out of it

Yap im 90% sure i didnt save the information, is there away to know for certain?

Try to buy something, you won't need to enter in your credit card details when you do.Don't know of any other way.

kearneybobs

titan18 wrote: »

There's a checkbox asking you do you want to save credit card information. It's set to off as default I think

Damn, I just ticked that box the other day . :mad::(

Mantel

Headshot wrote: »

Thanks titan, its along time since I used steam so couldnt remember the ins and out of it

Yap im 90% sure i didnt save the information, is there away to know for certain?

Add a game to your cart and go through the purchase process, you'll see

Payment method:
Visa ending in

If you have a card stored along with a link to change it. Not sure how to remove it fully.

titan18

kearneybobs wrote: »

Damn, I just ticked that box the other day . :mad::(

Happened last weekend so should be ok if it was this week

Headshot

titan18 wrote: »

Try to buy something, you won't need to enter in your credit card details when you do.Don't know of any other way.

nice one

Thanks Titan

kearneybobs

titan18 wrote: »

Happened last weekend so should be ok if it was this week

Nah, it was about two weeks ago. Oh well, suppose I just gotta play the waiting game.

ressem

If you open the steam client, in the top right of the window it'll have "your username's account" as a hyperlink.

Click on it.
On the next screen, on the right of the screen under the 'Your Steam Account' panel, it'll list the last 4 digits of your credit card if it's set to store the payment details.
You can remove the card from here.

titan18

When you open up Steam,next to the minimise button, it should say your account name, credit card info appears in there to delete if it's saved. Also has store transactions and steam wallet funds so can check if anything bad is happening

As above with ressem

Gummy Panda

I always used paypal. Phew!!

Sierra Oscar

The information from the Steam Forums itself should be safe as the passwords are salted and hashed - still waiting for information on how secure the other information was. Obviously you should change your passwords as a precaution though.

super_furry

I demand free hats as compensation!

Sierra Oscar

super_furry wrote: »

I demand free hats as compensation!

I can imagine it now - "I survived the great hacking of 2011".

kearneybobs

Sierra Oscar wrote: »

I can imagine it now - "I survived the great hacking of 2011" and all I got was this awesome hat!

fyp

Moon54

First Sony and now this,
they're obviously not taking security as seriously as their bottom line,
but they should!

Overheal

Moon54 wrote: »

First Sony and now this,

Theres a big difference between the level of security Steam had in place and what the PSN had in place. The PSN security was patently antiquated. You need to route through your email account just to update your password. that is security. Nobody can get your steam password and run off with the account.

It's a delusion to think Steam doesn't take security seriously because it was hacked. The loss of the user tables hasn't actually compromised most accounts. If you setup Steamguard correctly and don't use a single password, this will affect you minimally. In addition even in the boards.ie hack it was still a considerable amount of time (a couple days) before people reported the first 'hackings' implying it took time for the tables to be decrypted. And I will wager, Steam being billionaires and all, have a much more complicated level of encryption on the tables. but all the same you and I have plenty of time to change our steam passwords and report our card numbers as stolen. Im not too worried.

As it stands, the Passwords I have on my steam account and steam forum were seperate, my card is indeed stored on there but I'm not too worried about it. Not sure about Ireland but in the US banks are technically liable for reimbursing you for fraudulent charges.

...And they didn't take my 3 sitting gift games, so they havent been here :pac:

Icyseanfitz

and this is why i use paypal with everything

String

titan18 wrote: »

There's a checkbox asking you do you want to save credit card information. It's set to off as default I think

That is just for the users convenience and lets steam remember the details for you. If you bought through steam with a credit card in the past then it has been compromised as it is stored within a database, although they said it is encrypted but that doesnt mean its secure.

Tyrant^

You'd think all these corporations and governments being hit by hackers would collaborate and come up with with a solution by now !

Doctor_Socks

Tyrant^ wrote: »

You'd think all these corporations and governments being hit by hackers would collaborate and come up with with a solution by now !

The amount of research that's going on in the area of encryption is phenomenal! The reason so many things are able to be hacked so much faster now is due to graphics cards becoming so much cheaper in the last few years and you can accelerate decryption algorithms by a enormous factor on a GPU as opposed to a standard CPU.

Is there any other way to change your password rather then having to go through steam? I'm in college for the day and steam access is blocked by the college firewall so no way of accessing it until after 6. I know that there's pretty much no chance that i'm affected by this but i'd still like to change a few things on my account to feel secure.

SeantheMan

So much steam bashing.
Everyone and everysite is open to hacking, there is nothing or noone that is really immune whilst online .

I still love steam , their service and they are still the best thibg to happen to pc gaming in the last 5 years. I'll contact my credit card company later and tell them about the situation

First world problems eh ?

Stev_o

After all the talk about Steam being unhackable and oh look it gets hacked. Come on Gabe you should of known that the best defence is not proclaiming that you can hack our system.

witnessmenow

Doctor_Socks wrote: »

The amount of research that's going on in the area of encryption is phenomenal! The reason so many things are able to be hacked so much faster now is due to graphics cards becoming so much cheaper in the last few years and you can accelerate decryption algorithms by a enormous factor on a GPU as opposed to a standard CPU.

Is there any other way to change your password rather then having to go through steam? I'm in college for the day and steam access is blocked by the college firewall so no way of accessing it until after 6. I know that there's pretty much no chance that i'm affected by this but i'd still like to change a few things on my account to feel secure.

Got to the IT department

Overheal

Stev_o wrote: »

After all the talk about Steam being unhackable

lol, where?

Every computer system imaginable is inevitably open to being hacked. The difference is how the data was handled, and again, Steam does a pretty good job of compartmentalizing it's data. That is, your forum and account are seperate, and account security changes require a third account - your email account - to access. That was the entire point of Steamguard. So even if they know your forum account, and your game account, they cant really do **** except make a few purchases at worst, they cant 'steal' the account because they can't change any of the security on it without also hacking into the email account. So if you have 3 uniquely different passwords for each account, they aren't going to do ****.

But again, who ever said the password information itself was uncrackable? The difference is how useful the data is.

kearneybobs

Overheal wrote: »

lol, where?

Every computer system imaginable is inevitably open to being hacked. The difference is how the data was handled, and again, Steam does a pretty good job of compartmentalizing it's data. That is, your forum and account are seperate, and account security changes require a third account - your email account - to access. That was the entire point of Steamguard. So even if they know your forum account, and your game account, they cant really do **** except make a few purchases at worst, they cant 'steal' the account because they can't change any of the security on it without also hacking into the email account. So if you have 3 uniquely different passwords for each account, they aren't going to do ****.

But again, who ever said the password information itself was uncrackable? The difference is how useful the data is.

I doubt it very much that Gabe Newell had said anything of the like. I too would like to see a source.

Magill

LOL, Sony and now Steam... ****ing hackers... nerds that don't like computer games.... go figure.

Mindkiller

Well I'm 'protected' by steam guard. What does that mean, exactly?

kearneybobs

Mindkiller wrote: »

Well I'm 'protected' by steam guard. What does that mean, exactly?

Overheal explains it pretty well a few posts up.

Overheal

Mindkiller wrote: »

Well I'm 'protected' by steam guard. What does that mean, exactly?

Steamguard means you opted to require your email account in order to make any changes to your steam account. That is, every time you want to change your password, you must first type in your existing password, log into your separate email account to retrieve a confirmation code, insert this code into Steam, and then create a new password. The same goes for changing your security questions, and even changing your email address in your account settings.

It basically means nobody can 'control' your steam account without also having access to your email account. So long as you keep both your email account and your steam account on separate passwords there's really not much way that knowing your steam password will allow a hacker to take over your email account, and thus its extremely difficult or impossible (without further hacking of the email server) to take over your steam account. It's basically lowjack for your Steam account.

Expect that after this hack they will upgrade this to all you to include requiring a proxy through your email in order to make Steam purchases.

marco_polo

Overheal wrote: »

Mindkiller wrote: »

Well I'm 'protected' by steam guard. What does that mean, exactly?

Steamguard means you opted to require your email account in order to make any changes to your steam account. That is, every time you want to change your password, you must first type in your existing password, log into your separate email account to retrieve a confirmation code, insert this code into Steam, and then create a new password. The same goes for changing your security questions, and even changing your email address in your account settings.

It basically means nobody can 'control' your steam account without also having access to your email account. So long as you keep both your email account and your steam account on separate passwords there's really not much way that knowing your steam password will allow a hacker to take over your email account, and thus its extremely difficult or impossible (without further hacking of the email server) to take over your steam account. It's basically lowjack for your Steam account.

Expect that after this hack they will upgrade this to all you to include requiring a proxy through your email in order to make Steam purchases.

Just to add to this a hacker can't even access the account from a computer that you haven't used before without an authentication code.

Overheal

Yes I forgot that one

daveyboy_1ie

Just keep an eye on your credit card transactions and take the appropriate action if you see anything unusual. This is common sense really, I log into my online banking most days as a matter of checking everything and it takes a minute or so. I might sound like I am being condescending but seriously I think it’s a good habit to get into.

Always hated Steam anyway, so no surprise they were compromised in some way.

ionapaul

I *think* I've steamguard in place (changed my password recently and had to get an email with a code before I could, I also need a code via email everytime I log onto Steam from a new computer) but regardless, I don't think I've ever posted on the Steam forums, I've just bought games from Steam and my credit card info is stored. Am I safe, if I don't have a Steam forums account?

Auvers

thank fcuk I only ever buy keys off those cheap sites

Overheal

daveyboy_1ie wrote: »

Just keep an eye on your credit card transactions and take the appropriate action if you see anything unusual. This is common sense really, I log into my online banking most days as a matter of checking everything and it takes a minute or so. I might sound like I am being condescending but seriously I think it’s a good habit to get into.

Always hated Steam anyway, so no surprise they were compromised in some way.

Naturally. Im prepared for the possibility that my debit card is in the wild.

Dyr

When I went home yesterday my house alarm was going off...does that mean that my steam account has ben hacked?

seyeM

Insert generic steam sucks comment here

GIVE US NEWS ON HL3 TO MAKE AMENDS GABE

Varik

****e like this happens and laws get past the world over that will probably be more far reaching and hash that deserved, in this case anything done to the hackers will be too lenient (crowbar to the face).

marco_polo

daveyboy_1ie wrote: »

Always hated Steam anyway, so no surprise they were compromised in some way.

I hope you feel at least a little bit guilty that your personal distain towards Steam was the primary motivating factor for the hackers. :pac:

seyeM

So this happens on the 6th, but Valve say nothing until both Modern Warfare 3 (8th) and Skyrim (11th) are released. Might they have held back on this crucial information to avoid any adverse effects to sales figures?

They should put a larger percentage of the money they're currently rolling in into network security.

Nody

Bambi wrote: »

When I went home yesterday my house alarm was going off...does that mean that my steam account has ben hacked?

No, your house alarm only goes off if your MS Live account was hacked; if your stem account was hacked it would leave the water running in the kitchen instead.

seyeM wrote: »

So this happens on the 6th, but Valve say nothing until both Modern Warfare 3 (8th) and Skyrim (11th) are released. Might they have held back on this crucial information to avoid any adverse effects to sales figures?

They should put a larger percentage of the money they're currently rolling in into network security.

They could have had 10 people watching network traffic (actually I'm quite sure there are more then that but anyway) and it would still get through.

The point of a hack is to get through a unknown weakness; ergo you can't watch for it as it is unknown (and not in a G. Bush kind of known unknown...) and no matter how much money you throw after it still goes through. All you can do is ensure appropiate seperation of data and encryption (all of which it appears Steam has done) for when it happens and appropiate follow up to avoid that specific issue in the future (which I'm quite certain will happen).

Amalgam

Sarky wrote: »

F*ck yeah 3V cards.

My Steam linked 'virtual Mastercard' is coming up as 'invalid' this morning. I had about €70 left on it. Last purchase was on Steam, Sunday morning.

I used the card for all sorts of purchases. Amazon book order last week etc.. same card.

Using the same brand of card for about two years now, never ever had any issues. I was a 3V user before that, again, no log in or invalid issues.

The coincidence is a bit troubling. I've emailed the card support.