Valve Announces Massive Steam Server Intrusion
SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."
As a show of good will, how about something extra? We trusted Steam, now they have our encrypted credit card info and billing addresses. Origin looks mighty tempting right about now.. with BF3 and all... =)
Awesome. Sounds like they were doing things right.
Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.
Love to see the hivemind at work.
Your hair look like poop, Bob! - Wanker.
and I just joined Steam recently.. damn.
Sounds a bit quicker (once they discovered the problem) and sincere from what I remember of Sony's 'efforts' when PSN got hacked.
Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...
Funny that I had to read about this on Slashdot. You think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, but Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), but how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
Cause the encryption key would also have to be on the server?
I'm not worried about my Steam password, I can go change it when I get home, it was fairly complex, and it's not a reused password anywhere else, but how hard would it be to crack these?
For those of us who aren't cryptography experts, does cracking one of the easy passwords (love, password, money) then help crack the more complex ones (m4sT3rm!nd)? I'm guessing this is crypto 101 stuff.
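As an added illustration (not part of the comment above) of the crypto 101 point being asked about: the constructed accounts below share a weak password, and the functions show that an unsalted store reveals the match and one precomputed table identifies both, while a per-account salt (PBKDF2-HMAC-SHA256 here, an assumed choice) gives no shortcut from one account to the next, let alone to a stronger password.

```python
import hashlib
import secrets

# Constructed sample accounts: two users share a weak password, one has a strong one.
SAMPLE_USERS = {"alice": "love", "bob": "love", "carol": "m4sT3rm!nd"}
ITERATIONS = 100_000  # PBKDF2 work factor (illustrative; tune for your hardware)


def unsalted_digest(password: str) -> str:
    """A bare hash: equal passwords give equal digests, so one table serves all users."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_digest(password: str, salt: bytes) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); the salt is random per account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def build_unsalted_store(users: dict) -> dict:
    """What a naive database column looks like: name -> digest."""
    return {name: unsalted_digest(pw) for name, pw in users.items()}


def build_salted_store(users: dict) -> dict:
    """Salted column: name -> (salt, digest); the salt is stored alongside."""
    store = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(16)
        store[name] = (salt, salted_digest(pw, salt))
    return store


def verify(store: dict, name: str, attempt: str) -> bool:
    """Login check against the salted store, with a constant-time comparison."""
    salt, digest = store[name]
    return secrets.compare_digest(digest, salted_digest(attempt, salt))


def _digest_of(entry) -> str:
    return entry if isinstance(entry, str) else entry[1]


def users_sharing_digests(store: dict) -> list:
    """Unsalted stores leak which accounts share a password; salted ones do not."""
    seen = {}
    for name, entry in store.items():
        seen.setdefault(_digest_of(entry), []).append(name)
    return sorted(group for group in seen.values() if len(group) > 1)


def precomputed_table_hits(store: dict, wordlist: list) -> int:
    """Accounts identified by a single salt-free precomputed table.

    Against a salted store the answer is zero: each account needs its own
    recomputation with its own salt, so knowing alice's password says nothing
    about bob's identical one, and nothing at all about carol's."""
    table = {unsalted_digest(w): w for w in wordlist}
    return sum(_digest_of(entry) in table for entry in store.values())
```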
I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)
I hate you too.
Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.
The Kruger Dunning explains most post on
You could learn about bias confirmation and statistics,. Then you would realize that the vast majority won't do something like that.
I'm a fan of Steam but I am mad as hell that they let this happen. It is not as if they weren't an obvious target given the number of game companies that have been hit before. This is Valve's fault. They screwed up big time and a limp apology from Gabe Newell doesn't make me feel any better.
well, technically it could be on a separate server to the database server or the webserver, but generally once one has access to one of the three they have enough access to the other two if they were segregated.
Why does Valve store Credit Card numbers? I thought this was a big no-no.
Before you respond, credit card profiles (name, address, cc#) can be stored by the secure merchant gateway rather than your local database. You only store a unique key like a GUID that can only be used by your merchant account.
I (no sarcasm) love Steam, and didn't expect a large-scale intrusion like this, but after the fun and games around the PSN intrusions, I removed my CC details from my Steam account.
It was so easy to buy games with a couple of clicks, and I do miss that, but I must admit a little smugness now over my decision...
I just hope Paypal is on top of their security, because by design they're more heavily linked into people's finance.
Because it's highly impractical if you want your audit logs to be in any way useful (also if you don't want your key rotation to take months). It's also pointless overhead when it comes to non-sensitive data. Get a name and city, and there's a good chance you can get phone number, full street address, and more from whitepages.com (and similar sites). Several years ago, people got this same info from things called phone books.
I'm disappointed to hear this happened, but assuming they're correct in their belief that the encryption keys were not compromised I'm not worried. I don't think anything was compromised that isn't about four seconds worth of Googling away, with the exception of the list of games I've bought (oh, no!)
How are sites slashdotted when nobody reads TFAs?
Today's daily deal on Steam is: Day of Defeat.
Couldn't have made a better choice myself.
I refuse to use
SQL Injection? Come on Valve. Get your Database Specialist some training.
Where are you getting SQL injection from? Database access != SQL injection.
In this thread, bias confirmation and statistics prove that people are good. Don't hate them!
It's either that or you have antiquated schemes from the likes of EA where you still (in this day and age) keep the disc in the drive for the entire time playing the game. I'd hate doing that today and I'm pretty bad at jumping between games in a given sitdown.
Bye!
And this incident hasn't added to that count at all! Unless you know something we don't, a) steam accounts weren't compromised, b) CC numbers weren't compromised, and c) pretty much everything important that was compromised was either hashed and salted (forum passwords only, separate from Steam accounts) or encrypted.
Of course, if someone did break into your house and steal your game collection, you would have nearly zero chance of getting it back. With Steam, you almost certainly could.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
Good thing I just followed the e-mail that just arrived and changed my password then! I'm fortunate to have found it in my junk mail. Weird that Steam is requiring social security numbers to change passwords now.
I trust no company to hold my data on the internet, plain and simple. I hope I'm not alone in stating that quality and security on the Net took a back seat long ago to IP law, and profit margins. If you put it on the Interwebtube, expect that a bad guy has it. It's a sad reality, but still a reality.
And yes, shame on Steam for not notifying users the day they discovered the problem. Finding out 4 days later, from an external company, is not excusable. I'm sure they will blame a 3rd party for the break-in, claiming it's not their code or design that's the problem too.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Then how do they manage the credit card numbers?
They cannot simply hash them, they need access to the actual cleartext data at some point.
My bet is on one or several servers containing one or several decryption keys.
So the question remains. Why not encrypt EVERYTHING?
Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.
Like most other "too big to obey rules" companies Valve just ignores PCI standards of keeping credit card information. PCI standards require that adherents not keep credit card information in a digital format, making it impossible to steal. Of course Valve can't be bothered to allow the annoyance of filling out a credit card form to break the urge to buy their [another person's] software. Now if you've ever used Steam your credit card data is most likely compromised.
It sounds to me like they don't have a clue how many servers were compromised so I'll just go ahead and assume the hackers have the encryption key for the CC data and salt for the hashes. Now a simple rainbow table is required and then the hackers have your password/email - hope you don't use the same password on your banking site! Valve's way of saying "thanks for using Steam".
I reiterate for posterity: I will never buy any game that requires Steam or any other DRM that prevents me from installing it twenty years from now or forces me to give up personally identifying information (especially CC numbers).
Do I get a hat for having to go through this?
-- botsex is {grep;touch;strip;unzip;head;mount}
I'd rather use the disks
I wonder how long this will delay the release of Half-Life 3? Or Half-Life 2 Episode 3? Left 4 Dead 3? Portal 3?
/oblig game delay post
Hmm, that's a lot of 3 games Valve could be working on....
SQL Injection? Come on Valve. Get your Database Specialist some training.
And you know it was an SQL injection because ... ?
I won't have to worry about my credit card information being stolen, since my credit card has already been compromised since the last time I used Stream!
...
Twice.
Hooray for the credit card system! And the dependency on stupid companies to maintain this information!
(And no, I don't shop around on "suspicious" websites or anything. But, because they'll never tell me who compromised my information, I can't determine which merchants to no longer use.)
I really love Steam. I can't recount the number of times someone broke into my house, stole my entire game library, AND my credit card, and then used my credit card to buy tons of other games on it,
Are you saying that's happened? The article doesn't mention that. They mention an intrusion where nothing seems to have been taken, things were properly salted and encrypted, and the issue was noticed quickly.
If you have contrary evidence, I'm sure it would make a good news story, you should probably report it.
You might have thought that getting burned badly once already might have led to a renewed emphasis on security and a commitment to best practices in securing important data. Huh. I guess the "can't happen here" clock must have reset already (as well it might have, since I only see one other comment here on Slashdot, of all places, indicating that anyone else remembered the kerfuffle over the Half-Life 2 source theft).
No relation to Happy Monkey
Actually, now EA makes you use their version of Steam, plus you have to go through a web browser to play single player or multiplayer (BF3).
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
with the exception of the list of games I've bought (oh, no!)
Not even a google away (it's only a guess) : http://steamcommunity.com/id/firehed/games/?tab=all
Yeah, and the list of games is about 2 seconds away on Steam anyways. Wait, less than 2 seconds. Let's hope Valve is right that their encryption is secure (also, it sounds like they think the hackers might not have gotten a chance to download the information.)
All you need to see about EA's security is how they deal with "lost passwords"
Last time I did a lost password request with EA, they happily sent me my password in email. No, not a "password reset request", but my actual password.
This tells me that:
a) They're dumb enough to send passwords in plaintext via email
b) They're dumb enough to store plaintext-retrievable passwords instead of doing a hash comparison.
FAIL!
There are many companies that allow you to save your card for later use. I personally find this dumb and avoid doing such as a rule, but I'd imagine that if they have the ability to do so, there must be some rule which allows them to do so under certain conditions.
Or they could just... not do any of that.
Filthy, filthy copyrapists!
Got hit with this one!
On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone had been playing Team Fortress 2 on it, the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy (www.crazy_denis@mail.ru) demanding that I put the passwords back so he could use the account he bought and paid for. Used Google Translate into Russian, sometimes Ukrainian, to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today the Slashdot story breaks about Steam being compromised. I wasn't the only one I guess!
PasswordMaker - Storage-less and per-site unique hash based password scheme
Changing all my passwords now to a PasswordMaker scheme for unique passwords for every single site based on a storage-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used and generate the same password every time that is unique, and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, or programming language since this app has been ported to practically everything.
I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.
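An added implementation (not the commenter's code and not PasswordMaker's) of the derivation described in this post: master password plus site name, hashed, mapped onto a character set, truncated. The first function reproduces the `echo ... | md5sum` pipeline literally, trailing newline included; the second swaps in PBKDF2-HMAC-SHA256 with the site as salt (an assumed choice, as is the output alphabet), because a per-site password is a deterministic function of the master, so a slow KDF is what keeps one leaked site password from being cheaply worked back to the master.

```python
import hashlib
import string

# Output character set for the "alpha-numeric + symbols" step (constructed choice).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def md5sum_pipeline(master: str, site: str) -> str:
    """Reproduce `echo "<master> <site>" | md5sum` exactly.

    `echo` appends a newline, so the newline is part of the hashed input;
    leaving it out gives a different digest than the shell command does.
    Returns the 32-hex-character string the post suggests pasting as a password."""
    line = f"{master} {site}\n"
    return hashlib.md5(line.encode()).hexdigest()


def to_alphabet(digest: bytes, alphabet: str, length: int) -> str:
    """Map digest bytes onto `alphabet` by repeated base conversion.

    Each output character consumes log2(len(alphabet)) bits of the digest, so the
    caller must supply a digest with at least length * log2(len(alphabet)) bits."""
    bits_needed = length * len(alphabet).bit_length()
    if len(digest) * 8 < bits_needed:
        raise ValueError("digest too short for requested length and alphabet")
    n = int.from_bytes(digest, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def pbkdf2_site_password(master: str, site: str, length: int = 16,
                         alphabet: str = ALPHABET, rounds: int = 200_000) -> str:
    """Hardened variant of the same scheme (assumed design, not the post's).

    The site name is the salt, so every site gets a distinct password, and the
    iteration count makes each master-password guess cost `rounds` hash
    operations for anyone who obtains one derived password from a breached site."""
    dk = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), rounds, dklen=32)
    return to_alphabet(dk, alphabet, length)


if __name__ == "__main__":
    # Constructed sample inputs (same shape as the post's example).
    print(md5sum_pipeline("MyPassword69!", "slashdot.org"))
    print(pbkdf2_site_password("MyPassword69!", "slashdot.org"))
```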
Here's the conversation for all of you.
How do we know this is Gabe? It could be that the hackers took over again and wrote it like they were Gabe. Maybe Valve never even regained control of the forums! They could still be in control at this instant!
Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.
Valve = Valuable contributor to healthy, competitive market. Cares about customers.
Sony = Anticompetitive lockdown ensures that a great many games are unplayable as they take a month to sort out the problem. Doesn't give a shit about customers.
Why is the concept that people will treat companies in the same way that those companies treat them such a strange and unusual concept to some people?
Calling someone a "hater" only means you can not rationally rebut their argument.
This is breaking news so the details are not all there. What if they also got to the databases that push updates? I would like to know the definitive answer to that because Steam is one of the few things that I allow to send me automatic updates. I sure would hate to get a virus via Steam. Fortunately, Steam runs as a non-administrative user but it still has write access to all the binaries in my Steam folder, so that is still a lot of potential damage.
OR they could just stop being tossers about it at all.
But that would require admitting that three decades' plus of copy protections/DRM schemes were a complete waste of resources, so yeah, I agree with parent. At least with the ancient "disc required" I know I can reinstall the damn game on my new laptop, or a few years down the line after a system crash, or whatever.
Until Valve either takes out the "we can close your account whenever the fuck we want" clause from the T&Cs, or changes the "option" to "guarantee" that they will provide standalone copies of purchased software, Steam can rot and they can blow me. I don't care if they're everyone's darling compared to EA (not saying much). "They wouldn't do that" doesn't hold much credibility as long as they feel the need to keep the ability to "do that" in reserve.
Good thing my Steam password is unique to my Steam account, and the credit card associated won't work because I changed banks...
Furries make the internet go.
Since I never understood the need for Steam in the first place, maybe I'm not worthy of a notification.
Sorry, but gray text on gray background is making my eyes bleed.
Performance. If you encrypt everything, you have to decrypt on every web page request to their forums. That is going to take a lot of CPU time if it's a decent algorithm. Most likely it wouldn't be, in order to make it work at all.
Also, if you encrypt everything, it's impossible to search. You would have to decrypt ALL THE DATA to do a search or it would have to be stored unencrypted in an index. It just doesn't make sense.
Finally, as you pointed out the server would have to have the decryption key. If they root the web server, they can get access to the key and then use it to decrypt everything anyway.
MidnightBSD: The BSD for Everyone
This comment makes absolutely no sense. Let's say it was SQL injection, then it would be a programmer's fault.
Or steal your money when you buy rehashed pork
Here is a gem - http://www.youtube.com/watch?v=b5dsOn06w1s
EA is weird
Not sure if this is a coincidence, but the credit card that I had on file with Steam got billed with a fraudulent charge on Nov 6. Any other steam users experiencing anything like this?
At the time when the Half-Life 2 source was leaked, the cracker said that along with spectating the development process he actually made some small changes to the code. Is it possible that some of these made their way to the final product or that there is even some hidden malicious code included? Paranoid, but interesting.
Probably perfectly fine because anyone who purchases Skyrim in shops doesn't need to enter any personally identifiable information in order to create a Steam account. The only requirement is a throwaway email address.
I received a notification just fine when launching steam.
You've always had the ability to not store credit card numbers on Steam, or remove stored ones. You've also always had the possibility to pay by things like Paypal etc.
That is not true. Credit card companies offer a token, a hashed edition of your credit card number, that can be used for subscriptions or stored credit cards at their servers. The hash is combined with the merchant id making it useless outside of the single merchant. Encryption cannot prevent credit card numbers from being copied. Hashing does.
EA hands you that glass of purple kool-aid and you just drink it without a second thought?
Given what these corporations have done in the past you HAVE GOT to be drinking the kool-aid to believe they won't sell any information they get, to third parties. They may even do so illegally.
"The illegal we do immediately; the unconstitutional takes a little longer." - Henry Kissinger. And it applies to Corporations, too.
Never, ever give sensitive information to anyone you do not trust. Always monitor every app you use and know fully what information it transmits. Paranoia? Hardly. It's the most basic law of survival.
--- Grow a pair, liberals... stop letting the Republicans bully you!
I don't know how things work in other countries but all banks in Portugal allow you to link your account to a service called MBNet, which allows you to create a virtual CC number with the balance that you need to make a purchase and it expires in 2 days or after it's used.
Ever since I got to know about it, I don't use anything else and I don't know why someone would. You don't even need a CC, it's linked to your bank account.
So every time you need to make a purchase, you create a CC number on the fly, with the spending limit of the purchase you want to make and this CC information will be useless after you complete the purchase.
That's all hackers will ever get from me, a bunch of useless CC numbers.
This has been annoying the shit out of me. I've been meaning to check the forums to see if other people have problems running SEGA Genesis & Mega Drive Classics, and I simply can't. Forums are always the quickest and easiest ways to solve these kinds of problems, but I guess I'll just contact SEGA support or whatever.
Thanks, intruders.
I am not devoid of humor.
Interesting how we have DRM on the games to protect game rights / data, but when it comes to consumer data there isn't much concern for our information's protection.
Valve say that passwords were salted and hashed in the db and CC info was encrypted. It sounds like they followed best practices in storing this info. Can we at least give them some kudos for doing this? It would be a lot easier for them to store that info in clear text, so it seems like the least we can do is thank them for taking appropriate security precautions.
The difference is that EA would have hidden it, and unlike Sony they would have been successful in doing so. Then they'd probably lock down their forums after banning anyone questioning such actions.
Well, so far we have Valve's word. And while I don't question their word on principle, I'll hold my kudos 'til some audit has come and gone and confirmed that.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.