Valve Announces Massive Steam Server Intrusion

← Back to Stories (view on slashdot.org)

Valve Announces Massive Steam Server Intrusion

Posted by samzenpus on Thursday November 10, 2011 @12:02PM from the save-my-game dept.

SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."

92 of 434 comments (clear)

Min score:

Reason:

Sort:

Hey gabe by Anonymous Coward · 2011-11-10 12:04 · Score: 4, Interesting

As a show of good will, how about something extra? We trusted steam, now they have our encrypted credit card info and billing addresses. Origin looks mighty tempting right about now.. with BF3 and all... =)
1. Re:Hey gabe by kelemvor4 · 2011-11-10 12:19 · Score: 5, Informative
  
  Origin looks mighty tempting right about now.. with BF3 and all...
  Sure, if you don't mind handing over an inventory of everything on your PC and letting origin do what they want with the information... http://decryptedtech.com/index.php?option=com_k2&view=item&id=257:eas-origin-may-be-a-little-too-intrusive&Itemid=138
2. Re:Hey gabe by ludomancer · 2011-11-10 12:28 · Score: 4, Insightful
  
  You're just being stupid for the sake of comedy right?
  Amazon.com looks good right now.
  Fuck, even Best Buy looks good right now.
  Origin looks like the exact same crap, but with a much less trustworthy company in charge of it. EA would sell all that personal information straight to the hackers if it meant they could turn a profit.
3. Re:Hey gabe by Mashiki · 2011-11-10 12:29 · Score: 5, Insightful
  
  Even after this, I still trust Valve more than I trust EA. Hell Valve could kill kittens and use their blood to fuel their servers, and I'd still trust them more than EA. One only needs to look into the past and see how much EA has treated not only their customers as dirt, but their employees.
  
  --
  Om, nomnomnom...
4. Re:Hey gabe by rahvin112 · 2011-11-10 12:51 · Score: 2
  
  The could require a ritual human sacrifice every time I start a game and I would STILL trust them more than EA.
  It would be better if they didn't have the database but encrypted info isn't much value as long as they didn't get the salt values or private keys with the data.
5. Re:Hey gabe by Ant+P. · 2011-11-10 13:31 · Score: 5, Informative
  
  Yeah, so far Valve's credit card database has been stolen, but EA customers are the ones getting money stolen from their bank accounts.
6. Re:Hey gabe by rapidreload · 2011-11-10 14:09 · Score: 5, Funny
  
  Hell Valve could kill kittens and use their blood to fuel their servers
  Wait... are you saying kitteh sacrifices are NOT part of standard server administration? Shit, I'm not quite sure what my boss is going to say when he finds out how I run things...
  
  --
  To all newcomers - people here are very close-minded and can't handle complaints about Linux. Keep this in mind.
Proper back end hashing and encryption? by Anonymous Coward · 2011-11-10 12:05 · Score: 5, Insightful

Awesome. Sounds like they were doing things right.
1. Re:Proper back end hashing and encryption? by ackthpt · 2011-11-10 12:09 · Score: 5, Funny
  
  Awesome. Sounds like they were doing things right.
  Yeah, sounds like they did better than most businesses *cough* Sony *cough* who probably kept everything in a big ol' text file.
  which was named readme.txt
  
  --
  
  A feeling of having made the same mistake before: Deja Foobar
2. Re:Proper back end hashing and encryption? by pixelpusher220 · 2011-11-10 12:20 · Score: 5, Funny
  
  please, they aren't that stupid.
  
  They called it 'dontreadme.txt'
  
  --
  People in cars cause accidents....accidents in cars cause people :-D
3. Re:Proper back end hashing and encryption? by muon-catalyzed · 2011-11-10 12:31 · Score: 5, Insightful
  
  ..until some external auditor confirms this better start the identity theft ritual (credit cards pull etc.)
4. Re:Proper back end hashing and encryption? by X0563511 · 2011-11-10 12:38 · Score: 2
  
  All my cards already got compromised. Whee. I think some merchant somewhere was doing exactly what the PCI-DSS council says not to do.
  Fortunately they all have 'zero liability' - wonder how long that will last? In my case, the best the hackers got were deactivated card numbers and a password that just became useless.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
5. Re:Proper back end hashing and encryption? by hairyfeet · 2011-11-10 13:07 · Score: 2
  
  Exactly, as long as they used good solid encryption (after all technically encryption could include ROT13 so we can't judge by simply saying its encrypted) along with salting one shouldn't have anything to worry about, although it does make me feel a little better about never having them save my CC numbers for future purchases.
  But frankly they'll have to do a lot worse to run me off, because between Steam, GOG, and Amazon I don't have to deal with irritating retail anymore which makes me VERY happy. Steam also makes it easy to just gift games to my nephews without any hassle, and frankly where else is there to go? Origin? I wouldn't trust EA any farther than I can throw their fattest CxO, looking at their EULA it pretty much reads as "We can do what we want, when we want, tough shit". The second i start seeing 'third party" in the EULAs I start backing away as IMHO the usually ends up being a code phrase for "We sell your info to anybody with a dollar". No thanks, Steam "just works".
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
6. Re:Proper back end hashing and encryption? by icebraining · 2011-11-10 14:09 · Score: 3, Informative
  
  Uh, no. Sony stored over 1M password in cleartext.
  http://www.troyhunt.com/2011/06/brief-sony-password-analysis.html
  
  --
  Dilbert RSS feed
7. Re:Proper back end hashing and encryption? by MagusSlurpy · 2011-11-10 14:45 · Score: 3, Informative
  
  Don't forget the 12,700 credit card numbers stored in cleartext. But that's no biggie, because only a thousand of them were still active Sony customers.
  
  --
  My sister opened a computer store in Hawaii. She sells C shells by the seashore.
8. Re:Proper back end hashing and encryption? by Canazza · 2011-11-10 21:05 · Score: 2
  
  yes, but with gabe you can use portals to fling him.
  
  --
  It pays to be obvious, especially if you have a reputation for being subtle.
9. Re:Proper back end hashing and encryption? by hairyfeet · 2011-11-11 00:04 · Score: 2
  
  Because Gabe strikes me as the type of guy you could go get a beer with while the CxOs at EA strike me as the kind that would skip out while you were taking a piss just to stick you with the tab.
  Call me weird but attitude and how you treat those around you counts for something with me and old Gabe has always seemed like a pretty straight shooter. Plus when Steam actually has a sale its a SALE, with EA it has always been "hey we're giving you a dollar off, its a whole dollar!". Last Steam sale I picked up the FEAR 1&2 series, 5 games for $6.79. Now be honest can you EVER picture EA allowing even ONE game much less FIVE to be sold for less than $7?
  I'm just glad I got my boys on Steam as I fricking HATED dealing with Xmas shopping for them,as everything they wanted always seemed to be back ordered. Now they are counting down to the Steam sale to see how many games they can score. Go Steam!
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
10. Re:Proper back end hashing and encryption? by X0563511 · 2011-11-11 04:02 · Score: 2
  
  Didn't have any trouble myself.
  Sounds silly, but try changing your download location first in the settings, you might have better luck connecting via a different 'path'
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Hilarity by OverlordQ · 2011-11-10 12:06 · Score: 2, Insightful

Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, accounts details stolen, account information hashed and salted, Sony ran through the ringer.
Love to see the hivemind at work.

--
Your hair look like poop, Bob! - Wanker.
1. Re:Hilarity by Anonymous Coward · 2011-11-10 12:10 · Score: 5, Insightful
  
  The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.
2. Re:Hilarity by mr_da3m0n · 2011-11-10 12:11 · Score: 4, Insightful
  
  I think it may have to do with Gabe being honest about it and immediatly going "Yeah it happened, here's what they got, terribly sorry about that :(" Also given the man's track record, I'd personally be more forgiving, when comparing to Sony's track record.
3. Re:Hilarity by ewanm89 · 2011-11-10 12:12 · Score: 4, Informative
  
  Well steam fundamentally different from sony:
  1. No-one told you you had to store credit card details in steam, they support paypal which prevents this being an issue.
  2. At least they told their users in a prompt manner.
  3. It sounds like the information was properly encrypted and stored, this did not sound true with Sony.
4. Re:Hilarity by gman003 · 2011-11-10 12:13 · Score: 4, Informative
  
  There was much miscommunication last time - a Sony executive said the credit card info was unencrypted. Which immediately launched a massive wave of "WTF?" from everyone with even a passing knowledge of security.
  There's also the fact that the intrusion targeted the Steam forums, which have distinct accounts from Steam itself. People probably use the same password on both (I think I might've), but it's still slightly better.
  And you can't forget the main difference - people can still play their games. During the Sony hacks, people were locked out of online play for quite some time. And people (being stupid) care more about getting their CoD on than not getting their credit cards stolen.
  Still not unforgivable, but the fact that Valve is immediately going "we fucked up, we're trying to fix it, here's exactly what's going on" rather than Sony's "We are aware of outages but won't even say that we got hacked for several days". Honesty counts for a lot.
5. Re:Hilarity by ewanm89 · 2011-11-10 12:16 · Score: 5, Insightful
  
  Shall we go into how they fired their whole network security team the week before, or the fact the attacks on Sony were orchestrated as a retaliatory strike on them for certain lawsuits (I'm not saying it's right) just there were lots more factors to those specific attacks than just "we were hacked".
6. Re:Hilarity by Moheeheeko · 2011-11-10 12:19 · Score: 5, Interesting
  
  The fact that all evidence suggests that all credit card info was unencrypted on the Sony server. And no, Sony didnt announce shit until the network had been down for 2 weeks, up until that point they just claimed "matinence"
7. Re:Hilarity by Anonymous Coward · 2011-11-10 12:22 · Score: 5, Interesting
  
  Couple of big differences in this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:
  1. Completely shut down the service for a week with no explanation.
  2. Keep the service offline for an additional month after admitting that they had been compromised.
  3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
  4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breech.)
  5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
  6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.
  I think that about covers the differences.
8. Re:Hilarity by gman003 · 2011-11-10 12:23 · Score: 2
  
  Yes - but some Sony exec stated otherwise, which caused no end of confusion even after they corrected the statement.
9. Re:Hilarity by Local+ID10T · 2011-11-10 12:27 · Score: 3, Insightful
  
  The guy has just admitted they stuffed up. they had a responsibility to protect your data that they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.
  If you think this situation is anything like being raped -you do not know what rape is...
  
  --
  "You want to know how to help your kids? Leave them the fuck alone." -George Carlin
10. Re:Hilarity by Joehonkie · 2011-11-10 12:28 · Score: 2, Insightful
  
  Yes, this is exactly like being raped. At a police station. Exactly the same.
11. Re:Hilarity by Kenja · 2011-11-10 12:29 · Score: 3, Informative
  
  Unless you disabled the security checks, you can not log into steam from an untrusted computer. If you try to do so, you will be asked to enter a code that is emailed to the account holder.
  
  --
  
  "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
12. Re:Hilarity by Baloroth · 2011-11-10 12:29 · Score: 2
  
  Ummm, no? Unless you mean something weird by "linked", forum and Steam accounts are separate.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
13. Re:Hilarity by Anonymous Coward · 2011-11-10 12:33 · Score: 4, Funny
  
  Yeah... it's more like getting roofied, and then being told about it 4 days later.
14. Re:Hilarity by Cyberllama · 2011-11-10 12:33 · Score: 4, Informative
  
  Well, let's start with the fact that PSN intrusion was just one of 23 separate incidents for Sony within a time frame of just a couple of months.
15. Re:Hilarity by Anonymous Coward · 2011-11-10 12:33 · Score: 2, Informative
  
  You see i'm a bit bitter about entitlement complexed hackers stealing my info because sony wouldn't let them pirate games.
  Then you'll be pleased to know that this is not in fact what happened.
16. Re:Hilarity by X0563511 · 2011-11-10 12:40 · Score: 2
  
  Ignoring the rape comparison, I would be happy they admitted it. Would you prefer they pretend it didn't happen, and go "la la la la we didn't see it"?
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
17. Re:Hilarity by Sitnalta · 2011-11-10 12:51 · Score: 4, Insightful
  
  Yes, but Sony stored customer data as PLAIN TEXT. Their security was a joke and they deserved all the bad press they got.
  Valve on the other hand had all sensitive data encrypted. Which means that the hackers likely got nothing but useless gobbledygook.
18. Re:Hilarity by Unoriginal_Nickname · 2011-11-10 13:03 · Score: 3, Interesting
  
  Be warned, the following is only hearsay:
  The CC info was encrypted in the database, and Sony used a separate internal-facing server to handle credit card transactions. The problem is, the transaction server wasn't configured properly; unencrypted credit card numbers and billing information were being recorded in Apache logs.
19. Re:Hilarity by Charliemopps · 2011-11-10 13:17 · Score: 5, Insightful
  
  It's amazing what being generally nice to your customers, delivering what you promise and not trying to ass-rape them at every turn can get you when you finally do screw up isn't it?
20. Re:Hilarity by artfulshrapnel · 2011-11-10 13:38 · Score: 2, Interesting
  
  Well, the PSN network requires you register a credit card to make any real use of it (like playing games online, for example). This card must be registered directly with Sony.
  Steam, by contrast, accepts PayPal, which is a financial institution with appropriate levels of security for such storage.
  So yes, they did tell you to store your credit card details with them.
21. Re:Hilarity by Baloroth · 2011-11-10 13:45 · Score: 4, Interesting
  
  In fact, this is why I have decided not to change my Steam password. If I get a notification that someone tried to access it, I know the password were compromised, and can act accordingly.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
22. Re:Hilarity by tomstockmail · 2011-11-10 14:26 · Score: 4, Informative
  
  Then screw heresy, here's the actual source.
  
  One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.
23. Re:Hilarity by Anonymous Coward · 2011-11-10 14:36 · Score: 2, Insightful
  
  Passwords != CC info... Passwords you want to be hashed, it is better than encryption. CC info, by contrast, can't be hashed because you need to reproduce it for the CC company and thus you have to settle for encrypting it. Don't confuse these 2 things, the security needs are quite different.
24. Re:Hilarity by jmhysong · 2011-11-10 14:43 · Score: 2
  
  Wrong on number two. Valve did not tell its Steam users about this intrusion. They did not send out any emails or Steam IMs to their members, they didn't mention this on the Steam news page, and in fact they didn't mention it anywhere on Steam at all. The only place this intrusion is mentioned is on the forum. They're happy as punch to tell me through Steam that I can buy freaking Wallace and Gromit for 66% off but they don't inform me that all that my personal information has been compromised? That is shameful.
25. Re:Hilarity by DarwinSurvivor · 2011-11-10 14:55 · Score: 3, Informative
  
  Our family plays on PSN regularly and we have NEVER given Sony any CC numbers. We even bought a couple games later on, also without cc (7-11 gift certificate).
26. Re:Hilarity by Daetrin · 2011-11-10 15:36 · Score: 4, Informative
  
  It took about 5-10 minutes of searching to find the exact reference, but here you go.
  
  So technically speaking the passwords _weren't_ encrypted. I remember when that bit of news came my friends and i were all very curious to know what kind of salt (if any) they were using, but we're all geeks at a software company so we're a bit more clued in about such things. In fact i don't remember if the salt question ever got answered.
  
  As for why it keeps getting brought up, especially in this thread, it's because people keep asking why Sony was treated more harshly than Valve seems to be getting treated now. The answer is that Sony took forever to say anything about what was going on and the made a habit of releasing partial bits of information, some of which were confusing or misleading. The encryption issue is just one of those bits the handling of which upset people.
  
  PSN was hacked between April 17th and 19th. It took a day or three before they shut down the servers without saying a word. It was three more days before they admitted there had been a data intrusion, and another three days before they admitted that user data had been compromised and days more before they admitted that personally identifiable information had been compromised.
  
  If Valve starts dribbling out more bits of previously unrevealed information over the next few weeks (not just details on the aspects they've already confirmed) then the amount of goodwill currently being displayed will erode very fast.
  
  Most of us don't feel that it's possible to prevent all security intrusions, but it is possible for companies to be responsible and forthright about it when it happens.
  
  --
  This Space Intentionally Left Blank
27. Re:Hilarity by Kalriath · 2011-11-10 15:58 · Score: 4, Informative
  
  Not entirely true - some credit card merchant gateways permit you to tokenize the credit card info and re-charge them without ever re-sending (or storing) the details. In these cases, the merchant only ever sees your details once - when they send them in to be tokenized. And the token is also usable only by the original merchant - so the worst a hacker could do with it is forcibly give your money to the merchant.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
28. Re:Hilarity by Chucky_M · 2011-11-10 21:13 · Score: 2
  
  Wrong on number two. Valve did not tell its Steam users about this intrusion. They did not send out any emails or Steam IMs to their members, they didn't mention this on the Steam news page, and in fact they didn't mention it anywhere on Steam at all. The only place this intrusion is mentioned is on the forum. They're happy as punch to tell me through Steam that I can buy freaking Wallace and Gromit for 66% off but they don't inform me that all that my personal information has been compromised? That is shameful.
  When you start steam it provides you this message in the main popup box where they normally try to sell you preorder crap.
29. Re:Hilarity by wjousts · 2011-11-11 02:54 · Score: 2
  
  in part due to the fact that Sony is run by gigantic cocks while Valve isn't.
  So Valve is run by tiny cocks? I feel sorry for Gabe's wife.
30. Re:Hilarity by man_the_king · 2011-11-11 08:51 · Score: 2
  
  Well, the PSN network requires you register a credit card to make any real use of it (like playing games online, for example). This card must be registered directly with Sony
  
  Ah, a lie from someone who has never played a game on PSN. Not sure if you are a 360 fanboy or just your standard /. Sony-hater, but FYI, Sony does NOT require you to register your CC for playing games online.
DRM rocks! by Anonymous Coward · 2011-11-10 12:08 · Score: 4, Insightful

Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...
1. Re:DRM rocks! by Spad · 2011-11-10 12:27 · Score: 5, Insightful
  
  As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.
  Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.
2. Re:DRM rocks! by Baloroth · 2011-11-10 13:22 · Score: 2
  
  Because these days it seems like it's either Steam or Securom (or *shudder* worse). I'll take Steam, TYVM.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
3. Re:DRM rocks! by artor3 · 2011-11-10 13:59 · Score: 3, Informative
  
  Liar. If you try to start Steam without an internet connection, it pops up a window with two options "Retry" and "Start in Offline Mode". You absolutely do not need to go into offline mode ahead of time. Did you really think no one would catch that lie?
4. Re:DRM rocks! by Squiddie · 2011-11-10 14:30 · Score: 2
  
  You still have to make a Steam account if you buy some retail games. It's just DRM, and while less intrusive than most, it's still horrible. I can't even give my old games away, which is crap, since I have friends that would usually take my old games, now they don't get squat.
5. Re:DRM rocks! by zigmeister · 2011-11-10 16:04 · Score: 4, Informative
  
  No he's probably not lying. I've had the exact same problem. I'll explain it as best I can (I don't know why it happens):
  Your computer is connected to the 'net with steam running. You shut down steam, disconnect from the internet completely, then restart steam. Then steam does all kinds of weird shit like it claims it's updating itself or "connecting"... after a while it finally pops up and says I can't connect to to a steam server what would you like to do? 1) Retry 2) Start in Offline Mode. Select option 2 (obviously) then steam says it's "connecting" (sigh) again, then it says something like could not connect to a steam server at this time. The only option is to close the window.
  As far as I can tell the workaround to play in offline depends on the game. For all games this was required: start steam with a working internet connection, select go/restart into offline mode while connected to the internet, then quit steam, then disconnect from the internet completely, then start steam in offline mode normally at your leisure. That worked for most games but it was also incredibly annoying; the buddies I LAN with don't have a 'net connection and I forgot to go through this process before going over once or twice.
  For some games (The Orange Box falls into this category) I had to have the game updated, then start the game while connected to the internet IF it had been updated since it was last played, then go through all the normal stuff I listed above. If I didn't do all of this the game would not start in offline mode even if steam would. Yet more games completely refused to start and I never figured out how to workaround that (none of the above worked.)
  For the GPs sake: I managed to fix the issue by uninstalling steam then nuking the contents of the steam folder on the drive. But it still does some weird shit but w/e. Also I haven't bothered reporting or complaining because I have heard that Valve ignores complaints about offline mode not working so...
  
  --
  Failure formatting five FAQs of financial facts.
Way to keep us informed? by feidaykin · 2011-11-10 12:09 · Score: 5, Insightful

Funny that I had to read about this on Slashdot. You think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, but Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), but how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...

--
"To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking
1. Re:Way to keep us informed? by Anonymous Coward · 2011-11-10 12:16 · Score: 2, Interesting
  
  Funny you should say that - I just logged into steam and had that message pop up as the first thing it did, good luck getting any cash out of my account though - I max it the day I get paid :-D
2. Re:Way to keep us informed? by Gravatron · 2011-11-10 12:17 · Score: 2
  
  Sony was quite public about it, what are you talking about? I got emails about it, and they sent out press releases about it IIRC.
3. Re:Way to keep us informed? by Rockoon · 2011-11-10 12:19 · Score: 2
  
  My guess is that they are sending out emails, but since they literally have tens of millions of regular users (and certainly tens of millions of users that havent connected in a long time), that might takes some time.
  
  --
  "His name was James Damore."
4. Re:Way to keep us informed? by cstdenis · 2011-11-10 12:20 · Score: 4, Insightful
  
  It sounds like they are. The article says "...below is the full email from Gabe Newell to Steam members."
  Keep in mind Steam has a hell of a lot of members. It can easily take several hours to send out that many emails.
  
  --
  1984 was not supposed to be an instruction manual.
5. Re:Way to keep us informed? by IICV · 2011-11-10 12:25 · Score: 4, Informative
  
  The announcement also pops up after you stop playing a Steam game. Normally there's some ads when you do that, but currently the first thing that shows up is the text that Slashdot posted here. It's actually quite effective, because normally you get pictures and ads and things instead of a wall of text, so it stands out.
6. Re:Way to keep us informed? by koolfy · 2011-11-10 12:43 · Score: 3, Interesting
  
  Of course they did.... two weeks after downing PSN claiming it was for maintenance.
  
  They HAD to do so eventually, but the point is they went into denial mode for weeks before admitting the fuckup.
  
  --
  Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.
7. Re:Way to keep us informed? by X0563511 · 2011-11-10 12:51 · Score: 5, Informative
  
  as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases.
  Sounds like you don't like this.
  1. Steam Menu
  2. Settings
  3. Interface Tab
  4. Uncheck the "Notify me..." box near the bottom
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
8. Re:Way to keep us informed? by Gravatron · 2011-11-10 13:01 · Score: 2
  
  you mean 7 days. Hack occurred on the 19th and the full disclosure of what was taken was on the 26th iirc.
9. Re:Way to keep us informed? by Anubis+IV · 2011-11-10 13:08 · Score: 5, Informative
  
  Sony was quite public about it, what are you talking about?
  They may have been public about the fact that there was a breach, but they were incompetent in their handling of it. And based on my e-mail archives, they never fully informed their customers of the extent to which the intruders compromised their servers. Specifically, Sony only sent out two e-mails related to the PSN outage to all of their customers: one on April 28th to say that accounts had been compromised, but that there was no evidence of credit cards having been compromised at that time, and another on June 5th to announce the Welcome Back package. From what I can tell, there was NEVER a mass e-mail to inform their PSN customers that credit card information had, in fact, been stolen, nor did they ever send out a mass e-mail to announce their identity theft protection program (or maybe I just didn't get it because I signed up for it before they sent it?).
  Here's a complete timeline including other announcements besides e-mails:
  January or February 2011 - Sony is told by security experts specifically why their server security sucks
  Early April - Various PSN outages, some because of planned Anonymous DDoS attacks
  April 17th-19th - PSN compromised (source: Sony's April 28th e-mail)
  April 21st - PSN goes down as Sony realizes something is up
  April 23rd - Sony blames outage on external intrusion; makes no mention of compromised accounts
  April 24th - Sony starts "rebuilding" PSN after attack; still no mention of compromised accounts
  April 26th - Sony admits that someone may have some account information for their 77M accounts
  April 27th - Sony confirms that some data was stolen
  April 28th - First e-mail to customers gets sent; says there is no evidence yet of credit cards having been compromised
  May 1st - Sony confirms that 10M users had credit cards compromised; promises PSN up by week's end (spoiler: it didn't happen); doesn't send an e-mail
  May 2nd - SOE goes down after they realized it was compromised too
  May 3rd - Sony admits 24.6M SOE accounts were compromised
  May - Lots more drama as Sony makes promises to have PSN up but then reneges on them repeatedly
  June 2nd - PSN finally comes back up
  June 5th - Second e-mail to customers gets sent; tells them that the Welcome Back package is now available; makes no mention of credit cards, identity theft, or how to sign up for their free identity theft protection program
  I'd hardly call it a model to follow, and I'm still hoping that Valve will make a point of e-mailing their users in the next few days. It's fine to take a few days for something like this while you track down the details, but it does need to get done properly at some point. Sony never did it properly.
10. Re:Way to keep us informed? by captjc · 2011-11-10 13:42 · Score: 2
  
  It is also interesting to note that the daily deal on Steam today is "Day of Defeat." Coincidence or message?
  
  --
  Slow Down Cowboy! It's been 1 hour, 47 minutes since you last successfully posted a comment
11. Re:Way to keep us informed? by Cl1mh4224rd · 2011-11-10 15:10 · Score: 5, Informative
  
  They did? I never got that one myself.
  I did. I had completely forgotten about it until I read The MAZZTer's comment. I kind of shrugged it off as the usual email spoofing, but it still seemed odd at the time that it made it through Google's spam filter.
  The email, with redactions by me:
  
  Subject: Come join [redacted], a gaming resource community
  From: webmaster@steampowered.com
  Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks? Visit [redacted]. It's safe, secure and undetected.
  Along with hacks, we've also got some general discussion sections, hacking tutorials and tools, porn, free giveaways and much more. This site has been conditioned to meet all your needs in terms of resources so be sure to take a look and tell us what you think.
  Thanks again,
  the [redacted] team.
  
  --
  People will pass up steak once a week, for crap every day.
How hard are the passwords to crack? by Galaga88 · 2011-11-10 12:16 · Score: 2

I'm not worried about my Steam password, I can go change it when I get home, it was fairly complex, and it's not a reused password anywhere else, but how hard would it be to crack these?
For those of us who aren't cryptography experts, does cracking one of the easy passwords (love, password, money) then help crack the more complex ones (m4sT3rm!nd)? I'm guessing this is crypto 101 stuff.
I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)
1. Re:How hard are the passwords to crack? by Beryllium+Sphere(tm) · 2011-11-10 12:31 · Score: 4, Informative
  
  No, each one is an independent problem.
  None of the weaknesses that have been discovered in common hashes allow reversing them (which is in general impossible anyway since an infinite number of inputs could lead to the same hash, it's just infeasible to find them).
  The "crack" is just high-speed testing of possible passwords. Modern cracking software is actually fairly sophisticated about trying substitutions on dictionary words.
  Use a passphrase unless there's some stupid limit on password length.
2. Re:How hard are the passwords to crack? by alcourt · 2011-11-10 12:37 · Score: 2
  
  Knowing one password does not materially help attacks on other passwords. However, depending on the algorithm used, it may be possible to brute force the password. For example, if the old Unix crypt(3c) algorithm is used, then most passwords can be brute forced in reasonable time now. Recent advances have led to use of the graphics card on your system to perform those attacks.
  Longer hashes like MD-5 are significantly harder as they support a much longer search space, but few people use a password over twelve characters. Certainly, any password under seven characters should be considered vulnerable, regardless of algorithm used to salt/hash them.
  Assuming (big if) they are using standard password hashing algorithms, long (at least 15 characters long) passwords that are pasted, not typed because they are completely randomly generated is your best protection in such cases.
  Passwords are just evil though.
  
  --
  "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
3. Re:How hard are the passwords to crack? by Anonymous Coward · 2011-11-10 14:05 · Score: 2, Informative
  
  The passwords are hopefully stored in one way non-reversible hashes, not encrypted. There is no decrypt, even with the salt. To compare a password, you would compare a hash of the entered data with the hash that's in the database and see if they match.
  To get the password, you'd have to find a same grouping of letters that creates the same hash as the password, which takes forever as they aren't reversible (We're also assuming the passwords aren't hashed using a compromised hashing algorithm). Rainbow tables are generated to provide a quick way around this; they're basically a list that says this password = this hash. So they can just look up the hash in the table and grab the password. Adding a salt makes those common rainbow tables useless as the hashes won't match the ones in the database, so the hackers would have to generate their own tables. This is very time consuming, even if they had the salt. In addition, as a 3rd level of complexity, even if the salt was stored right next to the password in the database, but unique for each account, the hackers would need to create a rainbow table for each account to retrieve a matching hash.
  Those devs aren't (always) dipshits.
hah by geekoid · 2011-11-10 12:25 · Score: 4, Funny

Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.

--
The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
1. Re:hah by Bobfrankly1 · 2011-11-10 12:44 · Score: 3, Funny
  
  Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.
  You're just upset *backstab* because you have difficulty *MEDIC!!!! backstab* spy-checking as a *backstab, cloak* pyro. Perhaps if you stopped standing in one place *backstab, backstab, miss, backstab* and developed your pyro techniques, you would find spies to be *sapper, backstab, die from being on fire* easy prey.
Accidental irony by Shillo · 2011-11-10 12:32 · Score: 5, Funny

Today's daily deal on Steam is: Day of Defeat.
Couldn't have made a better choice myself.

--
I refuse to use .sig
Whew! by Bobfrankly1 · 2011-11-10 12:37 · Score: 5, Funny

Good thing I just followed the e-mail that just arrived and changed my password then! I'm fortunate to have found it in my junk mail. Weird that Steam is requiring social security numbers to change passwords now.
Steaming pile by Culture20 · 2011-11-10 12:42 · Score: 2, Insightful

I reiterate for posterity: I will never buy any game that requires Steam or any other DRM that prevents me from installing it twenty years from now or forces me to give up personally identifying information (especially CC numbers).
1. Re:Steaming pile by Akzo · 2011-11-10 13:38 · Score: 2
  
  You don't have to enter any personally identifying information to make a steam account; Username, email and password is all it takes and seeing how there are already methods of bypassing Steam when loading games I doubt you would have any Steam related trouble playing games in 20 years.
  
  --
  Sig is for Signature, so you don't have to manually sign every post.
2. Re:Steaming pile by artor3 · 2011-11-10 14:03 · Score: 4, Insightful
  
  You don't need to give up your CC number (or any personal information) unless you are buying a game with your CC. How, exactly, do you think they should handle credit card purchases?
3. Re:Steaming pile by Ash-Fox · 2011-11-10 14:40 · Score: 2
  
  How, exactly, do you think they should handle credit card purchases?
  They should be using a laser and an artificial satellite.
  
  --
  Change is certain; progress is not obligatory.
4. Re:Steaming pile by Culture20 · 2011-11-10 14:51 · Score: 2
  
  20 years from now there is a good chance that such an old game would be incapable with what ever computer your running it on.
  I can run a full emulator on current hardware that I still need to slow down for older games. Twenty years from now, I'm betting it will be similar.
5. Re:Steaming pile by geminidomino · 2011-11-10 15:42 · Score: 2
  
  Do you spend your time today playing 20 year old games?
  More time than I spend playing 2 year old or younger games, yes.
  Currently replaying the original Final Fantasy using the "Duane and Brand0" party.
Re:This is Valve's fault by Spad · 2011-11-10 12:43 · Score: 4, Insightful

Until we have real information about how they were hit, it's difficult to make any assumptions about how badly Valve may have screwed up.
Hat? by jjshoe · 2011-11-10 12:47 · Score: 4, Funny

Do I get a hat for having to go through this?

--
-- botsex is {grep;touch;strip;unzip;head;mount} /dev/girl -t {wet;fsck;fsck;yes;yes;yes;umount} {/de
Re:In comparison with Sony? by IronSight · 2011-11-10 12:52 · Score: 2

TBH Valve wouldn't have found the intrusion if the forums weren't defaced. If the hackers were smart they would have left the site unscathed. Who knows how long they had all of our info. Kinda scary really.
Oblig Half-Life 3 delay... by dstyle5 · 2011-11-10 12:54 · Score: 5, Funny

I wonder how long this will delay the release of Half-Life 3? Or Half-Life 2 Episode 3? Left 4 Dead 3? Portal 3?

/oblig game delay post

Hmm, thats alot of 3 games Valve could be working on....
Re:PCI Compliance by X0563511 · 2011-11-10 12:54 · Score: 2

Yep. That's called a reference transaction. Someone needs to go do some homework before continuing to accept credit cards.

--
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Unencrypted passwords by phorm · 2011-11-10 13:40 · Score: 5, Interesting

All you need to see about EA's security is how they deal with "lost passwords"
Last time I did a lost password request with EA, they happily sent me my password in email. No, not a "password reset request", but my actual password.
This tells me that:
a) They're dumb enough to send passwords in plaintext via email
b) They're dumb enough to store plaintext-retrievable passwords instead of doing a hash comparison.
FAIL!
My account was among those compromised. by JakFrost · 2011-11-10 14:26 · Score: 5, Interesting

Got hit with this one!
On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone has been playing TeamFortress 2 on it, the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy ( [www.crazy_denis@mail.ru]) demanding that I put the passwords back so he can use the account he bought and paid for. Used Google Translate into Russian sometimes Ukrainian to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today Slashdot story breaks about Steam being compromised. I wasn't the only one I guess!
PasswordMaker - Storage-less and per-site unique hash based password scheme
Changing all my passwords now to a PasswordMaker scheme for unique passwords for every single site based on a storege-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used and generate the same password every time that is unique and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, programming language since this app has been ported to practically everything.
I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.
Here's the conversation for all of you.

From: [mailto:www.crazy_denis@mail.ru]
Sent: Monday, November 07, 2011 11:03 PM
Crazy Denis: You bitch Give me my account is steam which I bought yesterday! will not come back you will have problems moshenik fucking
JakFrost: I would kindly suggest you go and get another account from the source before you lose more than just money. To understand each.
Crazy Denis: How do I get another account?
JakFrost: Ask a guy who you got this one and get another one. This account is off limits.
Crazy Denis: I wrote to him he was going to do nothing to write tehpoderzhku said there had already written an answer waiting for 24 hours
damn well bring back pliz account you do what it's worth it
JakFrost: What's the password for that account so that I could find one for you?
Crazy Denis: Login: MyUsername Password: ********
JakFrost: (No Reply)
Crazy Denis: Well, I found?
JakFrost: That is correct user name and password, but that account is currently blocked by Steam support of a security breach. I can not use it either, so it ruined for us both.
Crazy Denis: Yes, all right there!, Today began to go wrong is led pishel password or an account is not suschustvuet
JakFrost: I do not know, I get an error that the password is incorrect or the account has not been found.
Crazy Denis: A registered on your soap the same account?
JakFrost: No, it does not work.
Crazy Denis: clear, damn well feel sorry for you and I were left wi
Do unto others... by mjwx · 2011-11-10 15:01 · Score: 2

Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, accounts details stolen, account information hashed and salted, Sony ran through the ringer.
Valve = Valuable contributor to healthy, competitive market. Cares about customers.
Sony = Anticompetitive lockdown ensures that a great many games are unplayable as they take a month to sort out the problem. Doesn't give a shit about customers.

Why is the concept that people will treat companies in the same way that those companies treat them such a strange and unusual concept to some people?

--
Calling someone a "hater" only means you can not rationally rebut their argument.
Re:PCI standards by alcourt · 2011-11-10 16:39 · Score: 2

PCI DSS does not prohibit storing the full payment account number (PAN) electronically, as long as it is encrypted. The note on PCI DSS 3.2.1 specifically talks about retaining the PAN in the normal course of business. PCI DSS 3.2.2 does prohibit storing the security code printed on the back, or the full magnetic track data. PCI DSS 3.4's requirement to render the PAN unreadable when stored makes it clear that storing that credit card number is permitted, if it is properly protected. The definition of properly protected is given.
I read the announcement as saying that the same database that housed some of the forum data also housed PAN data, but that they were claiming that table of the database was encrypted and thus don't believe it compromised.
One could argue that PCI DSS 2.2.1 (implement only one primary function per system) as violated, but that is debatable based on the few details publicly available.
There is too little available to gauge the incident at this time and guess specific PCI compliance failures.

--
"I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
Fraudulent transaction on my credit card by gregrah · 2011-11-10 18:05 · Score: 4, Informative

Not sure if this is a coincidence, but the credit card that I had on file with Steam got billed with a fraudulent charge on Nov 6. Any other steam users experiencing anything like this?
I've been wondering... by jones_supa · 2011-11-10 19:19 · Score: 2

At the times when Half-Life 2 source was leaked, the cracker said that along spectating the development process he actually made some small changes to the code. Is it possible that some of these made their way to the final product or if there is even some hidden malicious code included? Paranoid, but interesting.