Valve Announces Massive Steam Server Intrusion
SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."
As a show of good will, how about something extra? We trusted Steam; now they have our encrypted credit card info and billing addresses. Origin looks mighty tempting right about now... with BF3 and all. =)
Awesome. Sounds like they were doing things right.
Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...
Funny that I had to read about this on Slashdot. You think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, but Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), but how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...
The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.
I think it may have to do with Gabe being honest about it and immediately going "Yeah it happened, here's what they got, terribly sorry about that :("
Also given the man's track record, I'd personally be more forgiving, when comparing to Sony's track record.
Well, Steam is fundamentally different from Sony:
1. No one told you that you had to store credit card details in Steam; they support PayPal, which prevents this from being an issue.
2. At least they told their users in a prompt manner.
3. It sounds like the information was properly encrypted and stored, this did not sound true with Sony.
There was much miscommunication last time - a Sony executive said the credit card info was unencrypted. Which immediately launched a massive wave of "WTF?" from everyone with even a passing knowledge of security.
There's also the fact that the intrusion targeted the Steam forums, which have distinct accounts from Steam itself. People probably use the same password on both (I think I might've), but it's still slightly better.
And you can't forget the main difference - people can still play their games. During the Sony hacks, people were locked out of online play for quite some time. And people (being stupid) care more about getting their CoD on than not getting their credit cards stolen.
Still not unforgivable, but the fact that Valve is immediately going "we fucked up, we're trying to fix it, here's exactly what's going on" rather than Sony's "We are aware of outages but won't even say that we got hacked for several days". Honesty counts for a lot.
Shall we go into how they fired their whole network security team the week before, or the fact that the attacks on Sony were orchestrated as a retaliatory strike on them for certain lawsuits (I'm not saying it's right)? There were lots more factors to those specific attacks than just "we were hacked".
The fact that all evidence suggests that all credit card info was unencrypted on the Sony server. And no, Sony didn't announce shit until the network had been down for 2 weeks; up until that point they just claimed "maintenance".
Couple of big differences between this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:
1. Completely shut down the service for a week with no explanation.
2. Keep the service offline for an additional month after admitting that they had been compromised.
3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breach.)
5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.
I think that about covers the differences.
Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.
The Kruger Dunning explains most post on
The guy has just admitted they stuffed up. They had a responsibility to protect your data, which they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.
If you think this situation is anything like being raped, you do not know what rape is...
Unless you disabled the security checks, you cannot log into Steam from an untrusted computer. If you try to do so, you will be asked to enter a code that is emailed to the account holder.
No, each one is an independent problem.
None of the weaknesses that have been discovered in common hashes allow reversing them (which is in general impossible anyway since an infinite number of inputs could lead to the same hash, it's just infeasible to find them).
The "crack" is just high-speed testing of possible passwords. Modern cracking software is actually fairly sophisticated about trying substitutions on dictionary words.
Use a passphrase unless there's some stupid limit on password length.
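To make the post above concrete, here is an added example (not from the thread, and not Valve's code) of what a "hashed and salted" store looks like and what a cracker actually does with it: it never reverses the hash, it only guesses candidates, applies dictionary substitutions, and compares. The wordlist, substitution table and salt are constructed for the example, and SHA-256 stands in for whatever function Valve used, which the thread does not name.

```python
import hashlib
import itertools
import os

# Constructed wordlist standing in for a real dictionary (assumption for the example).
WORDLIST = ["dragon", "letmein", "password", "steam", "valve"]

# "Leet" substitutions and suffixes a cracker tries on each dictionary word.
SUBS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ("", "1", "123", "!")


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256: what a 'hashed and salted' column might hold.

    A real system should use a slow, memory-hard function (bcrypt, scrypt,
    Argon2); plain SHA-256 is used here only to keep the example short.
    """
    return hashlib.sha256(salt + password.encode()).hexdigest()


def variants(word: str):
    """Yield the word and its capitalised form with every substitution combo and suffix."""
    positions = [i for i, c in enumerate(word) if c in SUBS]
    for base in (word, word.capitalize()):
        for r in range(len(positions) + 1):
            for chosen in itertools.combinations(positions, r):
                chars = list(base)
                for i in chosen:
                    chars[i] = SUBS[base[i].lower()]
                for suffix in SUFFIXES:
                    yield "".join(chars) + suffix


def crack(stored_hash: str, salt: bytes, wordlist=WORDLIST):
    """Offline guess-and-check. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in variants(word):
            guesses += 1
            if hash_password(candidate, salt) == stored_hash:
                return candidate, guesses
    return None, guesses


def salt_defeats_precomputation(password: str) -> bool:
    """Same password, two random salts -> two different hashes, so a table
    precomputed over unsalted hashes (a rainbow table) is useless."""
    return hash_password(password, os.urandom(16)) != hash_password(password, os.urandom(16))


if __name__ == "__main__":
    salt = os.urandom(16)
    for pw in ("P@ssw0rd1", "correct horse battery staple"):
        found, n = crack(hash_password(pw, salt), salt)
        print(f"{pw!r}: {'cracked' if found else 'not found'} after {n} guesses")
```

The salt does not stop guessing; it only forces the attacker to guess per user instead of once for everyone. The passphrase survives because it is not a dictionary word with substitutions, which is the point the post makes.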
Today's daily deal on Steam is: Day of Defeat.
Couldn't have made a better choice myself.
I refuse to use
Yeah... it's more like getting roofied, and then being told about it 4 days later.
Well, let's start with the fact that PSN intrusion was just one of 23 separate incidents for Sony within a time frame of just a couple of months.
Good thing I just followed the e-mail that just arrived and changed my password then! I'm fortunate to have found it in my junk mail. Weird that Steam is requiring social security numbers to change passwords now.
Until we have real information about how they were hit, it's difficult to make any assumptions about how badly Valve may have screwed up.
Do I get a hat for having to go through this?
Yes, but Sony stored customer data as PLAIN TEXT. Their security was a joke and they deserved all the bad press they got.
Valve on the other hand had all sensitive data encrypted. Which means that the hackers likely got nothing but useless gobbledygook.
I wonder how long this will delay the release of Half-Life 3? Or Half-Life 2 Episode 3? Left 4 Dead 3? Portal 3?
/oblig game delay post
Hmm, that's a lot of 3 games Valve could be working on....
Be warned, the following is only hearsay:
The CC info was encrypted in the database, and Sony used a separate internal-facing server to handle credit card transactions. The problem is, the transaction server wasn't configured properly; unencrypted credit card numbers and billing information were being recorded in Apache logs.
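The failure mode described in that (hearsay) post, cleartext card numbers written into web server logs, is easy to detect after the fact. The following is an added example, not code from Sony, the thread, or any real log-scanning product: it pulls 13-19 digit runs out of constructed Apache-style access log lines, keeps only those that pass the Luhn check, and reports them masked. The log lines and the card number (the well-known 4111... test number) are constructed for the example.

```python
import re

# Digit runs 13-19 long, optionally separated by spaces or dashes (the shape of a PAN).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every real card number, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str):
    """Return the digit runs in a log line that look like card numbers and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Keep only the last four digits, as a report should."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_log(lines):
    """Return [(line_number, [masked PANs])] for lines that leak a card number."""
    findings = []
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            findings.append((n, [mask(p) for p in pans]))
    return findings


# Constructed Apache-style access log lines for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Apr/2011:12:01:07 +0000] "GET /charge?order=1234567890123456 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/Apr/2011:12:01:09 +0000] "POST /charge?cc=4111111111111111&exp=1213 HTTP/1.1" 200 88',
    '10.0.0.7 - - [19/Apr/2011:12:02:44 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, pans in scan_log(SAMPLE_LOG):
        print(f"line {n}: card number(s) in cleartext: {', '.join(pans)}")
```

The 16-digit order number on the first line is skipped because it fails Luhn; only the second line is reported. Run over real logs, the same check is a cheap way to confirm whether query strings or form bodies with card data ever reached disk.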
It's amazing what being generally nice to your customers, delivering what you promise and not trying to ass-rape them at every turn can get you when you finally do screw up isn't it?
All you need to see about EA's security is how they deal with "lost passwords"
Last time I did a lost password request with EA, they happily sent me my password in email. No, not a "password reset request", but my actual password.
This tells me that:
a) They're dumb enough to send passwords in plaintext via email
b) They're dumb enough to store plaintext-retrievable passwords instead of doing a hash comparison.
FAIL!
In fact, this is why I have decided not to change my Steam password. If I get a notification that someone tried to access it, I know the password was compromised, and can act accordingly.
You don't need to give up your CC number (or any personal information) unless you are buying a game with your CC. How, exactly, do you think they should handle credit card purchases?
One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form. For a description of the difference between encryption and hashing, follow this link.
Got hit with this one!
On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone had been playing Team Fortress 2 on it the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy (www.crazy_denis@mail.ru) demanding that I put the passwords back so he could use the account he bought and paid for. Used Google Translate into Russian, sometimes Ukrainian, to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today the Slashdot story breaks about Steam being compromised. I wasn't the only one, I guess!
PasswordMaker - Storage-less and per-site unique hash based password scheme
Changing all my passwords now to a PasswordMaker scheme for unique passwords for every single site, based on a storage-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit, to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used, and you generate the same password every time; it is unique, and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, or programming language, since this app has been ported to practically everything.
I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.
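Here is the scheme from the two posts above as an added example (not PasswordMaker's code and not the poster's shell one-liner): a master password and a site name are hashed and the digest is mapped onto a character set. It also shows the caveat a practitioner would raise. With a fast hash such as MD5, anyone who learns one site's derived password (a site that stores passwords retrievably, as the EA post above describes, hands it over in a breach) can brute-force the master offline and then derive every other site's password. The candidate list, site names and the PBKDF2 variant are constructed for the example.

```python
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%"


def derive(master: str, site: str, length: int = 16, algo: str = "md5") -> str:
    """Stateless per-site password: hash(master + site) mapped onto ALPHABET.

    length is capped by the digest size (16 bytes for MD5, 32 for SHA-256).
    The byte-mod mapping is slightly biased; fine for illustration.
    """
    digest = hashlib.new(algo, (master + site).encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest)[:length]


def derive_slow(master: str, site: str, length: int = 16, rounds: int = 200_000) -> str:
    """Same idea built on PBKDF2-HMAC-SHA256: each guess now costs `rounds` hashes."""
    digest = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(), rounds, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest)


def recover_master(site: str, leaked_password: str, candidates, derive_fn=derive):
    """Offline attack: try each candidate master until one reproduces the leaked password."""
    for guess in candidates:
        if derive_fn(guess, site) == leaked_password:
            return guess
    return None


# Constructed candidate masters; a real attacker would use a wordlist plus mangling rules.
CANDIDATES = ["hunter2", "letmein", "MyPassword69!", "correct horse battery staple"]

if __name__ == "__main__":
    master = "MyPassword69!"
    leaked = derive(master, "slashdot.org")            # one site kept it in cleartext
    found = recover_master("slashdot.org", leaked, CANDIDATES)
    print("master recovered from one leaked site password:", found)
    if found:
        print("attacker can now derive the Steam password:", derive(found, "steampowered.com"))
```

Two consequences follow from the scheme's statelessness: a weak master is a single point of failure across every site, and there is no way to rotate one site's password after a breach without changing the master or adding a per-site counter to the input. Replacing the fast hash with PBKDF2 (or scrypt/Argon2) raises the cost of each master guess but does not remove either property.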
Here's the conversation for all of you.
Our family plays on PSN regularly and we have NEVER given Sony any CC numbers. We even bought a couple games later on, also without cc (7-11 gift certificate).
It took about 5-10 minutes of searching to find the exact reference, but here you go.
So technically speaking the passwords _weren't_ encrypted. I remember when that bit of news came my friends and I were all very curious to know what kind of salt (if any) they were using, but we're all geeks at a software company so we're a bit more clued in about such things. In fact I don't remember if the salt question ever got answered.
As for why it keeps getting brought up, especially in this thread, it's because people keep asking why Sony was treated more harshly than Valve seems to be getting treated now. The answer is that Sony took forever to say anything about what was going on and they made a habit of releasing partial bits of information, some of which were confusing or misleading. The encryption issue is just one of those bits the handling of which upset people.
PSN was hacked between April 17th and 19th. It took a day or three before they shut down the servers without saying a word. It was three more days before they admitted there had been a data intrusion, and another three days before they admitted that user data had been compromised and days more before they admitted that personally identifiable information had been compromised.
If Valve starts dribbling out more bits of previously unrevealed information over the next few weeks (not just details on the aspects they've already confirmed) then the amount of goodwill currently being displayed will erode very fast.
Most of us don't feel that it's possible to prevent all security intrusions, but it is possible for companies to be responsible and forthright about it when it happens.
Not entirely true - some credit card merchant gateways permit you to tokenize the credit card info and re-charge them without ever re-sending (or storing) the details. In these cases, the merchant only ever sees your details once - when they send them in to be tokenized. And the token is also usable only by the original merchant - so the worst a hacker could do with it is forcibly give your money to the merchant.
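The tokenization flow described in that post, as an added example (not code from any real payment gateway; the class and method names are invented for illustration). The gateway's vault is the only place a card number lives; the merchant stores a token bound to its own merchant ID, so a dump of the merchant's customer table contains no card data and the token cannot be replayed through another merchant. The test card number is constructed.

```python
import secrets


class Gateway:
    """Toy payment gateway. The vault is the only place a raw card number is kept."""

    def __init__(self):
        self._vault = {}  # token -> (merchant_id, card_number)

    def tokenize(self, merchant_id: str, card_number: str) -> str:
        """Called once, when the merchant first sees the card. Returns an opaque token."""
        token = secrets.token_urlsafe(16)
        self._vault[token] = (merchant_id, card_number)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        """Re-charge by token. Refuses tokens minted for a different merchant."""
        entry = self._vault.get(token)
        if entry is None:
            raise KeyError("unknown token")
        bound_merchant, card_number = entry
        if bound_merchant != merchant_id:
            raise PermissionError("token is bound to another merchant")
        return {"merchant": merchant_id, "last4": card_number[-4:], "amount_cents": amount_cents}


class Merchant:
    """A store that never persists card numbers, only gateway tokens."""

    def __init__(self, merchant_id: str, gateway: Gateway):
        self.merchant_id = merchant_id
        self.gateway = gateway
        self.customers = {}  # customer -> token; this is all a database breach exposes

    def add_card(self, customer: str, card_number: str) -> None:
        token = self.gateway.tokenize(self.merchant_id, card_number)
        self.customers[customer] = token  # the card number is deliberately not stored

    def rebill(self, customer: str, amount_cents: int) -> dict:
        return self.gateway.charge(self.merchant_id, self.customers[customer], amount_cents)


def breach_exposes_card_number(merchant: Merchant, card_number: str) -> bool:
    """Does a dump of the merchant's customer table contain the card number?"""
    return any(card_number in value for value in merchant.customers.values())


def stolen_token_works_at(gateway: Gateway, token: str, merchant_id: str) -> bool:
    """Can someone holding the token charge the card through the given merchant?"""
    try:
        gateway.charge(merchant_id, token, 100)
        return True
    except PermissionError:
        return False


def demo(card_number: str = "4111111111111111") -> dict:
    """Run the flow end to end and report what an attacker with the merchant DB can do."""
    gw = Gateway()
    steam = Merchant("steam", gw)
    steam.add_card("alice", card_number)
    receipt = steam.rebill("alice", 999)
    stolen = steam.customers["alice"]
    return {
        "last4": receipt["last4"],
        "card_in_merchant_db": breach_exposes_card_number(steam, card_number),
        "token_usable_elsewhere": stolen_token_works_at(gw, stolen, "mallory"),
        "token_usable_at_merchant": stolen_token_works_at(gw, stolen, "steam"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the last result: a stolen token is still usable through the original merchant, which is exactly the "forcibly give your money to the merchant" case in the post. That is why the merchant's own gateway credentials need protecting even when no card numbers are stored.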
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Not sure if this is a coincidence, but the credit card that I had on file with Steam got billed with a fraudulent charge on Nov 6. Any other steam users experiencing anything like this?