
Valve Announces Massive Steam Server Intrusion

SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely."

23 of 434 comments

  1. Proper back end hashing and encryption? by Anonymous Coward · Score: 5, Insightful

    Awesome. Sounds like they were doing things right.

    1. Re:Proper back end hashing and encryption? by ackthpt · Score: 5, Funny

      Awesome. Sounds like they were doing things right.

      Yeah, sounds like they did better than most businesses *cough* Sony *cough* who probably kept everything in a big ol' text file.

      which was named readme.txt

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Proper back end hashing and encryption? by pixelpusher220 · Score: 5, Funny

      please, they aren't that stupid.

      They called it 'dontreadme.txt'

      --
      People in cars cause accidents....accidents in cars cause people :-D
    3. Re:Proper back end hashing and encryption? by muon-catalyzed · Score: 5, Insightful

      ...until some external auditor confirms this, better start the identity theft ritual (credit card pulls etc.)

  2. Way to keep us informed? by feidaykin · Score: 5, Insightful

    Funny that I had to read about this on Slashdot. You think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, but Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), but how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...

    --

    "To confine our attention to terrestrial matters would be to limit the human spirit." -Stephen Hawking

    1. Re:Way to keep us informed? by X0563511 · Score: 5, Informative

      as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases.

      Sounds like you don't like this.
      1. Steam Menu
      2. Settings
      3. Interface Tab
      4. Uncheck the "Notify me..." box near the bottom

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:Way to keep us informed? by Anubis+IV · Score: 5, Informative

      Sony was quite public about it, what are you talking about?

      They may have been public about the fact that there was a breach, but they were incompetent in their handling of it. And based on my e-mail archives, they never fully informed their customers of the extent to which the intruders compromised their servers. Specifically, Sony only sent out two e-mails related to the PSN outage to all of their customers: one on April 28th to say that accounts had been compromised, but that there was no evidence of credit cards having been compromised at that time, and another on June 5th to announce the Welcome Back package. From what I can tell, there was NEVER a mass e-mail to inform their PSN customers that credit card information had, in fact, been stolen, nor did they ever send out a mass e-mail to announce their identity theft protection program (or maybe I just didn't get it because I signed up for it before they sent it?).

      Here's a complete timeline including other announcements besides e-mails:
      January or February 2011 - Sony is told by security experts specifically why their server security sucks
      Early April - Various PSN outages, some because of planned Anonymous DDoS attacks
      April 17th-19th - PSN compromised (source: Sony's April 28th e-mail)
      April 21st - PSN goes down as Sony realizes something is up
      April 23rd - Sony blames outage on external intrusion; makes no mention of compromised accounts
      April 24th - Sony starts "rebuilding" PSN after attack; still no mention of compromised accounts
      April 26th - Sony admits that someone may have some account information for their 77M accounts
      April 27th - Sony confirms that some data was stolen
      April 28th - First e-mail to customers gets sent; says there is no evidence yet of credit cards having been compromised
      May 1st - Sony confirms that 10M users had credit cards compromised; promises PSN up by week's end (spoiler: it didn't happen); doesn't send an e-mail
      May 2nd - SOE goes down after they realized it was compromised too
      May 3rd - Sony admits 24.6M SOE accounts were compromised
      May - Lots more drama as Sony makes promises to have PSN up but then reneges on them repeatedly
      June 2nd - PSN finally comes back up
      June 5th - Second e-mail to customers gets sent; tells them that the Welcome Back package is now available; makes no mention of credit cards, identity theft, or how to sign up for their free identity theft protection program

      I'd hardly call it a model to follow, and I'm still hoping that Valve will make a point of e-mailing their users in the next few days. It's fine to take a few days for something like this while you track down the details, but it does need to get done properly at some point. Sony never did it properly.

    3. Re:Way to keep us informed? by Cl1mh4224rd · Score: 5, Informative

      They did? I never got that one myself.

      I did. I had completely forgotten about it until I read The MAZZTer's comment. I kind of shrugged it off as the usual email spoofing, but it still seemed odd at the time that it made it through Google's spam filter.

      The email, with redactions by me:

      Subject: Come join [redacted], a gaming resource community
      From: webmaster@steampowered.com

      Ever wanted to dominate the servers you play on with guaranteed results, but you were too afraid to cheat because of ban risks? Visit [redacted]. It's safe, secure and undetected.

      Along with hacks, we've also got some general discussion sections, hacking tutorials and tools, porn, free giveaways and much more. This site has been conditioned to meet all your needs in terms of resources so be sure to take a look and tell us what you think.

      Thanks again,
      the [redacted] team.

      --
      People will pass up steak once a week, for crap every day.
  3. Re:Hilarity by Anonymous Coward · Score: 5, Insightful

    The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

  4. Re:Hilarity by ewanm89 · Score: 5, Insightful

    Shall we go into how they fired their whole network security team the week before, or the fact the attacks on Sony were orchestrated as a retaliatory strike on them for certain lawsuits (I'm not saying it's right) just there were lots more factors to those specific attacks than just "we were hacked".

  5. Re:Hilarity by Moheeheeko · Score: 5, Interesting

    The fact that all evidence suggests that all credit card info was unencrypted on the Sony server. And no, Sony didn't announce shit until the network had been down for 2 weeks; up until that point they just claimed "maintenance".

  6. Re:Hey gabe by kelemvor4 · Score: 5, Informative

    Origin looks mighty tempting right about now.. with BF3 and all...

    Sure, if you don't mind handing over an inventory of everything on your PC and letting origin do what they want with the information... http://decryptedtech.com/index.php?option=com_k2&view=item&id=257:eas-origin-may-be-a-little-too-intrusive&Itemid=138

  7. Re:Hilarity by Anonymous Coward · Score: 5, Interesting

    Couple of big differences in this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:

    1. Completely shut down the service for a week with no explanation.
    2. Keep the service offline for an additional month after admitting that they had been compromised.
    3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
    4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breach.)
    5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
    6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.

    I think that about covers the differences.

  8. Re:DRM rocks! by Spad · Score: 5, Insightful

    As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.

    Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.

  9. Re:Hey gabe by Mashiki · Score: 5, Insightful

    Even after this, I still trust Valve more than I trust EA. Hell Valve could kill kittens and use their blood to fuel their servers, and I'd still trust them more than EA. One only needs to look into the past and see how much EA has treated not only their customers as dirt, but their employees.

    --
    Om, nomnomnom...
  10. Accidental irony by Shillo · Score: 5, Funny

    Today's daily deal on Steam is: Day of Defeat.

    Couldn't have made a better choice myself.

    --
    I refuse to use .sig
  11. Whew! by Bobfrankly1 · Score: 5, Funny

    Good thing I just followed the e-mail that just arrived and changed my password then! I'm fortunate to have found it in my junk mail. Weird that Steam is requiring social security numbers to change passwords now.

  12. Oblig Half-Life 3 delay... by dstyle5 · Score: 5, Funny

    I wonder how long this will delay the release of Half-Life 3? Or Half-Life 2 Episode 3? Left 4 Dead 3? Portal 3?

    /oblig game delay post

    Hmm, that's a lot of 3 games Valve could be working on....

  13. Re:Hilarity by Charliemopps · Score: 5, Insightful

    It's amazing what being generally nice to your customers, delivering what you promise and not trying to ass-rape them at every turn can get you when you finally do screw up isn't it?

  14. Re:Hey gabe by Ant+P. · Score: 5, Informative

    Yeah, so far Valve's credit card database has been stolen, but EA customers are the ones getting money stolen from their bank accounts.

  15. Unencrypted passwords by phorm · Score: 5, Interesting

    All you need to see about EA's security is how they deal with "lost passwords"

    Last time I did a lost password request with EA, they happily sent me my password in email. No, not a "password reset request", but my actual password.
    This tells me that:
    a) They're dumb enough to send passwords in plaintext via email
    b) They're dumb enough to store plaintext-retrievable passwords instead of doing a hash comparison.

    FAIL!

  16. Re:Hey gabe by rapidreload · Score: 5, Funny

    Hell Valve could kill kittens and use their blood to fuel their servers

    Wait... are you saying kitteh sacrifices are NOT part of standard server administration? Shit, I'm not quite sure what my boss is going to say when he finds out how I run things...

    --
    To all newcomers - people here are very close-minded and can't handle complaints about Linux. Keep this in mind.
  17. My account was among those compromised. by JakFrost · Score: 5, Interesting

    Got hit with this one!

    On the morning of Nov 7th I started getting e-mails from Steam Support with confirmation codes when someone was trying to change my password and e-mail. Reinstalled Steam after a year or more of non-usage only to find that someone has been playing TeamFortress 2 on it, the same day. Changed my passwords. That evening received a number of angry e-mails from a Russian guy ( [www.crazy_denis@mail.ru]) demanding that I put the passwords back so he can use the account he bought and paid for. Used Google Translate into Russian sometimes Ukrainian to string him along through 12 short e-mails and got him to reveal and confirm that he actually had my username and password in clear text. Opened up a support case with Steam and forwarded the entire e-mail chain to them to start investigating. Got a form letter back, replied again asking them to check their systems for intrusion... today Slashdot story breaks about Steam being compromised. I wasn't the only one I guess!

    PasswordMaker - Storage-less and per-site unique hash based password scheme

    Changing all my passwords now to a PasswordMaker scheme for unique passwords for every single site based on a storage-less system that uses a master password + URL + other info you choose -> MD5 sum -> alpha-numeric symbols -> length limit to generate a unique password for every site and account based off your own single or multiple master passwords. You have to remember your own password and the settings you used and generate the same password every time that is unique and there is no secret data file to steal from you or for you to lose on a USB disk or upload to the net. This way your password is already hashed when you submit it to a site, it is unique per site, you don't have to store a list of passwords in any file, and you can regenerate your password on any browser, mobile phone, programming language since this app has been ported to practically everything.

    I was thinking of something simpler such as "echo MyPassword69! slashdot.org|md5sum" and then "aaa53a64cbb02f01d79e6aa05f0027ba" using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.

    Here's the conversation for all of you.

    From: [mailto:www.crazy_denis@mail.ru]
    Sent: Monday, November 07, 2011 11:03 PM

    Crazy Denis: You bitch Give me my account is steam which I bought yesterday! will not come back you will have problems moshenik fucking

    JakFrost: I would kindly suggest you go and get another account from the source before you lose more than just money. To understand each.

    Crazy Denis: How do I get another account?

    JakFrost: Ask a guy who you got this one and get another one. This account is off limits.

    Crazy Denis: I wrote to him he was going to do nothing to write tehpoderzhku said there had already written an answer waiting for 24 hours
    damn well bring back pliz account you do what it's worth it

    JakFrost: What's the password for that account so that I could find one for you?

    Crazy Denis: Login: MyUsername Password: ********

    JakFrost: (No Reply)

    Crazy Denis: Well, I found?

    JakFrost: That is correct user name and password, but that account is currently blocked by Steam support of a security breach. I can not use it either, so it ruined for us both.

    Crazy Denis: Yes, all right there!, Today began to go wrong is led pishel password or an account is not suschustvuet

    JakFrost: I do not know, I get an error that the password is incorrect or the account has not been found.

    Crazy Denis: A registered on your soap the same account?

    JakFrost: No, it does not work.

    Crazy Denis: clear, damn well feel sorry for you and I were left wi
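The stateless derivation JakFrost describes in the post above (master password + site string -> hash -> re-encoded into a chosen character set -> truncated to a length limit), as an added example. This is not PasswordMaker's own code and not the poster's: the character set, the concatenation order `master + site`, and the base-conversion step from digest bytes to characters are all assumptions made here for illustration. The second helper shows what the poster's simpler `echo ... | md5sum` pipeline actually hashes, since `echo` appends a newline to the line it prints.

```python
import hashlib
import string

# Character set assumed for this example; PasswordMaker lets the user pick its own.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"   # 70 symbols


def digest_to_charset(digest: bytes, charset: str) -> str:
    """Re-encode a raw hash digest as text over `charset`.

    The digest is read as one big integer and written out in base len(charset),
    so every output character carries log2(len(charset)) bits of the digest
    (about 6.1 bits per character for a 70-symbol set)."""
    n = int.from_bytes(digest, "big")
    base = len(charset)
    out = []
    while n:
        n, r = divmod(n, base)
        out.append(charset[r])
    return "".join(reversed(out))


def derive_password(master: str, site: str, length: int = 16,
                    algorithm: str = "md5", charset: str = DEFAULT_CHARSET) -> str:
    """Per-site password from a master secret and a site label; nothing is stored.

    Edge case handled: a short digest (MD5 is 128 bits) cannot fill a long
    password over a large charset, so instead of silently returning fewer
    characters than asked for we refuse and point at a longer hash."""
    h = hashlib.new(algorithm, (master + site).encode("utf-8"))   # assumed order: master then site
    encoded = digest_to_charset(h.digest(), charset)
    if len(encoded) < length:
        raise ValueError(
            f"{algorithm} yields only {len(encoded)} characters over this charset; "
            "use a longer hash such as sha256 or request a shorter password")
    return encoded[:length]


def shell_style_md5(master: str, site: str) -> str:
    """What `echo "MASTER SITE" | md5sum` hashes: the printed line including
    the trailing newline that echo adds, separated by a space as in the post."""
    return hashlib.md5(f"{master} {site}\n".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed demo inputs; the master secret here is just a placeholder.
    master = "correct horse battery staple"
    for site in ("slashdot.org", "steampowered.com"):
        print(site, derive_password(master, site))
        print(site, derive_password(master, site, length=24, algorithm="sha256"))
    print("echo-style md5:", shell_style_md5(master, "slashdot.org"))
```

Two design points worth noticing when using a scheme like this. First, the site string is part of the input, so `slashdot.org` and `www.slashdot.org` yield unrelated passwords; pick one canonical form per site and stick to it. Second, the derivation is deterministic and the hash is fast, so a site that keeps or leaks the derived password in plaintext (as another comment in this thread describes EA doing) hands out a value an attacker can grind offline against guesses of the master secret; the master password therefore has to be long, and a slow hash is a better fit than MD5 if the tool allows one.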