
Valve Announces Massive Steam Server Intrusion

samzenpus posted more than 2 years ago | from the save-my-game dept.

Security 434

SKYMTL writes "Valve has revealed that hackers have gained access to the Steam database and have pulled a variety of information. A statement from Gabe Newell reads in part: 'Dear Steam Users and Steam Forum Users, Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums. We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating. We don't have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.'"


434 comments


Hey gabe (4, Interesting)

Anonymous Coward | more than 2 years ago | (#38017918)

As a show of good will, how about something extra? We trusted steam, now they have our encrypted credit card info and billing addresses. Origin looks mighty tempting right about now.. with BF3 and all... =)

Re:Hey gabe (5, Informative)

kelemvor4 (1980226) | more than 2 years ago | (#38018090)

Origin looks mighty tempting right about now.. with BF3 and all...

Sure, if you don't mind handing over an inventory of everything on your PC and letting origin do what they want with the information... http://decryptedtech.com/index.php?option=com_k2&view=item&id=257:eas-origin-may-be-a-little-too-intrusive&Itemid=138 [decryptedtech.com]

Re:Hey gabe (4, Insightful)

ludomancer (921940) | more than 2 years ago | (#38018180)

You're just being stupid for the sake of comedy right?

Amazon.com looks good right now.
Fuck, even Best Buy looks good right now.

Origin looks like the exact same crap, but with a much less trustworthy company in charge of it. EA would sell all that personal information straight to the hackers if it meant they could turn a profit.

Re:Hey gabe (5, Insightful)

Mashiki (184564) | more than 2 years ago | (#38018186)

Even after this, I still trust Valve more than I trust EA. Hell Valve could kill kittens and use their blood to fuel their servers, and I'd still trust them more than EA. One only needs to look into the past and see how much EA has treated not only their customers as dirt, but their employees.

Proper back end hashing and encryption? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38017922)

Awesome. Sounds like they were doing things right.

Re:Proper back end hashing and encryption? (5, Funny)

ackthpt (218170) | more than 2 years ago | (#38017956)

Awesome. Sounds like they were doing things right.

Yeah, sounds like they did better than most businesses *cough* Sony *cough* who probably kept everything in a big ol' text file.

which was named readme.txt

Re:Proper back end hashing and encryption? (5, Funny)

pixelpusher220 (529617) | more than 2 years ago | (#38018092)

please, they aren't that stupid.

They called it 'dontreadme.txt'

Re:Proper back end hashing and encryption? (1, Funny)

BenJCarter (902199) | more than 2 years ago | (#38018284)

"People in cars cause accidents....accidents in cars cause people" Sorry for off topic. Sig made me lol!

Re:Proper back end hashing and encryption? (5, Insightful)

muon-catalyzed (2483394) | more than 2 years ago | (#38018212)

...until some external auditor confirms this, better start the identity theft ritual (credit card pulls etc.)

Re:Proper back end hashing and encryption? (2)

X0563511 (793323) | more than 2 years ago | (#38018288)

All my cards already got compromised. Whee. I think some merchant somewhere was doing exactly what the PCI-DSS council [pcisecuritystandards.org] says not to do.

Fortunately they all have 'zero liability' - wonder how long that will last? In my case, the best the hackers got were deactivated card numbers and a password that just became useless.

Hilarity (2, Insightful)

OverlordQ (264228) | more than 2 years ago | (#38017930)

Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.

Love to see the hivemind at work.

Re:Hilarity (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38017974)

The difference is in part due to how the attacks were handled by the respective companies, and in part due to the fact that Sony is run by gigantic cocks while Valve isn't.

Re:Hilarity (1, Insightful)

Gravatron (716477) | more than 2 years ago | (#38017992)

Sony announced it rather quickly, brought the network down till it was fixed, and gave everyone free games and a year of ID theft protection. What, exactly, was Sony's major problem in how they handled things?

Re:Hilarity (5, Insightful)

ewanm89 (1052822) | more than 2 years ago | (#38018042)

Shall we go into how they fired their whole network security team the week before, or the fact that the attacks on Sony were orchestrated as a retaliatory strike on them for certain lawsuits (I'm not saying it's right)? There were just lots more factors to those specific attacks than just "we were hacked".

Re:Hilarity (0, Troll)

Gravatron (716477) | more than 2 years ago | (#38018202)

Except the hack was really all that mattered in the end. I still hope they find the SOBs that did it and have their pimply arses thrown in jail. You see, I'm a bit bitter about entitlement-complexed hackers stealing my info because Sony wouldn't let them pirate games.

Re:Hilarity (2, Informative)

Anonymous Coward | more than 2 years ago | (#38018248)

You see, I'm a bit bitter about entitlement-complexed hackers stealing my info because Sony wouldn't let them pirate games.

Then you'll be pleased to know that this is not in fact what happened.

Re:Hilarity (5, Interesting)

Moheeheeko (1682914) | more than 2 years ago | (#38018076)

The fact that all evidence suggests that all credit card info was unencrypted on the Sony server. And no, Sony didn't announce shit until the network had been down for 2 weeks; up until that point they just claimed "maintenance".

Re:Hilarity (1)

Gravatron (716477) | more than 2 years ago | (#38018172)

Citation needed? I remember them saying the CC info was indeed encrypted. And they announced it sooner than that, I believe.

Re:Hilarity (4, Informative)

Cyberllama (113628) | more than 2 years ago | (#38018232)

Well, let's start with the fact that the PSN intrusion was just one of 23 separate incidents for Sony within a time frame of just a couple of months.

Re:Hilarity (4, Insightful)

mr_da3m0n (887821) | more than 2 years ago | (#38017988)

I think it may have to do with Gabe being honest about it and immediately going "Yeah it happened, here's what they got, terribly sorry about that :(" Also, given the man's track record, I'd personally be more forgiving when comparing to Sony's track record.

Re:Hilarity (1, Funny)

bloodhawk (813939) | more than 2 years ago | (#38018100)

The guy has just admitted they stuffed up. They had a responsibility to protect your data that they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.

Re:Hilarity (3, Insightful)

Local ID10T (790134) | more than 2 years ago | (#38018166)

The guy has just admitted they stuffed up. They had a responsibility to protect your data that they force you to provide. This is the equivalent of being raped in a police station and then being happy that the cops admitted it happened and are very sorry about it.

If you think this situation is anything like being raped, you do not know what rape is...

Re:Hilarity (4, Funny)

Anonymous Coward | more than 2 years ago | (#38018228)

Yeah... it's more like getting roofied, and then being told about it 4 days later.

Re:Hilarity (2, Insightful)

Joehonkie (665142) | more than 2 years ago | (#38018178)

Yes, this is exactly like being raped. At a police station. Exactly the same.

Re:Hilarity (2)

X0563511 (793323) | more than 2 years ago | (#38018322)

Ignoring the rape comparison, I would be happy they admitted it. Would you prefer they pretend it didn't happen, and go "la la la la we didn't see it"?

Re:Hilarity (4, Informative)

ewanm89 (1052822) | more than 2 years ago | (#38017998)

Well, Steam is fundamentally different from Sony:
1. No-one told you you had to store credit card details in Steam; they support PayPal, which prevents this being an issue.
2. At least they told their users in a prompt manner.
3. It sounds like the information was properly encrypted and stored; this did not sound true with Sony.

Re:Hilarity (1)

somersault (912633) | more than 2 years ago | (#38018070)

No-one told you you had to store credit card details in steam

Did somebody tell you to store your credit card details on PSN?

Re:Hilarity (1)

Stan92057 (737634) | more than 2 years ago | (#38018148)

It Sounds Like?? That doesn't make me feel any safer.

Re:Hilarity (4, Informative)

gman003 (1693318) | more than 2 years ago | (#38018016)

There was much miscommunication last time - a Sony executive said the credit card info was unencrypted. Which immediately launched a massive wave of "WTF?" from everyone with even a passing knowledge of security.

There's also the fact that the intrusion targeted the Steam forums, which have distinct accounts from Steam itself. People probably use the same password on both (I think I might've), but it's still slightly better.

And you can't forget the main difference - people can still play their games. During the Sony hacks, people were locked out of online play for quite some time. And people (being stupid) care more about getting their CoD on than not getting their credit cards stolen.

Still not unforgivable, but the fact that Valve is immediately going "we fucked up, we're trying to fix it, here's exactly what's going on" rather than Sony's "We are aware of outages but won't even say that we got hacked for several days". Honesty counts for a lot.

Re:Hilarity (1)

Gravatron (716477) | more than 2 years ago | (#38018030)

CC info was indeed encrypted on Sony's end; it was personal details like address that were not.

Re:Hilarity (2)

gman003 (1693318) | more than 2 years ago | (#38018130)

Yes - but some Sony exec stated otherwise, which caused no end of confusion even after they corrected the statement.

Re:Hilarity (1)

Kenja (541830) | more than 2 years ago | (#38018168)

And of course the large number of CC fraud reports from Sony customers right after the event lends some credence to the idea that the numbers were not encrypted, or at least not encrypted well.

Re:Hilarity (1)

Gravatron (716477) | more than 2 years ago | (#38018188)

Who cares? An exec misspeaking doesn't suddenly mean it was all in clear text.

Re:Hilarity (1)

Daetrin (576516) | more than 2 years ago | (#38018262)

In the period between when the exec, a reasonable authority figure in this case, said the credit card info was unencrypted and when it was confirmed that it actually was encrypted, it was entirely reasonable for everyone to be worried and pissed off at Sony. Finding out the truth later is a pretty good reason to stop worrying (as much), but it provides an entirely different reason to be pissed off at Sony.

Re:Hilarity (1)

Gravatron (716477) | more than 2 years ago | (#38018302)

Do you have a citation for the exec part, btw? I honestly don't remember that. And again, in the end the info was properly secured. I don't see why people keep bringing it up as a bash against them over and over again. Hell, it's been mentioned several times in this thread alone.

Re:Hilarity (1)

ewanm89 (1052822) | more than 2 years ago | (#38018066)

The forum account password and the steam account password are linked.

Re:Hilarity (3, Informative)

Kenja (541830) | more than 2 years ago | (#38018190)

Unless you disabled the security checks, you can not log into steam from an untrusted computer. If you try to do so, you will be asked to enter a code that is emailed to the account holder.

Re:Hilarity (2)

Baloroth (2370816) | more than 2 years ago | (#38018192)

Ummm, no? Unless you mean something weird by "linked", forum and Steam accounts are separate.

Re:Hilarity (0)

Anonymous Coward | more than 2 years ago | (#38018020)

Valve gets hacked, account details likely stolen, account information hashed and salted, Gabe still praised.
Sony gets hacked, account details stolen, account information hashed and salted, Sony run through the wringer.

Love to see the hivemind at work.

They owned up to it immediately, they didn't wait several weeks, and deny anything happened several times.

Re:Hilarity (0)

Anonymous Coward | more than 2 years ago | (#38018120)

Valve is being upfront, and transparent. Sony would barely admit they were hacked initially with details of the hack getting worse over the weeks after the hack. The difference here is Valve is telling everyone exactly what they need to know upfront. Please troll elsewhere.

Re:Hilarity (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38018124)

Couple of big differences in this case and the Sony case, though. So far, Valve is far ahead of Sony. In order to be on Sony's level, Valve would have to:

1. Completely shut down the service for a week with no explanation.
2. Keep the service offline for an additional month after admitting that they had been compromised.
3. Claim that passwords were stored unencrypted, then when called on that, claim that they meant hashed. But not salted.
4. Allow unencrypted credit card data to be stolen. (PSN users reported suspicious activity on their cards, and I know my bank sent me a new card due to the breach.)
5. In order to make up for the outage, offer a "free month" of "premium" service that A) is a limited time offer and B) requires a subscription fee to continue to use any content accessed during that time.
6. Later have it determined that the vulnerability was caused by an Apache server that was left unpatched for over two years.

I think that about covers the differences.

Fuck people. (-1, Offtopic)

orphiuchus (1146483) | more than 2 years ago | (#38017936)

I'm out of other ways to word it. I fucking hate people.

Re:Fuck people. (1)

Anonymous Coward | more than 2 years ago | (#38018078)

I hate you too.

Re:Fuck people. (1)

geekoid (135745) | more than 2 years ago | (#38018164)

You could learn about confirmation bias and statistics. Then you would realize that the vast majority won't do something like that.

Re:Fuck people. (1)

mark_elf (2009518) | more than 2 years ago | (#38018268)

In this thread, bias confirmation and statistics prove that people are good. Don't hate them!

d'oh (1)

terrox (555131) | more than 2 years ago | (#38017938)

and I just joined Steam recently.. damn.

Encrypted (0)

Anonymous Coward | more than 2 years ago | (#38017946)

Why isn't EVERYTHING on their server encrypted?

Re:Encrypted (1)

cheater512 (783349) | more than 2 years ago | (#38018046)

Cause the encryption key would also have to be on the server?

Re:Encrypted (1)

ewanm89 (1052822) | more than 2 years ago | (#38018194)

Well, technically it could be on a separate server from the database server or the web server, but generally once one has access to one of the three they have enough access to the other two if they were segregated.

Re:Encrypted (1)

koolfy (1213316) | more than 2 years ago | (#38018316)

Then how do they manage the credit card numbers?
They cannot simply hash them; they need access to the actual cleartext data at some point.

My bet is on one or several servers containing one or several decryption keys.

So the question remains. Why not encrypt EVERYTHING?

Re:Encrypted (1)

Firehed (942385) | more than 2 years ago | (#38018224)

Because it's highly impractical if you want your audit logs to be in any way useful (also if you don't want your key rotation to take months). It's also pointless overhead when it comes to non-sensitive data. Get a name and city, and there's a good chance you can get phone number, full street address, and more from whitepages.com (and similar sites). Several years ago, people got this same info from things called phone books.

I'm disappointed to hear this happened, but assuming they're correct in their belief that the encryption keys were not compromised, I'm not worried. I don't think anything was compromised that isn't about four seconds' worth of Googling away, with the exception of the list of games I've bought (oh, no!).

In comparison with Sony? (1)

Commontwist (2452418) | more than 2 years ago | (#38017950)

Sounds a bit quicker (once they discovered the problem) and sincere from what I remember of Sony's 'efforts' when PSN got hacked.

Re:In comparison with Sony? (1)

salemboot (1178525) | more than 2 years ago | (#38018088)

PSN admins just never noticed for whatever reasons, playing games... looking at p0rn... Same thing, it seems, with kernel.org; they were too focused on releases and deprecations.

DRM rocks! (4, Insightful)

Anonymous Coward | more than 2 years ago | (#38017952)

Thank god I had to sign up to STEAM and give out my personal information to play a game I had already purchased otherwise I might never have become a victim of identity theft...

Re:DRM rocks! (0)

Anonymous Coward | more than 2 years ago | (#38018056)

If you already purchased the game, why would you enter real/valid information into steam?

I can understand if you are buying online with a credit card or if they are shipping to you, but for just an online account there is no reason to give true information; it just causes these exact problems.

Re:DRM rocks! (5, Insightful)

Spad (470073) | more than 2 years ago | (#38018160)

As opposed to Xbox Live? GFWL? The Rockstar Social Club? Origin? Any MMO ever? Any website you've ever purchased anything from? etc.

Let's face it, there's no shortage of places that have some, part or all of your personal information these days; Steam is just one of many.

Way to keep us informed? (5, Insightful)

feidaykin (158035) | more than 2 years ago | (#38017964)

Funny that I had to read about this on Slashdot. You'd think they could send out a mass email to everyone with a Steam account, especially when credit card numbers are involved (even if they're encrypted). I hate inbox clutter as much as the next guy, and Gabe himself says to watch your credit cards for suspicious activity (which is never a bad idea), but how are Steam users supposed to know to do so if we don't read the Steam forums, or read Slashdot? Seems like they kinda dropped the ball on the whole communication thing here...

Re:Way to keep us informed? (1)

The MAZZTer (911996) | more than 2 years ago | (#38018024)

The funny thing is the HACKERS sent out a mass e-mail to everyone with a steam forums account, advertising some steam hacks (either they are stupid and were advertising themselves or they were framing another group). Also I never actually got Gabe's email, I only read about THAT on Joystiq first.

Re:Way to keep us informed? (1)

Kral_Blbec (1201285) | more than 2 years ago | (#38018028)

No kidding. I didn't get any email about this. Posting it on the forums is half-assed at best. Still better than Sony's no-ass attempt though.

Re:Way to keep us informed? (2)

Gravatron (716477) | more than 2 years ago | (#38018060)

Sony was quite public about it, what are you talking about? I got emails about it, and they sent out press releases about it IIRC.

Re:Way to keep us informed? (1)

Anonymous Coward | more than 2 years ago | (#38018250)

two weeks AFTER it happened

Re:Way to keep us informed? (1)

Mashiki (184564) | more than 2 years ago | (#38018294)

Funny. From the time Sony was hacked to the time I got an email on an account that was a one-time use for something particular, it took them nearly 3 weeks to send out an email.

Valve took their forums offline on the 7th and reported that they were attacked the same day. And reported today exactly what had been taken. I dunno, 3 days, all the major gaming sites covered it...

Re:Way to keep us informed? (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38018038)

Funny you should say that - I just logged into steam and had that message pop up as the first thing it did, good luck getting any cash out of my account though - I max it the day I get paid :-D

Re:Way to keep us informed? (1)

Kenja (541830) | more than 2 years ago | (#38018074)

Only forum account information was lost. If you try to connect to the forums you are told and forced to change your password.

Re:Way to keep us informed? (2)

Rockoon (1252108) | more than 2 years ago | (#38018084)

My guess is that they are sending out emails, but since they literally have tens of millions of regular users (and certainly tens of millions of users that haven't connected in a long time), that might take some time.

Re:Way to keep us informed? (4, Insightful)

cstdenis (1118589) | more than 2 years ago | (#38018106)

It sounds like they are. The article says "...below is the full email from Gabe Newell to Steam members."

Keep in mind Steam has a hell of a lot of members. It can easily take several hours to send out that many emails.

Re:Way to keep us informed? (1)

Ihmhi (1206036) | more than 2 years ago | (#38018136)

Steam has the ability to push out news to everyone, as well as updates. I am well aware of this as every time I close out a Steam game I am bombarded with a multi-page post of the latest deals and new releases. I'm also notified when the client has to update.

I'm pretty sure that they have a way to push out a notice to everyone - I'm just wondering why they haven't done it yet.

Re:Way to keep us informed? (1)

pete_p (70057) | more than 2 years ago | (#38018254)

You can disable the annoying ad when you leave a game, btw. It's the "Notify me (with Steam instant messages)..." checkbox in prefs under interface.

But yeah, they probably should have pushed a notice through Steam.

Re:Way to keep us informed? (4, Informative)

IICV (652597) | more than 2 years ago | (#38018144)

The announcement also pops up after you stop playing a Steam game. Normally there's some ads when you do that, but currently the first thing that shows up is the text that Slashdot posted here. It's actually quite effective, because normally you get pictures and ads and things instead of a wall of text, so it stands out.

YOU FAIL* IT (-1)

Anonymous Coward | more than 2 years ago | (#38018000)

fly They LoOked purposes *BSD is

Prevention (1)

salemboot (1178525) | more than 2 years ago | (#38018014)

SQL Injection? Come on Valve. Get your Database Specialist some training.

Re:Prevention (1)

Bobfrankly1 (1043848) | more than 2 years ago | (#38018256)

SQL Injection? Come on Valve. Get your Database Specialist some training.

Where are you getting SQL injection from? Database access != SQL injection.

Oh Shi- (0)

Anonymous Coward | more than 2 years ago | (#38018036)

I accidentally just like Sony!?!

How hard are the passwords to crack? (2)

Galaga88 (148206) | more than 2 years ago | (#38018048)

I'm not worried about my Steam password, I can go change it when I get home, it was fairly complex, and it's not a reused password anywhere else, but how hard would it be to crack these?

For those of us who aren't cryptography experts, does cracking one of the easy passwords (love, password, money) then help crack the more complex ones (m4sT3rm!nd)? I'm guessing this is crypto 101 stuff.

I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)

Re:How hard are the passwords to crack? (1)

Kenja (541830) | more than 2 years ago | (#38018158)

Keep in mind, you can't log into a Steam account from an unregistered computer (assuming you didn't turn the security checks off). If someone tries, they need to enter a code that gets emailed to you. So I'm having a hard time figuring out what anyone can do with the information other than build a list of email addresses to try and use for phishing scams. Granted, if you stored your CC number in Steam you may have a problem.

Re:How hard are the passwords to crack? (1)

Anonymous Coward | more than 2 years ago | (#38018230)

Of course people stored their CC numbers in Steam. Steam gamers buy a lot of games... and they trusted Valve. So yes, a lot of people are screwed, including this anonymous coward.

Re:How hard are the passwords to crack? (1)

Kenja (541830) | more than 2 years ago | (#38018306)

I am a Steam customer, I buy a lot of games, and I don't store my credit card information any place other than my wallet. And keep in mind, the CC numbers themselves may not have been taken. They are in a separate table and, as the email says, they have no evidence that it was touched.

Re:How hard are the passwords to crack? (4, Informative)

Beryllium Sphere(tm) (193358) | more than 2 years ago | (#38018210)

No, each one is an independent problem.

None of the weaknesses that have been discovered in common hashes allow reversing them (which is in general impossible anyway since an infinite number of inputs could lead to the same hash, it's just infeasible to find them).

The "crack" is just high-speed testing of possible passwords. Modern cracking software is actually fairly sophisticated about trying substitutions on dictionary words.

Use a passphrase unless there's some stupid limit on password length.

Re:How hard are the passwords to crack? (1)

Spad (470073) | more than 2 years ago | (#38018218)

General rules are: mixed case/numbers/symbols all make them harder to crack, but not as much as making them longer.
Cracking simple encrypted passwords will not help you crack any more complex ones unless Valve have done something horribly wrong in terms of encrypting them.

Re:How hard are the passwords to crack? (0)

Anonymous Coward | more than 2 years ago | (#38018242)

I'm not worried about my Steam password, I can go change it when I get home, it was fairly complex, and it's not a reused password anywhere else, but how hard would it be to crack these?

For those of us who aren't cryptography experts, does cracking one of the easy passwords (love, password, money) then help crack the more complex ones (m4sT3rm!nd)? I'm guessing this is crypto 101 stuff.

I am glad I no longer store credit card information with steam, and only used PayPal (and have an authentication card attached to my PP account.)

You should probably read this:

http://xkcd.com/936/

Re:How hard are the passwords to crack? (2)

alcourt (198386) | more than 2 years ago | (#38018280)

Knowing one password does not materially help attacks on other passwords. However, depending on the algorithm used, it may be possible to brute-force the password. For example, if the old Unix crypt(3c) algorithm is used, then most passwords can be brute-forced in reasonable time now. Recent advances have led to use of the graphics card on your system to perform those attacks.

Longer hashes like MD5 are significantly harder as they support a much longer search space, but few people use a password over twelve characters. Certainly, any password under seven characters should be considered vulnerable, regardless of the algorithm used to salt/hash them.

Assuming (big if) they are using standard password hashing algorithms, long (at least 15 characters long) passwords that are pasted, not typed, because they are completely randomly generated are your best protection in such cases.

Passwords are just evil though.

Re:How hard are the passwords to crack? (1)

mug funky (910186) | more than 2 years ago | (#38018292)

Gabe says the passwords are salted.

This means random strings of text are added to your password before hashing.

This is extremely difficult to crack; it leaves you having to brute-force it, as rainbow tables become nearly useless.
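The salting described in this post, together with Beryllium Sphere's point earlier in the thread that each salted hash is an independent problem, as an added example that is not from the original thread and not Valve's code: a per-user-salted PBKDF2 table beside an unsalted SHA-256 one, with a count of how many hash evaluations one wordlist pass costs against each. The KDF, its work factor, and the sample users and wordlist are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# PBKDF2-HMAC-SHA256 work factor. Deliberately low so the demo runs in well
# under a second; a production deployment would use a far higher count or a
# memory-hard KDF. The scheme itself is an assumption for this example, not
# what Valve actually used.
ITERATIONS = 20_000
SALT_BYTES = 16

Record = Tuple[bytes, bytes]  # (salt, digest) as stored in the user table


def hash_password(password: str, salt: Optional[bytes] = None) -> Record:
    """Return (salt, digest). A fresh random salt is drawn when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, record: Record) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_salted_db(creds: Dict[str, str]) -> Dict[str, Record]:
    """What a 'hashed and salted' user table looks like: one random salt per user."""
    return {user: hash_password(pw) for user, pw in creds.items()}


def build_unsalted_db(creds: Dict[str, str]) -> Dict[str, bytes]:
    """The weak scheme for contrast: a plain SHA-256 of the password, no salt."""
    return {user: hashlib.sha256(pw.encode("utf-8")).digest() for user, pw in creds.items()}


def guessing_cost_unsalted(db: Dict[str, bytes], wordlist: Iterable[str]) -> Tuple[int, int]:
    """Unsalted: hash each guess once, then match every record by table lookup
    (this is what a rainbow table amortises). Returns (records recovered,
    hash evaluations performed)."""
    words = list(wordlist)
    table = {hashlib.sha256(w.encode("utf-8")).digest(): w for w in words}
    recovered = sum(1 for digest in db.values() if digest in table)
    return recovered, len(words)


def guessing_cost_salted(db: Dict[str, Record], wordlist: Iterable[str]) -> Tuple[int, int]:
    """Salted: nothing precomputed carries over, so each record must be guessed
    separately with its own salt. Returns (records recovered, KDF evaluations)."""
    words = list(wordlist)
    recovered = 0
    evaluations = 0
    for salt, digest in db.values():
        for w in words:
            evaluations += 1
            if hmac.compare_digest(hash_password(w, salt)[1], digest):
                recovered += 1
                break
    return recovered, evaluations


def same_password_distinguishable(db: Dict[str, Record], a: str, b: str) -> bool:
    """True when two records holding the same password still have different digests."""
    return db[a][1] != db[b][1]


# Constructed sample data for the demo (not real accounts). Two users share a
# weak password from the thread's list; one uses the thread's complex example.
CREDS = {"alice": "password", "bob": "m4sT3rm!nd", "carol": "password"}
WORDLIST = ["love", "password", "money", "letmein"]
SALTED_DB = build_salted_db(CREDS)
UNSALTED_DB = build_unsalted_db(CREDS)


if __name__ == "__main__":
    print("alice/carol digests differ (salted):",
          same_password_distinguishable(SALTED_DB, "alice", "carol"))
    print("alice/carol digests equal (unsalted):",
          UNSALTED_DB["alice"] == UNSALTED_DB["carol"])
    print("unsalted (recovered, evaluations):", guessing_cost_unsalted(UNSALTED_DB, WORDLIST))
    print("salted   (recovered, evaluations):", guessing_cost_salted(SALTED_DB, WORDLIST))
    print("bob verifies with correct password:", verify_password("m4sT3rm!nd", SALTED_DB["bob"]))
```

With salts, the two "password" users show up as unrelated digests and the wordlist has to be re-hashed per record; without salts the same four hashes serve every record in the table.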

Re:How hard are the passwords to crack? (0)

Anonymous Coward | more than 2 years ago | (#38018324)

Cracking a few passwords would reveal how Steam salts the passwords before hashing. This would help in cracking other passwords by being able to apply the salting to dictionary-based attacks etc.

Dear Bethesda (0)

phrostie (121428) | more than 2 years ago | (#38018128)

Please don't make me use Steam to use a game I've bought disks for.

Re:Dear Bethesda (1)

ADRA (37398) | more than 2 years ago | (#38018272)

It's either that or you have antiquated schemes from the likes of EA where you still (in this day and age) keep the disc in the drive for the entire time playing the game. I'd hate doing that today, and I'm pretty bad at jumping between games in a given sitdown.

SO thankful right now (0, Troll)

ludomancer (921940) | more than 2 years ago | (#38018140)

I really love Steam. I can't recount the number of times someone broke into my house, stole my entire game library, AND my credit card, and then used my credit card to buy tons of other games on it, and send mail to all my friends posing as me. Steam is so worth the convenience of not having to get out of my chair, go to a store, and pick up a physical copy of entertainment that I will probably revisit for years on end.

Thank you Valve!!

Re:SO thankful right now (1)

grantek (979387) | more than 2 years ago | (#38018222)

I (no sarcasm) love Steam, and didn't expect a large-scale intrusion like this, but after the fun and games around the PSN intrusions, I removed my CC details from my Steam account.

It was so easy to buy games with a couple of clicks, and I do miss that, but I must admit a little smugness now over my decision...

I just hope PayPal is on top of their security, because by design they're more heavily linked into people's finances.

Re:SO thankful right now (0)

Anonymous Coward | more than 2 years ago | (#38018244)

I really love Steam. I can't recount the number of times someone broke into my house, stole my entire game library, AND my credit card, and then used my credit card to buy tons of other games on it, and send mail to all my friends posing as me. Steam is so worth the convenience of not having to get out of my chair, go to a store, and pick up a physical copy of entertainment that I will probably revisit for years on end.

Thank you Valve!!

Let me know when this actually happens and you might actually have a valid point. You're being intentionally dishonest. There's a big difference between what you described and "our forum server was compromised and they may or may not have seen some *encrypted* billing data."

Re:SO thankful right now (1)

Baloroth (2370816) | more than 2 years ago | (#38018274)

And this incident hasn't added to that count at all! Unless you know something we don't, a) steam accounts weren't compromised, b) CC numbers weren't compromised, and c) pretty much everything important that was compromised was either hashed and salted (forum passwords only, separate from Steam accounts) or encrypted.

Of course, if someone did break into your house and steal your game collection, you would have nearly zero chance of getting it back. With Steam, you almost certainly could.

Re:SO thankful right now (0)

Anonymous Coward | more than 2 years ago | (#38018318)

Or, you know, you could have actually gotten out of your chair, gone to a store, and picked up a physical copy of whatever. But you didn't. Sounds like you've been enjoying the convenience just fine up until this point, just like the rest of us. Don't be a tool.

hah (4, Funny)

geekoid (135745) | more than 2 years ago | (#38018152)

Secretly stabbed in the back, huh Valve? See Spies are overpowered and DO indeed, SUCK. Jerkwads.

This is Valve's fault (1)

Liambp (1565081) | more than 2 years ago | (#38018182)

I'm a fan of Steam but I am mad as hell that they let this happen. It is not as if they weren't an obvious target given the number of game companies that have been hit before. This is Valve's fault. They screwed up big time and a limp apology from Gabe Newell doesn't make me feel any better.

Re:This is Valve's fault (1)

Ihmhi (1206036) | more than 2 years ago | (#38018220)

To be fair, they could be the best company in the world and it would still take time for them to figure out what exactly happened and how they are going to remedy it. Give them some time. Accidents happen, mistakes happen, and there's really no way of knowing what the end result will be until they've had time to investigate further and decide on a solution. The fact that Steam got this information out so quickly is a good sign in my eyes.

Re:This is Valve's fault (0)

Anonymous Coward | more than 2 years ago | (#38018300)

If somebody wants to hack a company, eventually they will break in. What sets Steam apart is the multiple contingency layers they had that Sony did not, i.e. encrypting the credit card numbers, salting the password hashes, using Steam Guard, etc.

Expect compensation once there is a case where all the checks fail, but I don't think you'll be seeing cc activity that isn't yours soon.

PCI Compliance (1)

Anonymous Coward | more than 2 years ago | (#38018200)

Why does Valve store Credit Card numbers? I thought this was a big no-no.
Before you respond, credit card profiles (name, address, cc#) can be stored by the secure merchant gateway rather than your local database. You only store a unique key like a GUID that can only be used by your merchant account.
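The tokenization pattern this comment describes, as an added example that is not Valve's code or any real gateway's API: the card profile lives only in a (constructed) gateway vault, the local database keeps an opaque token bound to one merchant account, and a copy of the local table does not contain the card number.

```python
import secrets


class MerchantGateway:
    """Constructed stand-in for the payment processor's card vault."""

    def __init__(self):
        self._vault = {}  # token -> full card profile, gateway side only

    def tokenize(self, merchant_id, name, address, pan):
        """Store the profile at the gateway; return an opaque token tied to one merchant."""
        token = secrets.token_hex(16)
        self._vault[token] = {"merchant": merchant_id, "name": name,
                              "address": address, "pan": pan}
        return token

    def charge(self, merchant_id, token, amount_cents):
        """Only the merchant account that created the token may charge it."""
        profile = self._vault.get(token)
        if profile is None or profile["merchant"] != merchant_id:
            raise PermissionError("token unknown or not owned by this merchant")
        return {"approved": True, "last4": profile["pan"][-4:], "amount": amount_cents}


class LocalUserDB:
    """The merchant's own database: token plus display digits, never the PAN."""

    def __init__(self):
        self.rows = {}

    def save_payment_method(self, user, token, last4):
        self.rows[user] = {"payment_token": token, "last4": last4}

    def dump(self):
        """What someone who copies the table would see."""
        return "\n".join(f"{u},{r['payment_token']},{r['last4']}"
                         for u, r in self.rows.items())


def enroll_and_charge(gateway, db, merchant_id, user, name, address, pan, cents):
    """Tokenize at the gateway, persist only the token locally, charge by token."""
    token = gateway.tokenize(merchant_id, name, address, pan)
    db.save_payment_method(user, token, pan[-4:])
    return gateway.charge(merchant_id, token, cents)


def can_charge(gateway, merchant_id, token):
    """True if this merchant account is allowed to use the token."""
    try:
        gateway.charge(merchant_id, token, 1)
        return True
    except PermissionError:
        return False


def pan_exposed(dump_text, pan):
    """True if the full card number appears in a dump, separators ignored."""
    return pan in dump_text.replace(" ", "").replace("-", "")
```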

Accidental irony (5, Funny)

Shillo (64681) | more than 2 years ago | (#38018226)

Today's daily deal on Steam is: Day of Defeat.

Couldn't have made a better choice myself.

Skyrim DRM (0)

Anonymous Coward | more than 2 years ago | (#38018278)

So, how's that Steam requirement for your single player game working out for you, Bethesda?

Whew! (5, Funny)

Bobfrankly1 (1043848) | more than 2 years ago | (#38018286)

Good thing I just followed the e-mail that just arrived and changed my password then! I'm fortunate to have found it in my junk mail. Weird that Steam is requiring social security numbers to change passwords now.

Re:Whew! (1)

the_Bionic_lemming (446569) | more than 2 years ago | (#38018320)

I would have liked to have an email instead of finding out a week later on Slashdot.

This is why I don't (1)

s.petry (762400) | more than 2 years ago | (#38018298)

I trust no company to hold my data on the internet, plain and simple. I hope I'm not alone in stating that quality and security on the Net took a back seat long ago to IP law, and profit margins. If you put it on the Interwebtube, expect that a bad guy has it. It's a sad reality, but still a reality.

And yes, shame on Steam for not notifying users the day they discovered the problem. Finding out 4 days later, from an external company is not excusable. I'm sure they will blame a 3rd party for the break in claiming it's not their code or design that's the problem too.
