Games Steam hacked...

Mabs

J Peasemould Gruntfuttock
Joined
Dec 22, 2003
Messages
6,869
Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.
 

opticle

Part of the furniture
Joined
Sep 14, 2011
Messages
1,201
This database contained information including user names, hashed and salted passwords.

Can someone enlightened enlighten the unenlightened.. I'm guessing the above isn't something I'm planning to have for breakfast tomorrow? :rolleyes:
 

Zarjazz

Identifies as a horologist.
Joined
Dec 11, 2003
Messages
2,383
In this scenario a hash function is a method of turning your password into random text, but in such a way as to make it extremely hard to work out the password from the hash. All operating systems store passwords this way.

Basically the only way to crack the hash is to go through every single possible combination of characters, hash each string and compare the result. The most common hash functions are MD5 and SHA1 and people have generated huge lists of all the possible hashes up to 7, 8, 9, 10 characters long, these are called rainbow tables. A salt stops these working by adding some junk text (the salt) to the start of each password and then generating the hash. This breaks the rainbow tables and makes the job of cracking the password exponentially harder. If Valve are using a more modern hash function such as SHA256 or better then it's harder still.
 

Uncle Sick

One of Freddy's beloved
Joined
Dec 23, 2003
Messages
792
Yeah... I like having my debit card info available for Pjotr, Dimitri and... Harry, I guess? :(
Hackers need to get a slap on the cock.
 

Keitanz

Can't get enough of FH
Joined
Nov 4, 2010
Messages
2,760
There are some good hackers though, but probably more bad hackers :/
 

Ch3tan

I aer teh win!!
Joined
Dec 22, 2003
Messages
27,318
1 up for Valve, Sony et al take note on how to deal with these things.
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,076,920
I wonder how they got in. It seems the forums were the target and then they worked their way in from reading that statement.
 

Raven

Happy Shopper Ray Mears
FH Subscriber
Joined
Dec 27, 2003
Messages
44,616
It's not steam itself, just the steam forums. Important information is encrypted.
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,076,920
It's not steam itself, just the steam forums. Important information is encrypted.
I take it you didn't read the original notice?
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.
Regardless of encryption, sensitive data has been compromised.
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,076,920
In this scenario a hash function is a method of turning your password into random text, but in such a way as to make it extremely hard to work out the password from the hash. All operating systems store passwords this way.

Basically the only way to crack the hash is to go through every single possible combination of characters, hash each string and compare the result. The most common hash functions are MD5 and SHA1 and people have generated huge lists of all the possible hashes up to 7, 8, 9, 10 characters long, these are called rainbow tables. A salt stops these working by adding some junk text (the salt) to the start of each password and then generating the hash. This breaks the rainbow tables and makes the job of cracking the password exponentially harder. If Valve are using a more modern hash function such as SHA256 or better then it's harder still.
I wish that Eksblowfish was the norm for creating password hashes with a suitably long number of rounds. Bye bye bruteforce. I would much rather have a 5-10 second delay on password hashing knowing that it scales with hardware and therefore doesn't become easier to crack over time.
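
An added example, not part of the thread or of anyone's post: the two points made in the posts above (a salt defeats precomputed hash lists; a tunable cost keeps hashing slow as hardware improves) shown in Python from the storage side. PBKDF2 from the standard library stands in for the Eksblowfish scheme mentioned above, and the word list, record layout and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a precomputed hash list.
COMMON = ["password", "qwerty", "letmein", "123456"]
PRECOMPUTED = {hashlib.sha1(w.encode()).hexdigest(): w for w in COMMON}


def unsalted_sha1(password: str) -> str:
    """Weak storage: identical passwords always give identical hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_sha1(password: str, salt: bytes) -> str:
    """Salt prepended to the password before hashing, as the post describes."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def lookup(stored_hash: str):
    """What a precomputed list allows: one dictionary lookup, no hashing."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password: str, iterations: int = 200_000) -> dict:
    """Salted, deliberately slow hash with the cost stored beside it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def needs_rehash(record: dict, current_cost: int) -> bool:
    """Raise the cost as hardware gets faster; upgrade records on next login."""
    return record["iterations"] < current_cost


if __name__ == "__main__":
    salt = os.urandom(16)
    print("unsalted found in list:", lookup(unsalted_sha1("qwerty")))
    print("salted found in list:  ", lookup(salted_sha1("qwerty", salt)))
    rec = hash_password("qwerty", iterations=50_000)
    print("verifies:", verify_password("qwerty", rec),
          "| needs rehash at 200k:", needs_rehash(rec, 200_000))
```

The salt only removes the precomputation shortcut; the per-guess cost comes from the iteration count, which is why it is stored with each record and can be raised later.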
 

old.Tohtori

FH is my second home
Joined
Jan 23, 2004
Messages
45,210
Don't know what hackers might want with my account, so not that worried. It's not like I got cash, interesting games, or even influential contact data there :D

Might as well pop a new password in though.
 

Everz

FH is my second home
Joined
Nov 7, 2004
Messages
13,685
I only just changed my damn password.. still.. would they really wish to borrow my copy of Overlord or such eh? hah.
 

MYstIC G

Official Licensed Lump of Coal™ Distributor
Staff member
Moderator
FH Subscriber
Joined
Dec 22, 2003
Messages
12,362
Goes to show Valve obviously aren't so confident about their super login system now though. Otherwise Gabe would be saying "pfft, doesn't matter, your steamworks login only works on your computer". I wonder if they're figuring out that loads of people probably use the same password for everything and that you could log in to A N Other's e-mail using a nicked steam password, get the verify code and away you go.
 

Shagrat

I am a FH squatter
Joined
Dec 23, 2003
Messages
6,945
It's hardly Valve's fault if people are dumb enough to use the same password for everything though, is it?
 

Zarjazz

Identifies as a horologist.
Joined
Dec 11, 2003
Messages
2,383
Well if you believe what Valve say the passwords are not stored in plain text. So unless your password is some stupid dictionary word like "password" or "qwerty" it would take a vast amount of processing power to break them.
 

opticle

Part of the furniture
Joined
Sep 14, 2011
Messages
1,201
Bet it was EA ^^

People using the same passwords for everything ? Who does that?! :LOL: That encompasses pretty much EVERY person I've ever known who's not a little bit tech savvy. Tbh, beyond 2/3 passwords I was one of them until I discovered LastPass(.com) and I'm wondering whether or not that was a good idea - but their webpage had gold stars on, so that sold it.

In this scenario a hash function is a method of turning your password into random text, but in such a way as to make it extremely hard to work out the password from the hash. All operating systems store passwords this way. Basically the only way to crack the hash is to go through every single possible combination of characters, hash each string and compare the result. The most common hash functions are MD5 and SHA1 and people have generated huge lists of all the possible hashes up to 7, 8, 9, 10 characters long, these are called rainbow tables. A salt stops these working by adding some junk text (the salt) to the start of each password and then generating the hash. This breaks the rainbow tables and makes the job of cracking the password exponentially harder. If Valve are using a more modern hash function such as SHA256 or better then it's harder still.

Ta Zarjazz, appreciated o/
 

Calaen

I am a massive cock who isn't firing atm!
Joined
Dec 22, 2003
Messages
9,538
Goes to show Valve obviously aren't so confident about their super login system now though. Otherwise Gabe would be saying "pfft, doesn't matter, your steamworks login only works on your computer". I wonder if they're figuring out that loads of people probably use the same password for everything and that you could log in to A N Other's e-mail using a nicked steam password, get the verify code and away you go.

Sounds to me that rather than boasting about their security he's covering all the bases required, yapping off that you are untouchable just spurs these guys on even more. They seem to have responded very fast and their communication on the matter has been top notch. Anyone with the same passwords everywhere is asking for trouble!!
 

Zarjazz

Identifies as a horologist.
Joined
Dec 11, 2003
Messages
2,383
They seem to have responded very fast and their communication on the matter has been top notch.

Well better than Sony did but that's not saying very much. Now I'm just waiting on the announcement that all steam users will get a free copy of TF2 as compensation ... oh wait.
 

Rulke

Can't get enough of FH
Joined
Dec 23, 2003
Messages
2,237
Some more details leaked about how the hackers got in:

[Image: Fvr8W.jpg]

PS how do you do spoiler tags on this new forum?
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,076,920
Spoiler tags are done the same way as on the old.

Test
Told you!
Code:
[spoiler]
Test
[/spoiler]
[spoiler=Not Safe For Work]
Told you!
[/spoiler]
 

Zenith.UK

Part of the furniture
Joined
Dec 20, 2008
Messages
2,913
Bet it was EA ^^

People using the same passwords for everything ? Who does that?! :LOL: That encompasses pretty much EVERY person I've ever known who's not a little bit tech savvy. Tbh, beyond 2/3 passwords I was one of them until I discovered LastPass(.com) and I'm wondering whether or not that was a good idea - but their webpage had gold stars on, so that sold it.
I too was just like you and many other people until the PSN hack earlier this year. After that, I got on board with LastPass and secured all my accounts on a per-site basis, Steam included. The nice thing is that my password in cleartext looks something like an MD5 hash. :)

It's an inconvenience, but I don't remember ever using the Steam forums. I'll check anyway.

A weak link many people seem to forget when they're changing their site password is the password on their primary validating email address. If you're going to secure your login chain, make sure the email is locked tight as well.
 

MYstIC G

Official Licensed Lump of Coal™ Distributor
Staff member
Moderator
FH Subscriber
Joined
Dec 22, 2003
Messages
12,362
Sounds to me that rather than boasting about their security he's covering all the bases required, yapping off that you are untouchable just spurs these guys on even more. They seem to have responded very fast and their communication on the matter has been top notch. Anyone with the same passwords everywhere is asking for trouble!!
That's my point though. When they first introduced the secure login shit, he gave out his password and basically went "have a try if you like"

http://n4g.com/news/714527/valves-gabe-newell-gives-his-steam-password-to-everyone

Not so fucking brash now are we.
 

MYstIC G

Official Licensed Lump of Coal™ Distributor
Staff member
Moderator
FH Subscriber
Joined
Dec 22, 2003
Messages
12,362
Thank you for confirming that you are a cunt. You cunt :eek:
 

Calaen

I am a massive cock who isn't firing atm!
Joined
Dec 22, 2003
Messages
9,538
It's only the forums that are down not the steam user accounts? So I don't see how this has anything to do with him giving out his steam password.
 
