Steam Hacked | Credit Card Information at Risk


Locut0s

Lifer
Nov 28, 2001
22,205
44
91
Thanks Steam. Thanks for fu*king e-mailing me about something like this. Oh wait, you didn't. And I didn't see the news update/notice either. F*ck.

This is probably the only website/store where I have my CC info saved. Now I can't even find where I can delete it, but I guess there's no point since it's already been taken - not on my account page. It's my main CC. *sigh*

Wonder if I should notify my CC company while I'm ahead. At least Steam made it public.

Edit: Sent my CC provider an e-mail. Covers my ass in case their database "encryption" fails.

Your CC number is actually the last thing I would worry about here. It's the most secure and has the most people backing you up. Even if somehow your number gets compromised, credit card companies are extremely good at reversing / forgiving faulty charges. It's any other info they may have in that database that I would be more worried about. Luckily it's probably just your name, address, phone number and the like, which is freely available to anyone and everyone already. Not saying this is nothing to worry about. I'd still take precautions but it's nothing to panic about.
 

HarvardAce

Senior member
Mar 3, 2005
233
0
71
Well that explains why, when I was purchasing Skyrim on Steam a few hours ago, my credit card company declined the purchase then called me as part of their fraud detection program. I told the nice associate that I purchase stuff on Steam all the time, so I wasn't sure why that caused it to flag as potential fraud. She didn't have an answer, but now I have it.
 

Mike Gayner

Diamond Member
Jan 5, 2007
6,175
3
0
If the information actually is encrypted as they seem to suggest then the card numbers themselves are likely safe. No amount of brute force hacking is going to crack any modern encryption scheme.

According to my brother (who is way smarter than me) this isn't entirely true. Firstly, we don't know what kind of encryption was used. Sony's files were encrypted too, and that was broken very quickly. Secondly, we don't know if the encryption key has been compromised. There's little reason at the moment to assume it hasn't been.
 

Zenoth

Diamond Member
Jan 29, 2005
5,202
216
106
Let's change our passwords at the very least, and then hope for the best in the coming days. By the way, hackers (any of you out there), go die or something.
 

dennilfloss

Past Lifer 1957-2014 In Memoriam
Oct 21, 1999
30,509
12
0
dennilfloss.blogspot.com
OK. I have no Steam account as I haven't needed their service yet. However, I'm picking up my copy of Skyrim at the store tomorrow and will need to register and use Steam to update the game to 1.1. How am I affected by this? Is their service secure now for new users?
 

Locut0s

Lifer
Nov 28, 2001
22,205
44
91
According to my brother (who is way smarter than me) this isn't entirely true. Firstly, we don't know what kind of encryption was used. Sony's files were encrypted too, and that was broken very quickly. Secondly, we don't know if the encryption key has been compromised. There's little reason at the moment to assume it hasn't been.

He's right. But it depends on what you mean by compromised. The only way to "compromise" AES-style encryption is to have the key or to brute force it. Having the key isn't compromising it, any more than stealing the key to your house compromises its security. A brute force attack can work if the type of encryption used is very weak, say 64-bit or something like it. Other forms of security may have been used that are erroneously being called encryption that aren't.
 

Locut0s

Lifer
Nov 28, 2001
22,205
44
91
OK. I have no Steam account as I haven't needed their service yet. However, I'm picking up my copy of Skyrim at the store tomorrow and will need to register and use Steam to update the game to 1.1. How am I affected by this? Is their service secure now for new users?

You shouldn't need to give them your CC info just to activate a retail copy. Just buy the game and create a Steam account.
 
Mar 10, 2005
14,647
2
0
OK. I have no Steam account as I haven't needed their service yet. However, I'm picking up my copy of Skyrim at the store tomorrow and will need to register and use Steam to update the game to 1.1. How am I affected by this? Is their service secure now for new users?

i don't expect you to be affected at all, unless a 2nd hack occurs. me personally, i deleted the linked credit card (like it matters now) and will try to change my password again...that's all. the only issue for most idiots (like me) is that i've used the same password elsewhere, and need to change those too. if they did get my cc, i'm protected anyway.
 

dennilfloss

Past Lifer 1957-2014 In Memoriam
Oct 21, 1999
30,509
12
0
dennilfloss.blogspot.com
Thanks. I am a bit worried. I'm picking up my retail copy probably tomorrow (with chronic fatigue syndrome, I can never be sure I'll feel good enough) and I expect a DVD in the box but some people are said to find only a slip of paper with a Steam code. Weird.
 

Locut0s

Lifer
Nov 28, 2001
22,205
44
91
Thanks. I am a bit worried. I'm picking up my retail copy probably tomorrow (with chronic fatigue syndrome, I can never be sure I'll feel good enough) and I expect a DVD in the box but some people are said to find only a slip of paper with a Steam code. Weird.

No the retail edition will have a disc.
 

raasco

Platinum Member
Feb 6, 2009
2,638
3
76
Man it pisses me off that these companies can't keep their shit secure. If they're unable to protect sensitive information then they shouldn't be keeping it in the first place. The amount of Valve ass-eating on the reddit thread is sickening - this is no different to the Sony breach, but as soon as people hear "valve" they act as if no wrong can be done.

I love Steam, but I'm seriously pissed off that yet another corporation isn't taking the security of my personal data seriously.

"This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information."

Huge difference between PSN plain text bullshit and Valve's "hashed and salted" info.
 

Locut0s

Lifer
Nov 28, 2001
22,205
44
91
If the passwords were salted with a constant value (which is *not* what I would expect from Valve), the attackers could recompute a simple rainbow table (anyone have any idea how long that would take?). They could do it for whatever the minimum requirements were for the password (N character, alpha + num). Using that table, they could query for users who had those dumb-as-bricks passwords. They don't need to know *your* account, all they need is to find N weak accounts to make it worth their while, financially or for the Lulz.

Look at it this way - in a city of X million people, the attackers have figured out Y thousand keys, and can test those keys nearly instantaneously against every door in the metro.

Having said that, at the very least I expect Valve properly salted their database, to a degree that would make precomputing tables infeasible.

I guess I was thinking more of the credit card numbers than the passwords.
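The constant-salt versus per-user-salt point in the post above, as an added example that is not part of the original thread: it counts how many hashes an audit needs to flag every account using a common password under each scheme. The usernames, passwords, candidate list, salt value and the use of plain SHA-256 are all constructed assumptions; nothing on this page says how Valve actually hashed passwords.

```python
import hashlib
import os

# Constructed sample data: usernames, passwords and the candidate list are
# made up for this example; SHA-256 is an assumption, not Valve's scheme.
USERS = {"alice": "password1", "bob": "password1",
         "carol": "k7#Vq9!zLm", "dave": "letmein"}
CANDIDATES = ["123456", "password1", "letmein", "qwerty"]


def digest(salt: bytes, password: str) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_store(users, salt_for):
    """Return {user: (salt, digest)}; salt_for(user) picks the salt."""
    store = {}
    for user, pw in users.items():
        salt = salt_for(user)
        store[user] = (salt, digest(salt, pw))
    return store


def audit(store, candidates):
    """Find accounts using a candidate password; count hashes computed.

    One lookup table is built per distinct salt, so a shared salt means a
    single table is reused against every row.
    """
    tables, hashes, weak = {}, 0, set()
    for user, (salt, stored) in store.items():
        if salt not in tables:
            tables[salt] = {digest(salt, c) for c in candidates}
            hashes += len(candidates)
        if stored in tables[salt]:
            weak.add(user)
    return weak, hashes


CONSTANT = b"site-wide-salt"  # hypothetical shared salt
constant_store = build_store(USERS, lambda u: CONSTANT)
random_store = build_store(USERS, lambda u: os.urandom(16))

if __name__ == "__main__":
    for name, store in (("constant", constant_store), ("per-user", random_store)):
        weak, hashes = audit(store, CANDIDATES)
        print(f"{name:9} salt: {sorted(weak)} found with {hashes} hashes")
```

With a shared salt the work is fixed by the candidate list and identical passwords produce identical digests; with per-user salts the work grows with the number of accounts. A deliberately slow password hash raises the cost of each of those computations further.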
 

Leopardos

Senior member
Jul 15, 2009
332
2
81
Thank you Paypal for helping me hide my credit card number from companies with EPIC FAIL Security ...
 

Sureshot324

Diamond Member
Feb 4, 2003
3,370
0
71
Anyone else's credit card get deactivated after this? Mine just did apparently due to suspicious activity (they won't tell me what).
 

Locut0s

Lifer
Nov 28, 2001
22,205
44
91
Anyone else's credit card get deactivated after this? Mine just did apparently due to suspicious activity (they won't tell me what).

They are probably being extra careful in light of this. Anyone who has had frequent Steam activity on their account in the past is probably having their account red-flagged by the CC companies for extra scrutiny. Doesn't necessarily mean your card was compromised. Or maybe it was, but not from this source. Course it could have been too :p
 

greenhawk

Platinum Member
Feb 23, 2011
2,007
1
71
They are probably being extra careful in light of this. Anyone who has had frequent Steam activity on their account in the past is probably having their account red-flagged by the CC companies for extra scrutiny. Doesn't necessarily mean your card was compromised. Or maybe it was, but not from this source. Course it could have been too :p

yep.

select *
from Customer_History
where Business_Name = 'Valve'

then output that into the database called "Cards_To_Watch"
 

Aikouka

Lifer
Nov 27, 2001
30,383
912
126
I deactivated mine. Kind of annoying since I don't have a very good back up card to use. :\