Steam Hacked | Credit Card Information at Risk


The Green Bean

Diamond Member
Jul 27, 2003
6,506
7
81
So what's the verdict? Cancelling my credit card that I use on Steam will be a huge hassle since I am overseas.
 

Locut0s

Lifer
Nov 28, 2001
22,281
43
91
So what's the verdict? Cancelling my credit card that I use on Steam will be a huge hassle since I am overseas.

Too early to say. No one can tell you what to do. My personal stance is to take the steps Steam has recommended, deauthorize your computers, and change passwords on all sites you use the same password you used for Steam. I wouldn't do anything with your CC beyond monitoring it more closely. Your CC company will do that for you too.
 

Wyndru

Diamond Member
Apr 9, 2009
7,318
4
76
Why is it important to deauthorize all of your computers? Wouldn't simply changing the password be enough to stop someone from being able to log into steam using your account? Are they referring to any computers you have set in offline mode? (which I still don't see why it would matter since your password is changed).
 

mrblotto

Golden Member
Jul 7, 2007
1,647
117
106
de-authorized all computers, removed CC info (was an old one anyhow), and changed pwd.
 

Barfo

Lifer
Jan 4, 2005
27,554
212
106
"This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information."

Huge difference between PSN plain text bullshit and Valve's "hashed and salted" info.
Don't bother him with facts, he's just doing his work as the forum's resident asshole.
 

MacLeod1592

Member
Aug 19, 2010
71
0
0
On emails not being received, somebody on another forum made a good point that since this was a huge chain email, your email provider or ISP or whatever might've blocked it thinking it was spam.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
The credit card information was stored with a different level of encryption than the user information like passwords and email addresses. The main people at risk here are the ones that use the same password for a lot of different sites. I am willing to bet I could take a good portion of the people that use steam and use their steam password for their email accounts. Get their email, find emails from other sites like amazon, banks, paypal, and then use that same password to access those sites too.

The amount of people that use one password for lots of sites is the biggest threat.
 

SunnyD

Belgian Waffler
Jan 2, 2001
32,674
145
106
www.neftastic.com
I wonder if I should just proactively report my credit card as stolen and get a new one. Amex is pretty damn good about this stuff anyhow.

Regardless... one thing to remember... if you have used a credit/debit card... ANYWHERE - online or manually swiped, odds are your number is already in some black hat database somewhere waiting to be sold/used illegally.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Having said that, at the very least I expect Valve properly salted their database, to a degree that would make precomputing tables infeasible.

Personal information like email and password is hashed but not salted. Credit card and financial information is hashed + salted and the salt is computed at the time the information is entered and kept on a server separate from the DB server.
 

WT

Diamond Member
Sep 21, 2000
4,818
59
91
Always bought my Steam games with Paypal, so I assume I'm OK ? No card tied to that as far as I know, but I should be changing my login password at the very least.
 

Dankk

Diamond Member
Jul 7, 2008
5,558
25
91
Gabe responds to emails involving the hacking:

IMeWI.png
 

Aikouka

Lifer
Nov 27, 2001
30,383
912
126
Personal information like email and password is hashed but not salted. Credit card and financial information is hashed + salted and the salt is computed at the time the information is entered and kept on a server separate from the DB server.

I don't think you're right on this. Unless my idea of hashing is completely off, hashing a credit card for storage for future use would never work. Hashes are one way conversions and that's how they're meant to be. Passwords can be stored as hashes, because you always provide the password, and they simply compare the hash of what you provided to the hash of what's stored.

A credit card being encrypted makes sense, because then it would be decrypted at the time of purchase and used in the transaction.

What I want to know is why they keep the Steam forums separate (separate account), but apparently you can still get at the same information! :|

EDIT:

Gabe responds to emails involving the hacking:

What's the possibility that they got or could get the encryption key?
 
Last edited:
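
Added example, not part of the thread and not Valve's actual scheme: a minimal Python sketch of the store-and-compare flow for salted password hashes discussed above, next to an unsalted table where identical passwords produce identical stored values. The user names, passwords, PBKDF2 parameters and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for this example
SALT_BYTES = 16

def unsalted_hash(password: str) -> str:
    """Fast hash with no salt: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """What the server stores: a per-user random salt plus the derived hash."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}

def verify(password: str, record: dict) -> bool:
    """Nothing is decoded: re-derive from the submitted password and compare."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def reused_password_groups(table: dict) -> list:
    """Group accounts whose stored values are byte-for-byte identical."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def demo():
    # Constructed sample accounts; alice and bob share a password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: make_record(p)["hash"] for u, p in users.items()}
    return reused_password_groups(unsalted), reused_password_groups(salted)

if __name__ == "__main__":
    shared_unsalted, shared_salted = demo()
    print("identical stored values, unsalted:", shared_unsalted)
    print("identical stored values, salted:  ", shared_salted)
```

There is no function that turns a record back into the password, which is why this approach fits login checks but not a card number that has to be recovered for a later charge.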

Imp

Lifer
Feb 8, 2000
18,829
184
106
Your CC number is actually the last thing I would worry about here. It's the most secure and has the most people backing you up on. Even if somehow your number gets compromised credit card companies are extremely good at reversing / forgiving faulty charges. It's any other info they may have in that database that I would be more worried about. Luckily it's probably just your name, address, phone number and the like, which is freely available to anyone and everyone already. Not saying this is nothing to worry about. I'd still take precautions but it's nothing to panic about.

True. I'm not worried about having to pay for any fake charges, but I am concerned that I would have to go through the bullshit administrative process for fraudulent charges.

Also, I'm annoyed because that's my main CC that I use daily and collect points on, and it may be put out of action for a few weeks.
 
Sep 7, 2009
12,960
3
0
Keep in mind these cc numbers seem to be sold in 'blocks'.. It's very possible that you wouldn't see charges for months or even years. I got hit by the monoprice crap with a card I ONLY used for them, and it took at least 6-7 months before fraudulent stuff showed up.
 

Skott

Diamond Member
Oct 4, 2005
5,730
1
76
Hopefully the hackers did it just to piss off Valve, prove it can be done, and don't intend to do harm to the users. This seems to be a trend lately aimed at corporations. Still, changing your pw and watching your CC more closely for the next month is the prudent thing to do.
 

Fallen Kell

Diamond Member
Oct 9, 1999
6,039
431
126
dammit!!! I had never saved my credit card information with steam, UNTIL LAST WEEK! I finally got tired of pulling out my card all the time with all the steam daily deals etc, that I have been buying lately. I finally let it save my credit information, and then they get hacked...... I need to go change my passwords now.
 

pmv

Lifer
May 30, 2008
13,049
7,976
136
Thanks Steam. Thanks for fu*king e-mailing me about something like this. Oh wait, you didn't. And I didn't see the news update/notice either. F*ck.

This is probably the only website/store where I have my CC info saved. Now I can't even find where I can delete it, but I guess there's no point since it's already been taken - not on my account page. It's my main CC. *sigh*

Wonder if I should notify my CC company while I'm ahead. At least Steam made it public.

Edit: Sent my CC provider an e-mail. Covers my ass in case their database "encryption" fails.


No email from Steam, and as I haven't used steam (or played any games at all) for many months I didn't see any announcement (in fact, still can't find any such thing on the site). Only know about it at all 'cos of happening to read it here. Is this a US-specific thing or does it relate to Steam as accessed from any country - anyone know?
 

WT

Diamond Member
Sep 21, 2000
4,818
59
91
Steam only sending emails to users who have a CC tied to their account ?? Very little info on this so far, and of course the Steam forums are still down at this point.
 

colaxs

Member
Nov 10, 2011
27
0
0
Guys, would this affect those who pay via paypal?
 
Last edited by a moderator:

Liet

Golden Member
Jun 9, 2001
1,529
0
0
On a possibly related note, my debit card was used for two separate $122 ATM withdrawals on 10/15 and 10/20 in a place I've never been to.

Doesn't hurt to check, boys.