Steam forums hacked, credit card & personal info may be stolen
Timo
November 10th, 2011, 07:34 PM
Dear Steam Users and Steam Forum Users,
Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.
We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.
We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.
While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.
We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.
We will reopen the forums as soon as we can.
I am truly sorry this happened, and I apologize for the inconvenience.
Gabe.
Watch those credit cards!
seanthelawn
November 10th, 2011, 07:50 PM
Shitfuck my credit card is linked to my Steam account
Amit
November 10th, 2011, 08:06 PM
My PayPal account has been used to "instant-purchase" games. Would my PayPal account be at risk? BTW, remember to change your passwords, everyone.
Donut
November 10th, 2011, 08:13 PM
hey sony, look at these guys not waiting a week to tell us
Pooky
November 10th, 2011, 08:35 PM
Bound to happen eventually. Glad to see valve handling it better than fucking sony. This is why I never save my credit card information with online services.
seanthelawn
November 10th, 2011, 08:45 PM
I activated Steam guard and changed my password, I hope that's enough.
MXC
November 10th, 2011, 10:29 PM
Damnit, it keeps telling me to try again later when I try to change my password.
chrisk123999
November 10th, 2011, 10:34 PM
Not too worried. Changed my password to be safe however.
DarkHalo003
November 10th, 2011, 11:15 PM
These things are why I never keep the info logged into my account. I never have Steam remember this stuff and only use Debit/Visa Gift cards for a transaction for a game every so often. I don't trust the internet enough. :tinfoil:
ejburke
November 10th, 2011, 11:39 PM
Passwords were properly hashed. Credit card info was encrypted. I'm not going to bother changing anything unless I hear reports of actual fraud.
DEElekgolo
November 11th, 2011, 12:37 AM
Well shit
Pirates win again
Amit
November 11th, 2011, 01:39 AM
I wonder why they didn't hack Origin instead. That's not to say I'm not happy they didn't. That shit ain't secure enough, probably. Still, if Origin got hacked first, everyone would be bashing it for being shit at protection. But here we have the prized possession of the PC gaming industry here getting pushed around. Interesting.
MXC
November 11th, 2011, 01:53 AM
"Steam cannot currently process your request.
Please try again later."
Oh, come on!
BobtheGreatII
November 11th, 2011, 03:09 AM
I think it's cool that Gabe wrote the letter. I'll change my stuff next time I'm on.
Phopojijo
November 11th, 2011, 03:06 PM
Like I said when the PSN was hacked... security is extremely difficult. Sony was unlucky.
Zeph
November 11th, 2011, 05:25 PM
I wonder why they didn't hack Origin instead. That's not to say I'm not happy they didn't. That shit ain't secure enough, probably. Still, if Origin got hacked first, everyone would be bashing it for being shit at protection. But here we have the prized possession of the PC gaming industry here getting pushed around. Interesting.
It's entirely likely that Origin has been hacked. The only reason the Valve hack was noticed is because they defaced the forums.
Rook
November 12th, 2011, 07:18 AM
The great thing about valve over sony is that steam guard actually fucking works. Gabe gave out his username and pass before to let people try to get past steam guard and they couldn't.
Cortexian
November 14th, 2011, 06:02 PM
Passwords were properly hashed. Credit card info was encrypted. I'm not going to bother changing anything unless I hear reports of actual fraud.
Pretty much this.
Kornman00
November 14th, 2011, 06:21 PM
Thanks to rainbow tables and offloading computations to GPUs, hashed passwords can be brute forced with ease.
Timo
November 14th, 2011, 06:33 PM
They were salted too, but I have no idea what that means.
ejburke
November 14th, 2011, 07:12 PM
Thanks to rainbow tables and offloading computations to GPUs, hashed passwords can be brute forced with ease.
They don't have rainbow tables for every hashing function. Since it would be idiotic for Valve to announce which function they use, we're left to hope that it's something advanced like sha-256 and not something like md5. And if they rainbow sha256 (for example), Valve can always move on to a new function. It's like staying ahead of antibiotic resistances in bacteria. There's always a new drug being invented.
Since there is no 1:1 ratio between hashes and inputs, they would get several possible solutions that they would have to try. Salting expands the solution set beyond a reasonable amount. Just as long as nobody is using an actual word as their password that could easily be plucked from a set of possible solutions, a hacker would have to try everything and hopefully, Valve would be able to identify the brute force attempt and shut it down.
And that's all assuming that there was only one hash function used. You can hash a password with md5, then hash it again with md5, then hash it again with sha256. A little extra server load traded for a lot of extra security.
This is all a lot of trouble and they would have to repeat the process for each account they're trying to hack. These aren't exactly bank accounts. It's just Steam.
Mostly, I'm just being defiant by not changing. I know it's easy enough to reset passwords (not so easy to cancel your credit card), but fuck them. I ain't scurred.
jcap
November 14th, 2011, 07:20 PM
It means user passwords are combined with a randomly generated string before the hashing algorithm. This makes passwords substantially more difficult to crack, because you can't calculate checksums for possible passwords once and compare all of the user's passwords against that list at the same time. Each user would need to run through trillions of combinations.
But, as Kornman said, it's becoming easier to crack even salted passwords with our powerful GPUs. IIRC, a 6 character password can be cracked in a few minutes.
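Added example, not part of the original thread or any poster's code: a Python sketch of the salting described in the post above, comparing an unsalted fast hash (one precomputed table matches every user with the same password) with a per-user salted, iterated hash. The user names, passwords, guess list and iteration count are constructed for illustration, and the use of PBKDF2 is an assumption; the thread does not say which scheme Valve used.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
USERS = {"alice": "hunter2", "bob": "hunter2"}
CANDIDATES = ["password", "123456", "hunter2", "letmein"]  # constructed guess list


def unsalted(password: str) -> str:
    """Plain fast hash with no salt (the weak scheme)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Salted, deliberately slow hash: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def table_hits(stored: dict, table: dict) -> list:
    """Users whose stored hash appears in a table computed once for all users."""
    return sorted(u for u, h in stored.items() if h in table)


def demo() -> dict:
    table = {unsalted(c): c for c in CANDIDATES}  # precomputed once, reused for everyone
    weak_db = {u: unsalted(p) for u, p in USERS.items()}
    strong_db = {u: make_record(p) for u, p in USERS.items()}
    return {
        "weak_hashes_equal": weak_db["alice"] == weak_db["bob"],
        "weak_table_hits": table_hits(weak_db, table),
        "salted_hashes_equal": strong_db["alice"]["digest"] == strong_db["bob"]["digest"],
        "salted_table_hits": table_hits({u: r["digest"].hex() for u, r in strong_db.items()}, table),
        "login_ok": verify("hunter2", strong_db["alice"]),
        "login_bad": verify("hunter3", strong_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the digest and is not secret; its job is to make every user's hash a separate computation, while the iteration count makes each guess expensive.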
Kornman00
November 14th, 2011, 07:42 PM
Except the problem is that they got more than just your user name and password. They also got your email address, physical address, etc. This information mounts up. That information can be abused outside of Steam. Passwords could be reused, so brute forcing can be well worth the wait. Especially if they're trying to brute force the accounts of devs, and not just Valve devs but other companies as well (this wouldn't be the first time where this was done for just that, with success). The perps may not be after non-devs, but that doesn't mean they won't sell the information to others with different priorities.
It's like breaking into a house by going through the unlocked patio door instead of thru the front. You may have to climb a fence but it helps hide the fact that the house has been compromised.
Steam Guard is worthless if you're not using a password unique to Steam. Your compromised information could be plugged in elsewhere. Moving on to some new hashing function now wouldn't do squat.
jcap
November 15th, 2011, 01:48 PM
Steam Guard is worthless if you're not using a password unique to Steam. Your compromised information could be plugged in elsewhere. Moving on to some new hashing function now wouldn't do squat.
Yeah, this.
This is one reason I don't understand why everyone is treating this lightly. It doesn't mean jack shit that you have Steam Guard on your account if it's the thing an attacker would care least about. This attack isn't any different from the attack on Sony.
Amit
November 15th, 2011, 02:31 PM
Heh, I use a separate password for steam. Guess I'm good to go.
Cortexian
November 15th, 2011, 02:50 PM
I use separate accounts for everything and use my YubiKey as a master password. So unless someone breaks into my home and steals my YubiKey from me, good luck with hacking any of my shit.
Kornman00
November 15th, 2011, 04:07 PM
http://media.tumblr.com/tumblr_lfp2hoS7xu1qc9f5v.jpg
Cortexian
November 15th, 2011, 05:02 PM
You've defeated yourself by posting a broken image link and/or a link to an image which is preventing hotlinking!!
Now that you've edited it, proof!!
Text Changes
- http://fak3r.com/wp-content/blogs.dir/12/files/challenge_accepted_Amazing_Feats_Fails_WIns_Lolz_a nd_A_Contest-s325x265-158648-535.png
+ http://media.tumblr.com/tumblr_lfp2hoS7xu1qc9f5v.jpg
ejburke
November 15th, 2011, 05:29 PM
Yeah, this.
This is one reason I don't understand why everyone is treating this lightly. It doesn't mean jack shit that you have Steam Guard on your account if it's the thing an attacker would care least about. This attack isn't any different from the attack on Sony.
As I recall, it was unclear as to whether Sony had things properly encrypted and hashed. Plus, Sony made a password reset mandatory, which Valve is free to do as well.
If they got your e-mail address and physical address, they got them. I'm not going to move or cancel my credit card. This shit is just going to keep happening with more and more regularity. It probably goes unreported or unnoticed more often than it doesn't. There is just no way to know what personal information is out there at this point.
If I were a developer or someone with a lot to lose, I'd probably purchase some type of identity protection/insurance.
Kornman00
November 15th, 2011, 07:25 PM
If I were a developer or someone with a lot to lose, I'd probably purchase some type of identity protection/insurance.
That protection/insurance doesn't help combat compromised accounts. Say one of the Valve devs had the same login info for access to Havok's dev center. Now Havok has a compromised dev account where these same black-hat people can leach their products (ie, commercial SDKs). Havok is just a tiny drop in the middleware-sea.
TVTyrant
November 15th, 2011, 08:25 PM
We already planted a sign in your yard, what makes you think we can't steal your YubiKey?
Cortexian
November 15th, 2011, 08:42 PM
We already planted a sign in your yard, what makes you think we can't steal your YubiKey?
My guns would have a disagreement with your face.
That's what.
TVTyrant
November 15th, 2011, 08:46 PM
Are you forgetting? I have guns too.
Plus I live in America. More firepower.
All I need is a sack of mexicanspotatoes to hide them in while I drive over the border.
Although I have like 60 bucks in my bank account at the moment. So this isn't going to happen most likely.
Kornman00
November 15th, 2011, 09:03 PM
You have to leave your house sometime, prancer
Cortexian
November 15th, 2011, 09:27 PM
You have to leave your house sometime, prancer
Yeah, and I take my YubiKey with me.
Kornman00
November 16th, 2011, 12:28 AM
Even better :mech2:
=sw=warlord
November 16th, 2011, 11:40 AM
My guns would have a disagreement with your face.
That's what.
Who needs bullets when you can just drop a fishing net on you from the roof with weights at the edges, round you up like sardine.
:haw: