Thursday, November 10th 2011

Steam Hack More Severe Than Thought: Change Your Password NOW

Gabe Newell of Valve has issued a statement that the forum hack they experienced over the weekend actually goes much deeper than they thought. The criminals accessed the main database containing such goodies as user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. Apparently, no personally identifying information was taken - but we await the result of the full investigation before breathing a sigh of relief. Due to this serious breach, TechPowerUp advises all Steam users to change their account password immediately. People starting up their Steam client will now see the following message from Gabe Newell about this:

10 November 2011
Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.
Add your own comment

127 Comments on Steam Hack More Severe Than Thought: Change Your Password NOW

#1
Enmity
thanks man, tried again and still the same message. Will keep trying. Cheers :)
Posted on Reply
#2
Rammkopf
Just the reason why I'm no fan of the cloud. Still trusting all those fat@$$ services that claim they're widely public and insanely safe in the same time? :nutkick:

I've always been asking myself, who needs that friggin' Steam and all other on-line services of the likes, anyway? :shadedshu

Just take our money for the game, give us a decent server for on-line play (should we feel like it) that only requires a user ID and a password to log into and quit squeezing credit card info and such from your customers, ffs. Geez!
Posted on Reply
#3
Shihabyooo
Funny, I didn't get the message when I ran Steam.
BTW, Wouldn't Steam Guard be more than enough for protection ? Unless you're E-mail is also compromised.
Posted on Reply
#4
qubit
Overclocked quantum bit
by: Shihabyooo
Funny, I didn't get the message when I ran Steam.
BTW, Wouldn't Steam Guard be more than enough for protection ? Unless you're E-mail is also compromised.
No man, they got the root database. :shadedshu
Posted on Reply
#5
Millennium
changed my password just in case. If lots of steam accounts start getting hacked that would be pretty bad news for steam, they've been great so far. Except maybe the client is bloatware now but thats another story (and my PC can cope :p)
Posted on Reply
#6
shb-
by: Shihabyooo
Funny, I didn't get the message when I ran Steam.
BTW, Wouldn't Steam Guard be more than enough for protection ? Unless you're E-mail is also compromised.
I think it is enough to keep those hackers out of your steam account, unless u use same pwd for email too. So there is no real reason to change password (again - if u dont use it elsewhere). Other reason not to change pwd is that they were hashed and salted. I guess if your password is complex enough, no one will unsalt/unhash it.

Real problem is that they got some credit card data, IMO.

updated:
looks like credit card data was encrypted with aes256 (according to some comments @ toms), so no worries i guess.
Posted on Reply
#7
n-ster
I used the same password for my TPU forum and some other forums lol. But I don't feel like changing so many passwords :p
Posted on Reply
#8
Ahhzz
Thx Q, I don't use the steam forums, but changed my main one just in case.
Posted on Reply
#9

I doubt they got anything at all... Steam forums are hacked by fkn0wned, who used to make CS:S hacks. This hack, IMO, isn't what it's hyped up to be. They probably only hacked the VBulletin and not much else. Steam is way more complicated than hacking a forum. It's not something a kid can break, even the debugger of Steam requires specific knowledge. There's virtually not a single program that can mess with Steam; say, brute force it. And there never have been one. It's like trying to hack Winamp. These guys simply aren't capable of doing such act.

That said, Gabe also mentions to change your Steam pass "just in case". So yeah.
#10
qubit
Overclocked quantum bit
by: John Doe
I doubt they got anything at all... Steam forums are hacked by fkn0wned, who used to make CS:S hacks. This hack, IMO, isn't what it's hyped up to be. They probably only hacked the VBulletin and not much else. Steam is way more complicated than hacking a forum. It's not something a kid can break, even the debugger of Steam requires specific knowledge. There's virtually not a single program that can mess with Steam; say, brute force it. And there never have been one. It's like trying to hack Winamp. These guys simply aren't capable of doing such act.

That said, Gabe also mentions to change your Steam pass "just in case". So yeah.
I'm sure you're right about the overall complexity/security of Steam. I'll bet Valve end up ditching vB and creating their own forum software that's more secure.

It might be a bit expensive and time consuming, but a company that operates 100% online could go out of business if they were seen as having poor security, so I reckon this is a possibility.
Posted on Reply
#11
ShiBDiB
Why is it that TPU, just like all the gaming wannabe news websites, are turning a hacking of the steam forum (not linked to ur steam account) into a hacking of steams secure servers..

All steam said to do is what you as a non retarded consumer should be doing anyway, watching your statements to make sure your not getting double charged, over charged, etc....

Sorry if I sound like an ass, but all this uppity make news out of nothing more then a Game Hack Website putting their ad into suddenly this being a full blown end of your credit score attack is retarded.


Your god damn topic title breaks forum rules as FUD.. Nowhere have I seen them doing anything besides covering their ass and doing what anyone whos had a forum hack done and resetting forum passwords. If they honestly had any hint that your accounts on a completely different presumably much better defended server had been compromised they would have also reset your steam account passwords.
Posted on Reply
#12
qubit
Overclocked quantum bit
by: ShiBDiB
You god damn topic title breaks forum rules as FUD..
It's more than that, it's a news title. Does that make it better? ;)
Posted on Reply
#13
ShiBDiB
I apologize I just worked all night so I'm grouchier then usual, but this entire thing is being blown completely out of proportion... And theirs no reason to get the less common sense empowered users all worried that their CC's are gonna have charges for random flat screen tv's and horse porn on them if they dont change their passwords.
Posted on Reply
#14

by: qubit
I'm sure you're right about the overall complexity/security of Steam. I'll bet Valve end up ditching vB and creating their own forum software that's more secure.

It might be a bit expensive and time consuming, but a company that operates 100% online could go out of business if they were seen as having poor security, so I reckon this is a possibility.
They don't have "poor security" at all. The system (Steam) has yet to be hacked in years. It's like a Media player, it doesn't get affected by traditional hacking methods. The only thing that's hacked here is SPUF, which is a pathetic forum. I stopped reading there a few years ago. Trolling/insults are galore, mods (volunteer) are chosen from users who praised VALVe the most against their update screw ups, people get banned left and right. People from VALVe don't care or even read it at all.

So basically, the forum is a representive of itself. It's not related to Steam at all. They're probably making fuss with the hopes of some guy that can't login to open a new account then buy the games again. lol.
#15
qubit
Overclocked quantum bit
by: ShiBDiB
I apologize I just worked all night so I'm grouchier then usual, but this entire thing is being blown completely out of proportion... And theirs no reason to get the less common sense empowered users all worried that their CC's are gonna have charges for random flat screen tv's and horse porn on them if they dont change their passwords.
Ya, no problem, I know all about feeling ratty! :laugh: :toast:

Thing is, I wouldn't feel too cozy that everything is all right. Think of the security breaches one sees with companies (not just gaming companies) who offer bland assurances that their customer's details are ok and then it turns out that the sh*t has hit the fan. Fact is, we just don't know yet and may never know, so it's a reasonable precaution to change our passwords.
Posted on Reply
#16
n-ster
We learned that intruders obtained access to a Steam database in addition to the forums
So is it only the Steam forums or more? I'm confused
Posted on Reply
#17
qubit
Overclocked quantum bit
by: n-ster
So is it only the Steam forums or more? I'm confused
They got to the databases, we don't know what they got out of them, which is crucial. If it's meaningless highly encrypted data, then we're probably safe. Or if no data was extracted at all.
Posted on Reply
#18
n-ster
by: qubit
They got to the databases, we don't know what they got out of them, which is crucial. If it's meaningless highly encrypted data, then we're probably safe. Or if no data was extracted at all.
K so it isn't blown out of proportion IMO... There IS a REAL chance that we could have had our passwords hacked etc etc
Posted on Reply
#19
ShiBDiB
by: n-ster
K so it isn't blown out of proportion IMO... There IS a REAL chance that we could have had our passwords hacked etc etc
They would have reset your steam account passwords and issued more of a warning, the game industry learned from sony what to do in such a situation and steam isnt doing anything.. So I'm not worried.
Posted on Reply
#20
n-ster
The chances are low that they got anything... but I ain't leaving my steam account, passwords and if I had one on the account CC info in the hands of chance. It takes a few minutes to make sure everything is safe
Posted on Reply
#21

by: n-ster
The chances are low that they got anything... but I ain't leaving my steam account, passwords and if I had one on the account CC info in the hands of chance. It takes a few minutes to make sure everything is safe
Trust me, they didn't get anything. It's fkn0wned, a bunch of kids who write off CS:S hooks. I highly doubt some lamer kid can hack Steam DB.

Even if they did hack, your account is one out of millions. What's the chance of a few kids messing with yours out of millions? I personally am not concerned about this. And not going to change mine. They're hyping this for people to make new accounts.
#22
digibucc
i'm sure you're absolutely right john - but honestly it's a good idea to change passwords once every few years anyway, and i've had the same one forever.

also, while the chances may be small - my account is worth over $4k USD, i am not risking that to a friggin password, i'll change it thanks :)
Posted on Reply
#23
Ahhzz
by: John Doe
.... They're hyping this for people to make new accounts.
I'm curious... for what reason would they want people to make new accounts?
Posted on Reply
#24
n-ster
by: Ahhzz
I'm curious... for what reason would they want people to make new accounts?
He'll respond with something like stats or publicity

But WHO would make new accounts? noone... Who in the world would abandon their Steam account for this and not just change their password etc?
Posted on Reply
#25

by: Ahhzz
I'm curious... for what reason would they want people to make new accounts?
Erm, bucks? New games bought = more money for them.

by: n-ster
But WHO would make new accounts? noone... Who in the world would abandon their Steam account for this and not just change their password etc?
There will always be some. If someone can't access his account, he might think his account in hacked in this period. Before he can login back, he might just open a new account and buy a few games.
Add your own comment