Thursday, November 10th 2011

Steam Hack More Severe Than Thought: Change Your Password NOW

Gabe Newell of Valve has issued a statement that the forum hack they experienced over the weekend actually goes much deeper than they thought. The criminals accessed the main database containing such goodies as user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. Apparently, no personally identifying information was taken - but we await the result of the full investigation before breathing a sigh of relief. Due to this serious breach, TechPowerUp advises all Steam users to change their account password immediately. People starting up their Steam client will now see the following message from Gabe Newell about this:

10 November 2011
Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

127 Comments on Steam Hack More Severe Than Thought: Change Your Password NOW

#1
qubit
Overclocked quantum bit
by: John Doe
Erm, bucks? New games bought = more money for them.

There will always be some. If someone can't access his account, he might think his account is hacked in this period. Before he can login back, he might just open a new account and buy a few games.
Yeah, there will be some, but they'd be real dumbasses to do that. :laugh: I don't think there would be very many who would do this.
#2
digibucc
i highly doubt enough people to be noticeable would just create new accounts and buy new games. that's a thin theory with nothing really backing it. sorry.
#3

by: digibucc
i highly doubt enough people to be noticeable would just create new accounts and buy new games. that's a thin theory with nothing really backing it. sorry.
It's not. Say you can't login for a few days, and want to play your favourite game. You'd think your account may be hacked, then open a new one to just buy that game and play it. Afterwards, it wouldn't matter you login back to your old account or not. There you bought it, and you don't have to be stupid to do that either. On an online system like this, these kind of things happen. So why not write off a paragraph that will be forgotten if it'll land you more money? (regardless of its amount)
#4
digibucc
but to say it's an elaborate scheme for that reason is far fetched. i'm not saying it never happens, i'm saying there is no way it happens as much as you are implying, and i in no way believe Valve is doing this on purpose. and i am the conspiracy guy among friends, i just don't see it. there is no way i would just accept my account is gone and start a new one, and anyone with more than 3 games i'd bet would be the same.
#5

Steam is a huge network, so I wouldn't just think of myself. Not everyone buys everything off Steam. I don't integrate my games to it (after my past experiences) like having to wait for an update or it not booting. I buy games outside of Steam, and just because you keep them all under one account, doesn't mean everyone else does. In fact, most people I see on the community have a few games tied to their account. It's not wrong to think of it that way.
#6
digibucc
right but that still says nothing about the likelihood of gabe newell lying to everyone to create a few accounts and sell a few games. it's just ridiculously unlikely in my mind. i'll leave it there as this won't head anywhere good i don't think.
#7

He lied about HL2's code being stolen (nothing came out of it) to delay the game. They messed up TF2, worked on other games and didn't care for HL2: DM/CS:S updates etc. for years. They're a company, and companies aren't after you, they're after your money. So it's not unlikely to think he may slip this near the hacking of forum. VALVe screwed up a lot of stuff in past, and they did on purpose.
#8
dicobalt
It shouldn't even be legal for a website to store your credit card information once an order has been processed.
#9
Crap Daddy
No message from Gabe for me. I don't plan to change my password, got my account hacked once and got it back to work in a few days thanks to Gabe's boys so I'm not too worried. Oh, and my card is debit and most of the time the account is empty.
#10
Wrigleyvillain
PTFO or GTFO
by: John Doe
VALVe screwed up a lot of stuff in past, and they did on purpose.
Oh PLEASE. :shadedshu

I think you need a new tin foil hat.
#11

by: Wrigleyvillain
Oh PLEASE. :shadedshu

I think you need a new tin foil hat.
They knew AVP was going to break CS:S, regardless, they did it. They knew porting the game to new engine would disable some console commands and bhopping, still, they did it. Then they fixed what they broke after what has happened.

I think you need to possess some brain before you resort to a cheap attack, but at this rate I've no reason to believe you do. ;)
#12
Wrigleyvillain
PTFO or GTFO
If you honestly think Valve-the shining example of how to be a great game developer, have a revolutionary business model, provide fantastic and honest customer service, give cool little gifts and do cool favors for many people that have emailed them with problems and such (Gabe and others) AND make a shit ton of money to boot-did this on purpose then you are the one who needs to "possess some brain".

And the reason you state above doesn't even make any sense offhand (at least as related to allowing a hack or whatever it is you are claiming exactly) though regardless it's laughable if that's the best you can do with the likes of Activision, EA and Ubisoft in the industry. You know, publishers/devs who actually DO screw over their customers and deserve such ire...
#13

by: Wrigleyvillain
If you honestly think Valve-the shining example of how to be a great game developer, have a revolutionary business model, provide fantastic and honest customer service, give cool little gifts and do cool favors for many people that have emailed them (Gabe and others) AND make a shit ton of money to boot-did this on purpose then you are the one who needs to "possess some brain".
I'd call you a name but anyway, you certainly haven't used Steam as long as I did. Haven't gotten nailed on unworking software, messed up games and so on. But then again, those are mostly a thing of past. However I'll let those "fantastic and honest" customer service slip through. Good day sir.
#14
Mr McC
by: John Doe
They knew AVP was going to break CS:S, regardless, they did it. They knew porting the game to new engine would disable some console commands and bhopping, still, they did it. Then they fixed what they broke after what has happened.

I think you need to possess some brain before you resort to a cheap attack, but at this rate I've no reason to believe you do. ;)
John, as a firm advocate of conspiracy theories, a harsh critic of DRM and someone who was reticent when it came to using Steam for the first time, simply this: no.
#15

by: Mr McC
John, as a firm advocate of conspiracy theories, a harsh critic of DRM and someone who was reticent when it came to using Steam for the first time, simply this: no.
There's no "yes" or "no" to any of the statements made here. The situation is closed, so all we can do is to speculate over it.
#16
Mr McC
by: John Doe
There's no "yes" or "no" to any of the statements made here. The situation is closed, so all we can do is to speculate over it.
That's merely speculation.
#17
Wrigleyvillain
PTFO or GTFO
by: John Doe
I'd call you a name but anyway, you certainly haven't used Steam as long as I did. Haven't gotten nailed on unworking software, messed up games and so on. But then again, those are mostly a thing of past. However I'll let those "fantastic and honest" customer service slip through. Good day sir.
Since Day ONE. When it sucked. Sounds like you just need some better computer skills.
#18

by: Wrigleyvillain
Since Day ONE. When it sucked. Sounds like you just need some better computer skills.
Says the guy who calls Automatic Weapon Pricing and bunnyhops "hacks or whatever". Oh well.

by: Mr McC
That's merely speculation.
Did I call YOUR post speculation? I said WE can only speculate over this. Since we don't have access to VALVe's content/master server, right? All you said was "no". So yes, your post wasn't speculation. It was just "opinion".
#19
Coreinsanity
by: John Doe
Steam is a huge network, so I wouldn't just think of myself. Not everyone buys everything off Steam. I don't integrate my games to it (after my past experiences) like having to wait for an update or it not booting. I buy games outside of Steam, and just because you keep them all under one account, doesn't mean everyone else does. In fact, most people I see on the community have a few games tied to their account. It's not wrong to think of it that way.
That's still a pretty lacking reason.

First off, the number of people who would remake their account and purchase all of their stuff again is small, if not non-existent. It's much more likely those people will go to steam and get their account sorted out if they can't access it. Furthermore, they said the hackers had access to the database that contained your credit card information. Though encrypted, it's much more likely more people will delete their CC off of steam and leave steam because their CC information was exposed than it is for people to buy all their games again. "Hey, this company screwed up and got my CC information exposed, I'm going to buy crap from them again. They obviously deserve my money still" - Yeah, I'm not seeing it.

This isn't a publicity thing to get people, if anything this is a deterrent to using steam. I know what encryption is, and how their service works. I'm not worried, my information is one of millions and millions of users. But the less computer-savvy people out there might look at this and leave because they don't understand what's going on.

The fact that this information was exposed at all is bad and shouldn't be taken lightly. While I wouldn't up and cancel your CC just yet (Though I can't blame you if you do), I would watch your statement and news on this event to keep up to date.
#20
Ahhzz
by: John Doe
Erm, bucks? New games bought = more money for them.
Who would open a new account based on the press that someone just hacked into the company you're considering buying from?? :wtf:


by: John Doe

There will always be some. If someone can't access his account, he might think his account is hacked in this period. Before he can login back, he might just open a new account and buy a few games.
I think it's a pretty far stretch to think that the company was hacked, so the leaders decided to issue a press release saying that the hacking was WORSE than it really was, on the possibility that some user somewhere might be inclined to open a new account to replace his (money spent!!!) games, instead of just trying his password again, or resetting it with the provided tool, or even contacting Steam.... It could happen.... And Bobby Kotick could sell Blizz back to the employees, and Blizz and Bethesda could merge to form a Mega-ultra-Gaming Monolith called "Blizzthesda".... hmmm... liking the sound of that more and more...

:slap:
#21
Mr McC
by: John Doe

Did I call YOUR post speculation?
You did not.

by: John Doe
I said WE can only speculate over this.
This appears to be correct, certainly in relation to the "we", but again, it may be just speculation on your part.


by: John Doe
Since we don't have access to VALVe's content/master server, right?
There may be employees amongst us, it isn't safe here, I think it's Wrigley.


by: John Doe
All you said was "no".
Ah, but it was a poignant no, a call to haul you back from the very precipice of collapse.

by: John Doe
So yes, your post wasn't speculation. It was just "opinion".
in your opinion.
#22

by: Coreinsanity
First off, the number of people who would remake their account and purchase all of their stuff again is small, if not non-existent. It's much more likely those people will go to steam and get their account sorted out if they can't access it. Furthermore, they said the hackers had access to the database that contained your credit card information. Though encrypted, it's much more likely more people will delete their CC off of steam and leave steam because their CC information was exposed than it is for people to buy all their games again. "Hey, this company screwed up and got my CC information exposed, I'm going to buy crap from them again. They obviously deserve my money still" - Yeah, I'm not seeing it.

The fact that this information was exposed at all is bad and shouldn't be taken lightly. While I wouldn't up and cancel your CC just yet (Though I can't blame you if you do), I would watch your statement and news on this event to keep up to date.
First off, I know the so called "hacker"s. They're a bunch of kids that write off CS:S cheat packs (aimbots etc.) that get you VAC banned. The only thing they clearly got into is SPUF. Probably via an exploit. The forum, not Steam. No one has far managed to get into Steam itself, let alone these kids.

As for buying the game again, you don't have to use your CC. You can just buy it off the store and use the key. I'm not concerned about any of this. Even the way Gabe's message is written is cheesy. Like how he's "hacked and truly sorry" about it.

by: Mr McC
You did not.

This appears to be correct, certainly in relation to the "we", but again, it may be just speculation on your part.
No, it's not. Read back the thread, this has been hashed out endlessly. People speculated like "it must be Anon" and such. Again, I repeat, WE can only speculate since we don't have info from the inside.

by: Mr McC
There may be employees amongst us, it isn't safe here, I think it's Wrigley.
I think

by: Mr McC
Ah, but it was a poignant no, a call to haul you back from the very precipice of collapse.

in your opinion.
you're spouting off nonsense to make yourself look right, fatty. You're being silly. Grow up.
#23
Mr McC
by: John Doe

you're coming up with nonsense to make yourself look right, fatty. You're being silly. Grow up.
I am not coming up with nonsense to make myself look right, nor am I fat, although I have no objection to the term fatty. Insofar as being silly, I stand guilty as charged and will spare no effort in endeavouring to grow up. I extend my apologies.
#24
Coreinsanity
by: John Doe
First off, I know the so called "hacker"s. They're a bunch of kids that write off CS:S cheat packs (aimbots etc.) that get you VAC banned. The only thing they clearly got into is SPUF. Probably via an exploit. The forum, not Steam. No one has far managed to get into Steam itself, let alone these kids.

As for buying the game again, you don't have to use your CC. You can just buy it off the store and use the key. I'm not concerned about any of this. Even the way Gabe's message is written is cheesy. Like how he's "hacked and truly sorry" about it.
Oh please. It doesn't matter who hacked the forum and whatever other database they managed to get in to. If they got to the CC information, which Valve said they could at least see (note, see, not download), Valve screwed up as far as security goes. That seems like a poor security design on their part if it was tied in any way to the forum or steam profile database directly.

As far as knowing who did it, prove it. Because their advertisement was on the forums? That doesn't mean anything. Some one else could have done it to draw attention to those people as a distraction. You don't know what happened, nor who hacked their database or what they really had access to. Unless, of course, you personally know these hackers? In which case I hope some one comes to question you soon.

I'm not concerned about them getting into "steam", however I think you need to define that term if you're going to continue to use it. The fact is none of us really has any idea how their network is laid out, for all we know they merged the tables containing the forum user data with the account data for some kind of "convenience". We don't know. It seems to me the CC/billing information should be on an internal server that is accessed only when purchasing a game or adding another payment method, and is only accessed through the/an internal steam server acting as a layer to separate the CC information from being directly accessible to the internet (Not some web application tied to a forum created by a third party). Until we know how it's laid out and what layers were broken into, we can't say they didn't get access to it. And to say otherwise is just foolish and flies in the face of any good consumer security practice. You should be cautious, always. If it turns out to be some false alarm, great, some kids hacked the forum and I don't care. Otherwise, some one at Valve should have their butt on the line for dropping the ball. These companies shouldn't be lacking in security, anywhere.

As for what the CEO says, I have no reason to believe you over him. If he says the encrypted CC information was exposed, why do I have any reason not to believe him? All this does is make negative hype for steam and create a deterrent for using it. Furthermore he didn't say sorry to us because he was hacked, he said sorry because HIS COMPANY (according to his own letter) caused our CC information to be exposed to an unauthorized third party. He was saying sorry to the community for the company failing to do part of its job, keeping our information secure.

No, you don't have to use a CC to buy a game off of steam. That's not what you said, though. If I went to the store and bought a CD key it kind of defeats your theory of "They are hyping it so valve gets more money from people buying all their games again". Furthermore, I can't think of anyone who would purchase all of their stuff again from a company who screwed up. Seriously, that's some backwards logic. "Oh, they're insecure and won't help me get my account back? Sure! I'll buy all my stuff off of your service again" - totally.
#25

by: Coreinsanity
Oh please. It doesn't matter who hacked the forum and whatever other database they managed to get in to. If they got to the CC information, which Valve said they could at least see (note, see, not download), Valve screwed up as far as security goes. That seems like a poor security design on their part if it was tied in any way to the forum or steam profile database directly.
Look, the forum and Steam itself have nothing to do with each other. SPUF is a craptastic forum where people say whatever they want with the mods (volunteer "user" mods) do what they want. Workers from VALVe don't read or care about it. It's a forum left for users to create their own feedback. However, sadly, it instead is full of locked threads and banned people due to insults/trolls, "I'm VAC BANned!" threads and whatever you name it.

As such, VALVe didn't "screw up". Steam is driven off different content servers from all across the globe, unlike the forum which is a vBulletin ran off Washington from VALVe HQ (ping it/look at Steam settings).

You don't know what you're talking about.

by: Coreinsanity
As far as knowing who did it, prove it. Because their advertisement was on the forums? That doesn't mean anything. Some one else could have done it to draw attention to those people as a distraction. You don't know what happened, nor who hacked their database or what they really had access to. Unless, of course, you personally know these hackers? In which case I hope some one comes to question you soon.
That's a pretty absurdist statement... also, I assumed it's fkn0wned themselves to take attention (buy their private hacks). It was worded that way, yes, it may be someone else, BUT, Steam is running perfect and please read Gabe's message again. He says "might be/just in case, and we think". He's not sure and is assuming. So it's not to be relied on.

by: Coreinsanity
I can't think of anyone who would purchase all of their stuff again from a company who screwed up. Seriously, that's some backwards logic. "Oh, they're insecure and won't help me get my account back? Sure! I'll buy all my stuff off of your service again" - totally.
Like I said, not everyone thinks that way. Lots of people go on about cheating, getting VAC banned then buying a new game again. VAC for example uses delayed bans (a few weeks) which makes doing that act possible. As such, it's not unnormal to think of some people to buy their games again. The majority of people are uninformed. They'd think like; this account is banned, gone. Have to open a new one. Whenever they can't login in such case. You're thinking of yourself, not the average majority.