Gabe Newall has indicated that AES256 encryption was used on sensitive information, so there's very little to worry about if that's true.

I have far more faith in the security layers at a premier e-commerce company like Steam than I do in, say, ANY government agency. I'm pretty sure the average person's personal data is much more exposed in other places.

Gabe Newall has indicated that AES256 encryption was used on sensitive information, so there's very little to worry about if that's true.

Well that's awesome! And I'm sure the hackers are right away trying to crack the AES256 encryption, instead of, you know, just downloading the AES256 keys from the compromised machine.

Sarcasm aside, one has to wonder how and where were they keeping the keys.

Posting on the No-Steam forum, an individual calling himself MaddoxX has claimed credit for hacking into Steam, and has posted presumably-confidential material including financial information, customers' credit card information, and screenshots of internal Valve web pages.

The alleged hacker appears to be attempting some form of online extortion against Valve, posting the following to the forum: "If you want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information." The specifics of his demands remain unclear.

Steam, introduced in 2004 in conjunction with Valve's massive hit Half-Life 2, has grown into a massively popular and successful online distribution system on the internet. Along with Valve, Steam is now also used by companies such as Eidos, Akella, Activision and 2K Games. As well as new releases, Steam is also serving as a distribution method for older releases such as Thief: Deadly Shadows, Arx Fatalis, and Deus Ex: Invisible War, offering gamers a chance to play titles that are otherwise difficult to obtain.

If this claim of data theft is genuine, it could quickly become a public relations nightmare for Valve, which would be forced to reveal to credit card holders that its security has been breached. This would also be the second high-profile lapse in security involving Valve in recent years; in 2003, the Half-Life 2 source code was stolen by someone who managed to break into Valve's internal systems undetected.

To put it simply: heGÇÖs screwed.

We might get free copies of Portal 2 and DOTA 2 out of it though lol
http://www.thereticule.com/update-on-steam-security-breach/

I would recomend changing passwords and watching your credit statements as indicated. However I see NO reason for them to lie about the AES256 encryption part.

Do you realize that it would take a powerful quantum computer to be able to crack that kind of encryption? If I remember right Wikileaks distributed its database encrypted weaker than that and word is even the gov will take time to crack that.

Be on the safe side folks. But don't act like a bunch of idiots and try to compare Valve. A company hellbent on security after the HL2 attack with Sony which had virtually no security in place.

The idiots who did this attack tho are in for a world of criminal charges when they are located tho. The last attack didn't net encrypted financial files.

Not requiring Steam to play a single-player game would be safer.

How are they going to compromise them? Magic? There is a reason people use heavy encryption.

There is something that has to decrypt them to send the charges to the bank, you can't send the bank an encrypted account number and expect them to know what to do with it. They also have to have something to encrypt them to store them, they don't magically encrypt themselves.

If they compromised the database, it is entirely possible they compromised whatever systems handle the data and put it in the database. It's not terribly difficult to reverse engineer that once you get a hold of the software doing the work.

If it wasn't possible for them to get the numbers then why would they tell you to watch your credit card and bank statements as well?

Use your brain for a minute. I've been doing this **** for 10 years. I write software that handles approximately 2 billion dollars annually and interacts with many financial institutions. I understand very well how all this **** works.

Ya... Right...

Do you honestly think Valve would be acting so calm if there was even a remote risk of the key being accessed? Again this is military/gov/financial grade encryption here.

Valve is asking people to watch their credit statements as a legal percaution. If there was ANY evidence of a breech of the encrypted data they would be at once warning people.

Be safe but don't be stupid folks.

To be fair, 2 Billion dollars is chump change in comparison to the hypervelocity trading programs that are used by investment firms. But I'm just being a **** with this sentence.

Anyways, if they stored the keys on a different database that wasn't compromised (which would be intelligent and not require a whole lot of thought as a basic security measure) then we have nothing to worry about.

Yes change your passwords and watch your cards but seriously don't compare them to sony.

Sony had NO encryption.

Yup, not liking this, changed my password already, going to call the bank tomorrow.

It will be months before they start using credit card numbers, or sell them, so you have a little time, but it will be pretty bad I think since there are so many people that have bought stuff off steam, CoD crowd and BF3 crowd in particular. Even if the stuff is encrypted, doesn't mean they can't crack it.

Crack AES256?

I won't be bothering to call my bank :)

They don't have to crack it. If you even bothered to read anything else in this thread or use your brain to realize they don't have to do one damn thing if they compromised more than what Steam knows about, or has let the general public know about.