It would have been nice if they told us who may have been affected, although I have not yet gotten that e-mail.

It would have been nice if they told us who may have been affected, although I have not yet gotten that e-mail.

Just saw it, just changed my details. Honestly the straw that breaks the camels back at this point, it was getting old dealing with having the client manifest itself as a resource hogging store front to even use the software you buy while they pocket huge dividends. Guess they didn't spend much of that on actually keeping stuff locked down just like sony.

Going to avoid using steam like the plague now.

Except that they actually encrypted passwords, unlike sony. This is to be expected with commerce rapidly expanding into cyberspace, and will become more commonplace in the coming years.

Enjoy not being able to play new games anymore since pretty much everything goes through steam now.

And this is why forcing people to use steam is bad, Bethesda.

And this is why forcing people to use steam is bad, Bethesda.

PayPal FTW.... Until they get hacked....

Gabe Newall has indicated that AES256 encryption was used on sensitive information, so there's very little to worry about if that's true.

I have far more faith in the security layers at a premier e-commerce company like Steam than I do in, say, ANY government agency. I'm pretty sure the average person's personal data is much more exposed in other places.

lol though, I cant cancel my card, its a holiday. I cant change my password, I get "unable to process request try again later"

what did they do, hack it and **** their ability to process PW change requests?

That sucks. Kinda glad I haven't bought any games on steam for a while, since any credit card details steam have are for an expired card heh

Even if the card you used was "expired" there's still a good chance the number is the same, as long as they put in an expiration date that is later than today, a lot of the time a transaction will go through. I've fumbled expiration dates a number of times and transactions still get processed. Only way to be sure is to get completely new numbers and make sure the old numbers are deactivated completely. My EVE sub on my alt got renewed even though the number on the card that was still on file was "deactivated" I got an email about an error processing the transaction, then logged into my bank account to check it and lo-and-behold, the bank approved the transaction anyways...even though the number was not supposed to work anymore...

Gabe Newall has indicated that AES256 encryption was used on sensitive information, so there's very little to worry about if that's true.

I have far more faith in the security layers at a premier e-commerce company like Steam than I do in, say, ANY government agency. I'm pretty sure the average person's personal data is much more exposed in other places.

Gabe Newall has indicated that AES256 encryption was used on sensitive information, so there's very little to worry about if that's true.

Well that's awesome! And I'm sure the hackers are right away trying to crack the AES256 encryption, instead of, you know, just downloading the AES256 keys from the compromised machine.

Sarcasm aside, one has to wonder how and where were they keeping the keys.

Posting on the No-Steam forum, an individual calling himself MaddoxX has claimed credit for hacking into Steam, and has posted presumably-confidential material including financial information, customers' credit card information, and screenshots of internal Valve web pages.

The alleged hacker appears to be attempting some form of online extortion against Valve, posting the following to the forum: "If you want me to remove these files you can e-mail me at (address removed) and I prefer you come with something good unless you want me to expose ALL of the customers their information." The specifics of his demands remain unclear.

Steam, introduced in 2004 in conjunction with Valve's massive hit Half-Life 2, has grown into a massively popular and successful online distribution system on the internet. Along with Valve, Steam is now also used by companies such as Eidos, Akella, Activision and 2K Games. As well as new releases, Steam is also serving as a distribution method for older releases such as Thief: Deadly Shadows, Arx Fatalis, and Deus Ex: Invisible War, offering gamers a chance to play titles that are otherwise difficult to obtain.

If this claim of data theft is genuine, it could quickly become a public relations nightmare for Valve, which would be forced to reveal to credit card holders that its security has been breached. This would also be the second high-profile lapse in security involving Valve in recent years; in 2003, the Half-Life 2 source code was stolen by someone who managed to break into Valve's internal systems undetected.

To put it simply: heGÇÖs screwed.

We might get free copies of Portal 2 and DOTA 2 out of it though lol
http://www.thereticule.com/update-on-steam-security-breach/

I would recomend changing passwords and watching your credit statements as indicated. However I see NO reason for them to lie about the AES256 encryption part.

Do you realize that it would take a powerful quantum computer to be able to crack that kind of encryption? If I remember right Wikileaks distributed its database encrypted weaker than that and word is even the gov will take time to crack that.

Be on the safe side folks. But don't act like a bunch of idiots and try to compare Valve. A company hellbent on security after the HL2 attack with Sony which had virtually no security in place.

The idiots who did this attack tho are in for a world of criminal charges when they are located tho. The last attack didn't net encrypted financial files.

Not requiring Steam to play a single-player game would be safer.

How are they going to compromise them? Magic? There is a reason people use heavy encryption.

There is something that has to decrypt them to send the charges to the bank, you can't send the bank an encrypted account number and expect them to know what to do with it. They also have to have something to encrypt them to store them, they don't magically encrypt themselves.

If they compromised the database, it is entirely possible they compromised whatever systems handle the data and put it in the database. It's not terribly difficult to reverse engineer that once you get a hold of the software doing the work.

If it wasn't possible for them to get the numbers then why would they tell you to watch your credit card and bank statements as well?

Use your brain for a minute. I've been doing this **** for 10 years. I write software that handles approximately 2 billion dollars annually and interacts with many financial institutions. I understand very well how all this **** works.

Ya... Right...

Do you honestly think Valve would be acting so calm if there was even a remote risk of the key being accessed? Again this is military/gov/financial grade encryption here.

Valve is asking people to watch their credit statements as a legal percaution. If there was ANY evidence of a breech of the encrypted data they would be at once warning people.

Be safe but don't be stupid folks.

To be fair, 2 Billion dollars is chump change in comparison to the hypervelocity trading programs that are used by investment firms. But I'm just being a **** with this sentence.

Anyways, if they stored the keys on a different database that wasn't compromised (which would be intelligent and not require a whole lot of thought as a basic security measure) then we have nothing to worry about.

Yes change your passwords and watch your cards but seriously don't compare them to sony.

Sony had NO encryption.

Yup, not liking this, changed my password already, going to call the bank tomorrow.

It will be months before they start using credit card numbers, or sell them, so you have a little time, but it will be pretty bad I think since there are so many people that have bought stuff off steam, CoD crowd and BF3 crowd in particular. Even if the stuff is encrypted, doesn't mean they can't crack it.

Crack AES256?

I won't be bothering to call my bank :)

They don't have to crack it. If you even bothered to read anything else in this thread or use your brain to realize they don't have to do one damn thing if they compromised more than what Steam knows about, or has let the general public know about.

hey wait wait so because pc gamers reacted in a well mannered way is it safe to say all console gamers are spoiled brats and pc gammers are respectable adults

I heard something interesting on the steam forums.

One of the ways lately to break encryption is to use a GPU or a series of GPUs to break encryption on passwords. To prevent this companies are using random generators on top of encrypting to add a great deal of random characters into the data sent to be compared on the server.

atm there are no reports of compromised CC's. also, maybe because of Sony, Valve decided to keep their decryption key safe somewhere in a place that is not inside the steam network proper.

anyways this happened around.. the 10th? and atm all of this is no more than speculation. Time will tell if there was CCs compromised or not.

that might work for the pw's themselves but not for the CC's. if what has been said it's true, CC's are encripted in AES256 and salted, which means that by the time they manage to get a CC number, with the current tech level, the universe has already ended

that said however, AES256 is only as safe as how safe you keep the decryption key.

Well that's awesome! And I'm sure the hackers are right away trying to crack the AES256 encryption, instead of, you know, just downloading the AES256 keys from the compromised machine.

Sarcasm aside, one has to wonder how and where were they keeping the keys.

Or they compromised machines responsible for encrypting and decrypting those numbers.

Doesnt work like that. Two part system of public and private keys. They might use kerberos for transactions between companies in which case it's a ticket key system. There also isnt "one" key generator machine. It's handled at a software level. (key generation)

http://en.wikipedia.org/wiki/Advanced_Encryption_Standard There's the gist.

stuff

So you want to say, that your systems are also vulnerable?

I'm kidding. I bet you did the best job possible to create a secure and robust piece of software ... and so did Valve probably.

With your background you should know how extremly unlikly the situation you describe can happen. If the individual / group that did the hack have such a profound knowledge, they'd hack banks and not a mere game publisher.


Half of the world wide online stores have my credit card number and I had never ever an issue. Quite the contrary, the CC data from my wife was stolen in a restaurant where she paid. You are never safe. Never!

well I guess Barakkus has a point. he's right, but while cautiousness is advised in this situation, it's also true that atm things have been quiet and we still don't know enough to go into a panic.

Couple friends of mine that do use steam have already had their CCs used by other people.

So you want to say, that your systems are also vulnerable?

I'm kidding. I bet you did the best job possible to create a secure and robust piece of software ... and so did Valve probably.

With your background you should know how extremly unlikly the situation you describe can happen. If the individual / group that did the hack have such a profound knowledge, they'd hack banks and not a mere game publisher.


Half of the world wide online stores have my credit card number and I had never ever an issue. Quite the contrary, the CC data from my wife was stolen in a restaurant where she paid. You are never safe. Never!

Ya that statement Barakkus made has not been confirmed to be related to steam at all in my opinion. So I am very suspicious.

How are his friends affected yet the steam forums are not overflowing with reports of CC fraud?

Ya that statement Barakkus made has not been confirmed to be related to steam at all in my opinion. So I am very suspicious.

How are his friends affected yet the steam forums are not overflowing with reports of CC fraud?

If CCP say they love Steam, then why are ISDs spamming the help channel with warnings that you shouldn't play EVE through Steam (I know I don't have to, but I don't see any disadvantages of using Steam to start EVE) everytime someone mentions Valve's service?

If CCP say they love Steam, then why are ISDs spamming the help channel with warnings that you shouldn't play EVE through Steam (I know I don't have to, but I don't see any disadvantages of using Steam to start EVE) everytime someone mentions Valve's service?

It's just that people are already trying to blame other issues on the steam hack.

A guy on there said he has fraudulent charges to his paypal and demanded Steam compensate him when there is NO evidence that paypal security has been compromised.

Blaming valve for no reason isn't helping anybody.

I wonder if theyre liable for damages given its their fault it happened for using (apparently) shoddy protection

Hmm. If the group that hacked Steam releases millions of credit card numbers, I foresee horrible, horrible things happening to them. The anti-cyber crime units in the modern world have been pretty good at arresting hackers, especially hackers of this caliber and gall. If they released millions of credit card numbers, every single bank ever would basically go into overdrive mode, and probably find a way to get governments to find and arrest them in the shortest, most violent way possible.
Considering that the banking industry basically runs every western government, it wouldn't be very difficult either. It might be Steam who was breached, but fraudulent credit card activity costs the banks money, and when it comes to not ******* around, banks are pretty much king. At least, the major, ethically questionable banks don't **** around.


Oh, and Steam is not responsible for fraudulent charges, and will not be required to reimburse people at all. If you call your bank within a few days though, they WILL refuse to pay the vendors where fraudulent charges were made. Still, this costs the banks money, and they hate that with a passion.

The number of CC numbers they could have stolen is like 1/10000th the number that are traded on the black market daily. 1 CC number goes for approximately $1 on the black market, millions of them are bought and sold every day. Sometimes they're good for a few hundred dollars in purchases, sometimes a few thousand, some are completely shut off before someone can make fraudulent charges on them. It's the cost of doing business in the internet world now a days. You'd be surprised at how much CC fraud and identity theft goes on every day.

Was it only a portion of Steam's credit card numbers that were stolen? Because I'm pretty sure Steam has millions of users, and if the encryption was broken on millions of credit card numbers simultaneously, then it would definitely not be 1/10000th the amount traded on the black market. 1/100th, maybe, but it would still be a huge influx of credit card numbers. Not to mention that these weren't stolen by taking advantage of concentrated stupid, these were stolen by hacking into a secure database.

That is a weak argument. Lets not blame the ones who did it, let blame the victims.

They have been hacked in the past.

Since many of you love Steam

The damn funny thing about this hack vs the Sony one, Sony got hacked, it was the end of the world, ppl screamin, up in arms, etc. Steam gets hacks, noone cares lol

Actually most of the people that have heard about it are too stupid to care. Sony had a wider audience :P