Possible Steam Security Breach

SwampFae

Super Moderator
Staff member
Just found this message posted on the Steam forums. (link embedded in the blue icon)

Originally Posted by Gabe
Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.
 

Wol

In Cryo Sleep
What does this actually mean, aside from making me want hash browns?

Hashing is turning one lot of info into another, to the point where it can't be reversed. MD5 is the de-facto standard that's used for this.

e.g. if my password is "apple" - then the MD5 hash is "1f3870be274f6c49b3e31a0c6728957f"

The hash is then what's stored in the database. Anyone who gets a copy of the database knows what the hash is, but can't work out what the original password was (not mathematically anyway).

*however* there are reverse hash lookups which use dictionary attacks to generate the reverse lookups for this. So if you find an MD5 reverse lookup table, and type the above hash in, you can get "apple" back.

That's the insecure version of using hashing. Obviously using a more secure password like "g3qM8950Ch", it's not going to be found in a dictionary (thus the whole "strength" of a password thing), and you would have to brute force 62^10 combinations to get to that point (62 = A-Z a-z 0-9) (^10 = 10 letters in the above; of course you then need to count the 9-letter, 8-letter passwords and so on).


Adding a salt basically pads your password with random data, so rather than it just using a normal dictionary word being hashed which can be looked up in a reverse lookup table, it's now a dictionary word with some munge around it.

e.g.:

password: apple
salting the password = "herp" + pass + "derp" e.g.: herpapplederp

You then take the md5 hash of "herpapplederp" which gives: d2c05f1c3388fcc8926d0978af015f7c

Same password, but you will not find that latest hash in a reverse lookup table.

You can then add your username into the mix there, so if you have a username of "panda", with a password of "apple", and the salt from above, you'd be taking the md5 hash of: "pandaherpapplederp" - which is "9b5fe517ecc3b1fa59312936fe3e4b4c".

If you try and login, and give that info, you can then compare to see if the two hashes are the same, without the database knowing what your password is!

You can then go further still and MD5 the hash again. This way unless someone creates a massive reverse lookup table of each possible md5 sum, it's impossible your password will ever be recovered from the hash.

That's kinda a ..... garbled explanation of it anyway :)

"encrypted cc details". They're using a security certificate to encrypt the credit card details, so in the database, they're not storing your card number or anything directly, and you need their decryption key to decrypt it. Without the key - you can't decrypt it.


And that's why I'm not really worried. No idea if they're storing billing addresses encrypted or not though. But there are other places to get people's addresses from :p
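The hashing and salting scheme Wol describes above, worked through in Python as an added example (this is not code from the thread, from Steam, or from Valve). It reproduces the post's plain-MD5 and fixed-salt variants using the post's own values ("apple", "panda", "herp"/"derp"), builds a tiny constructed stand-in for a reverse lookup table from five dictionary words to show why the salted hash is not found in it, and then contrasts that with what a defender would store instead: a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library) compared in constant time. The PBKDF2 record layout, iteration count and function names are this example's own assumptions, not anything the post or Steam describes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Values taken from the post above.
PASSWORD = "apple"
USERNAME = "panda"
STATIC_SALT_PREFIX = "herp"
STATIC_SALT_SUFFIX = "derp"


def md5_hex(text: str) -> str:
    """Plain MD5 of a string, hex-encoded: the 'insecure version' in the post."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def salted_md5(password: str, username: str = "") -> str:
    """The post's fixed-salt scheme: md5(username + 'herp' + password + 'derp')."""
    return md5_hex(f"{username}{STATIC_SALT_PREFIX}{password}{STATIC_SALT_SUFFIX}")


# Constructed stand-in for a 'reverse lookup table': a handful of dictionary
# words hashed ahead of time and indexed by their hash. A real table is the
# same idea at a much larger scale.
WORDLIST = ["apple", "banana", "cherry", "password", "steam"]
REVERSE_LOOKUP = {md5_hex(w): w for w in WORDLIST}


def reverse_lookup(hash_hex: str) -> Optional[str]:
    """Return the word whose MD5 matches, or None if the hash is not in the table."""
    return REVERSE_LOOKUP.get(hash_hex)


# Hardened alternative (an assumption of this example, not the post's scheme):
# a random per-user salt plus a deliberately slow KDF, so one precomputed table
# helps against nobody and each guess costs the attacker real CPU time.
PBKDF2_ITERATIONS = 200_000


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the stored record for a user: salt, iteration count and digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    plain = md5_hex(PASSWORD)
    print("md5(apple)            =", plain)
    print("found in lookup table =", reverse_lookup(plain))
    salted = salted_md5(PASSWORD)
    print("md5(herpapplederp)    =", salted)
    print("found in lookup table =", reverse_lookup(salted))
    print("with username mixed in=", salted_md5(PASSWORD, USERNAME))
    rec = make_record(PASSWORD)
    print("pbkdf2 verify apple   =", verify(PASSWORD, rec))
    print("pbkdf2 verify Apple   =", verify("Apple", rec))
```

Note that the fixed salt in the post is the same for every user, so an attacker who learns it can still build one table for the whole database; the per-user random salt in `make_record` is what forces a separate effort per account, and the iteration count is what makes each guess expensive.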
 

SwampFae

Super Moderator
Staff member
THREAD NECROMANCY!.. with an update *cough*
So. Gabe just posted this:

Originally Posted by Gabe

10 February 2012
Dear Steam Users and Steam Forum Users:

We continue our investigation of last year’s intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it’s a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

Gabe

Source: Steam Update news (page 1/4) for the Steam client.
 

Ghostwolf67

Well-Known Member
Don't worry Gabe, we forgive you.

Edit: blanked my post, which was much better but CBA to write it again...
 