PSA: Steam hacked


Kyllian

if (Driver == Bot.Pawn); bGTFO=True;
Aug 24, 2002
Here's the message I got after exiting a game
November 10th, 2011
Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

This is why I never store CC info when making purchases
 

Sir_Brizz

Administrator
Staff member
Feb 3, 2000
The passwords were hashed and salted and the credit card numbers were encrypted. Yeah. Talk about useless data that would have to be brute forced and would not be worth the hackers' time.
 

Hadmar

Queen Bitch of the Universe
Jan 29, 2001
Nerdpole
The passwords were hashed and salted and the credit card numbers were encrypted. Yeah. Talk about useless data that would have to be brute forced and would not be worth the hackers' time.
Encrypted CC numbers are just one more hurdle. A hurdle you should have, yes, but it's not an impenetrable magical barrier. The billing system needs to work with those numbers and they are not much of a help if they are encrypted. That means that the password has to be stored somewhere in the system. There are several ways this can be implemented, and some are more and some are less secure. The point is: it's possible that they also got the password for the CC numbers and don't have to brute force anything.
 

Sir_Brizz

Administrator
Staff member
Feb 3, 2000
Encrypted CC numbers are just one more hurdle. A hurdle you should have, yes, but it's not an impenetrable magical barrier. The billing system needs to work with those numbers and they are not much of a help if they are encrypted. That means that the password has to be stored somewhere in the system. There are several ways this can be implemented, and some are more and some are less secure. The point is: it's possible that they also got the password for the CC numbers and don't have to brute force anything.
Where a database table would not require the highest privileges, things that decrypt data in the database are usually stored in root-access-only files (if you're smart). I can't guarantee that happened, but tracking down that file would take more time than the length of the hack, frankly, even if it was stored in plain text and accessible to everyone. I don't know what the Steam site is built in, or their payment processor, but it's also possible that the decryption password is compiled into their code, adding yet another layer of complexity. The point is, we don't know, but chances are probably pretty high that the hackers would have to brute force the encryption, which would take more time than it was worth.
 

Hadmar

Queen Bitch of the Universe
Jan 29, 2001
Nerdpole
Where a database table would not require the highest privileges, things that decrypt data in the database are usually stored in root-access-only files (if you're smart). I can't guarantee that happened, but tracking down that file would take more time than the length of the hack, frankly, even if it was stored in plain text and accessible to everyone. I don't know what the Steam site is built in, or their payment processor, but it's also possible that the decryption password is compiled into their code, adding yet another layer of complexity. The point is, we don't know, but chances are probably pretty high that the hackers would have to brute force the encryption, which would take more time than it was worth.
In a file, or maybe in RAM only, wherever, it has to be there somewhere. Yes, we don't know what the system looks like and what exactly happened.

But that's kinda my point: we don't know.
And because of that, saying "the data was encrypted, don't worry" is not a good idea.
 

Sir_Brizz

Administrator
Staff member
Feb 3, 2000
I'm not saying not to keep an eye on your accounts, I'm just saying it's unlikely that anything will happen that is tied to the hack.

Also, your password won't be taken. Unlike the Sony hack, Valve has hashed and salted passwords. By design they cannot be reverse engineered.
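To make the "hashed and salted" point in the post above concrete, here is an added example (not code from this thread or from Valve) of how a site stores and verifies passwords that way. It uses only the Python standard library (PBKDF2-HMAC-SHA256 via hashlib); the record format, iteration count and helper names are assumptions for illustration. It shows the three properties the discussion turns on: the stored record cannot be turned back into the password, two users with the same password get different records because each gets its own random salt, and a stolen record can only be attacked by paying the full key-derivation cost per guess, which is why the iteration count matters and why old records should be flagged for rehashing.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example. The iteration count is the knob that
# makes each guess against a stolen table expensive; raise it over time.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    The salt is random per user, so identical passwords never share a record
    and a precomputed table of hashes is useless against the stolen data.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    There is no way to recover the password from the record; the only check
    possible is to run the same derivation on a candidate and compare.
    """
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=DKLEN)
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_different_records(password: str) -> bool:
    """True when two hashings of one password produce distinct records."""
    return hash_password(password) != hash_password(password)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """Defender-side audit: flag records derived with fewer iterations than
    the current policy, so they can be upgraded at the user's next login."""
    _algo, iterations, _salt, _digest = record.split("$")
    return int(iterations) < min_iterations


if __name__ == "__main__":
    # Constructed sample input, not real account data.
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("correct password verifies:", verify_password("correct horse battery staple", rec))
    print("wrong password verifies:", verify_password("wrong guess", rec))
    print("same password, different records:", same_password_different_records("hunter2"))
    legacy = hash_password("old", iterations=1_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

Salting does not make a weak password safe: a stolen record can still be checked one guess at a time, which is the caveat raised elsewhere in this thread. What the per-user salt and the iteration count buy is that every guess costs a full derivation against every record separately, so the defender controls how expensive that work is.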
 
Mar 19, 2002
Denver Co. USA
I'm not so worried about the Steam account as my credit card, so I've done a check on it and everything is cool right now.
I'll probably give it another check in a few days.

My credit card company might get tired of me doing this so often, but I could always cancel the number with a quick phone call and get a new one issued.
 