Steam's customer database was recently compromised. Here's the statement from Valve:

And links to news sources, who're all analysing and making speculations based on the above statement, because there's little other info available right now. The story is still breaking.

Kotaku - Steam Hacked, Valve Investigating Possible Credit Card Theft
Slashdot - Valve Announces Massive Steam Server Intrusion
Hardware Canucks - Breaking: Valve Announces Massive Steam Server Intrusion
Gamasutra - Steam Accounts Hacked, Credit Card Info Obtained
Shack News - Steam hack goes beyond forums, Valve reveals
ars technica - Valve confirms Steam hack: credit cards, personal info may be stolen
Giant Bomb - Valve Admits Steam Intrusion, No Current Evidence of Fraud

 

At least they have the guts to admit to the mistake and warn users, unlike some other companies *cough* Sony *cough*.

 

The tl;dr right now, is that no one knows how worried we should be about this.

It may be anywhere on the scale from "asshole script kiddies defaced a forum, gained access to the server with the database, but never copied it because they didn't know what they had", to "cancel your credit cards, this is a hack by professional criminals".

I'm not sure which would concern me the most.

 

Now now, the PSN was simply undergoing "extended maintenance"

One should always watch their credit card statement.

Supposedly there's no evidence that steam accounts were compromised at the moment.

I'd still change my passwords to the account, forums and such.

 

I've never been happier that I use PayPal instead of a credit card, even if these are professional criminals they'd never be able to brute force the second password that they would need.

 

Yeah... I barely ever use steam, so I have no idea how vulnerable my cc info is. Guess we'll find out soon.

 

Any peeps knowledgeable in computer security around?

Having the passwords hashed and salted means that our account passwords should be safe, right? If someone wants to make use of the entire database before they die of old age, they'd be using rainbow tables, which salting should prevent. That's my very basic understanding of the theory. Does it work that way in the real world?

The encrypted creditcard info has me worried though. Have many encrypted credit card databases been cracked before? I assume there's some kind of industry standard for encrypting credit card details which Steam was hopefully following?

On a personal note, while my Steam Forum and Steam accounts have different user names, I just realised that they shared the same password. I quickly fixed that. They wouldn't have got much use out of the Steam account anyway, because I've got "Steam Guard Account Security" turned on [go to Steam settings to find it].

 

Handy that I got a new card a few weeks ago and haven't added it to Steam yet.

Changed my password anyway, just in case.

 

QFMFT

Anyways, I always use VCC to buy games and don't have a forum account. So I am safe I guess.

 

Hmmm this is interesting. I have never added an actual credit card to my account, preferring to just manually enter it when I want to purchase something in a usually futile attempt to curb my steam splurges. Would this then mean my credit card info would not have been stored on the steam servers?

 

Having worked with credit card encryption in the past, it is usually done through keeping the first four and last four digits intact while scrambling the rest in the primary database (which, from the sounds of the Steam release, is what got hacked), while in a secondary database utilized for card number storage, the full, unencrypted values are kept. If Steam is using SQL to pass number references, you can easily correlate the pieces in the primary database to the true values in the secondary database through a reasonably well-written SQL query, but the query will also involve passing other chunks of data to precisely verify numbers.

Granted, this might not entirely be how Steam handles their transactions, but from the companies I've worked at, it seems fairly standard. So while I'd reassure you that your data is probably safe, I'd still wait for more data to be absolutely certain.

 

So, having never checked that little 'save card info for easier future checkouts' box, am I at just as much risk?

I don't use paypal. Fuck JPMC.

 

In other words... watch your credit card statements. Just in case.

 

lol So glad I don't have a CC. Unlucky pricks.

 

AFAIK they would have to create their own rainbow tables, which could take years, if they manage it at all. So yeah, the passwords should be save, but I changed mine anyway.

I hope that those attacks will stop now. I mean really, if they want money they should go work for it, not steal it from game services.

 

For the past few days, I haven't been able to open the steam client on this computer. I wonder if this is connected.

 

Is this the computer that you usually use to play your Steam games? If it isn't, then check whatever email address is associated with your Steam account. You may have "Steam Guard Account Security" turned on, which prevents you from using Steam on an unfamiliar computer until you get an access code which Steam will email you automatically.

If it is your usual computer, then maybe something has become corrupted. Exit Steam. Rename the "ClientRegistry.blob" file to "ClientRegistry.blob.old". Restart Steam. This will force Steam to ask for your login details and is generally a cure all for many Steam problems.

 

Kang has £0.54 in his account. Ahahaha jokes on you!

 

And that's why I use a virtual online credit card that I fund with a debit card. The balance on my virtual online credit card is zero, so nothing to fear for me. It can't be used if it has zero balance.