Steam user database compromised, Newell addresses Steam users

[Deleted User]

Steamguard, enough said/

 

[Ritsuki]

The forum account is the same that the one we use to log on Steam ?

 

[Foxi4]

As a gesture of goodwill gabe should give out a free game or credit
steam needs better security.

Steam giving out a free game = Steam giving out free Skyrim almost on release.

In other words, it won't happen.

Not true. They can just as well give you a selection of games and allow you to choose 1, much like Sony did.

 

[Thunderboyx]

The forum account is the same that the one we use to log on Steam ?

Nope, they are seperate. However, if you use the sameusername/pass for them, then yea it pretty much has the same fate ._.

 

[Ritsuki]

The forum account is the same that the one we use to log on Steam ?

Nope, they are seperate. However, if you use the sameusername/pass for them, then yea it pretty much has the same fate ._.

I should check. I'm not sure if I've created an account for the forums

 

[injected11]

wat about all the games i registered! ALL OF THEM ARE GONNA GET HACKED AND I WONT BE ABLE TO GET THEM??? (changes password) no more panic hahahaha (next day credit card number stolen, dies)

(Unchecks the "save credit card info" box on checkout screen)
Well that was a hard problem to solve...

Steam took proper precautions to ensure they couldn't get their hands on usable data, and informed us of what happened much quicker than other companies have in the past. People need to read the statement and understand what it says before they start bitching and moaning over something that will have no effect on them at all.

You speak as if you knew the grade of the encryption used. Encryption != everything is fine. Credit card data, in any state, is the highest form of security breach.

And you started whining and boycotting without knowing the same thing. One of Valve's main focuses is security, and they take it quite seriously. And credit card data is only saved if you specifically ask for it to be saved.

 

[TheLostSabre]

There's no such thing as a perfect security. You make it sound like the Pentagon is impenetrable and we all know at this point that is far from true. Extremely Tight yes but not immune.

 

[junkerde]

There's no such thing as a perfect security. You make it sound like the Pentagon is impenetrable and we all know at this point that is far from true. Extremely Tight yes but not immune.

agreed on this, that is why i stated that joke post b4 cuz i dont even have credit card info on steam thank god, just living off of free games, pre-steam games and such.

 

[Gahars]

Calm down everyone, there weren't any hacks; Gabe just went on a hunger binge and grabbed the wrong chips.

(Curious to see if anyone believes that)

 

[Zarcon]

If I recall, Steam encrypts Credit Card info with 256-bit AES encryption.
Last I checked, it would take longer than the entire lifespan of the universe to decrypt/break that.
Not saying you shouldn't worry, but...it's highly unlikely that out of all the accounts in Steam you'd be unfortunate enough to be the one who's CC info was successfully taken.

Steam passwords are properly salted and hashed, but it takes all of 10 seconds to change your password just to be safe.
Steam Guard makes it so any computer that isn't recognized trying to access the account needs confirmation via the email linked to the account before gaining access.
It's also on by default.

All in all, I really doubt anything will come out of this.
Except maybe free stuff for Steam users to make them feel better.

 

[Gh0sti]

Steam wont even let me change my password what the fuck so my account could be compromised and i cant do anything to fix it

 

[Zarcon]

How/where are you trying to change it?

 

[Kyohack]

A question for you all: When did steam last upgrade their vbulletin forums?

I highly suspect that this hack was caused from a MySQL injection attack on their forum. These types of attacks are quite simple, really. Performing a malicious search (on vulnerable vbulletin forum versions), while adding some MySQL commands into the search query, could dump a hashed admin password. After bruteforcing this password, you basically have access to the admin control panel in vbulletin. From there, you could execute PHP code on the server running the forum. I suspect that the attacker created a simple PHP script to read the database configuration file of vbulletin. It is not uncommon for lazy server administrators to use the same username and password for multiple MySQL databases. Possibly the database which contained credit card numbers used the same username and password as the forum database. Its a common security flaw that could be eaisly over looked.

Another stupid mistake, is that steam decided it would be OK to have the forums AND the credit card database on the same server. Keeping the database on a different server, would have prevented this attack.

 

[Gameking-4]

whats with all the hacks for personal data lately!!

 

[shakirmoledina]

must be a steam hater, i am thinking lulzsec but no updates on its twitter.
an awesome and respectable system destroyed by damn hackers. unethical hacking to say the least.

 

[AlanJohn]

Damn h4xx0rs.
*changes password*

 

[TheFireRed]

Steam was the ONLY service I trusted. Seriously, when are we going to have proper security systems?

 

[AlanJohn]

Steam was the ONLY service I trusted. Seriously, when are we going to have proper security systems?

There is no such thing as an ideal system.
Everything must have a flaw.

 

[TheFireRed]

Steam was the ONLY service I trusted. Seriously, when are we going to have proper security systems?

There is no such thing as an ideal system.
Everything must have a flaw.

We might not have an ideal one, but I'm sure they can update their systems regularly. Kyohack mentioned that Steam hadn't updated their vBulletin forums...

 

[ProtoKun7]

Glad I was banned from steam years ago, and never used any real information anyway.

Why'd you get banned?