A message sent just now from Valve Corporation head Gabe Newell says credit card numbers and other personal information were inside a database compromised during a defacement attack on the Steam forums this Sunday.
Valve is advising all of its Steam customers to keep a close eye on their credit card activity, as those numbers were inside a database the hackers penetrated during the larger attack, Newell wrote. The Steam Forums are currently closed. Steam itself is operating.
“We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating,” Newell wrote. “We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.”
The database exposed during the attack “contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information,” Newell said in the statement.
I changed my password too, but I’m more concerned about credit cards being exposed. Does anyone know if steam requests the 3-digit CCV code when you buy a game? They aren’t allowed to save it, right?
Yikes. Hopefully all is well, but this kinda sucks (understatement).
PS - Given the rash of hacks, I personally think that companies would do well to do away with the whole storing of CC info to make purchases “easier” for their customers.
If it was in fact hashed and salted passwords, that’s not really a big account risk. I mean, it’s not great, but it’s unlikely to lead to a lot of stolen accounts.
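To make concrete what “hashed and salted passwords” buys the victims of a dump like this, here is an added example (not code from the article, from Valve, or from any commenter). It builds a constructed four-row password table using PBKDF2-HMAC-SHA256 with a random per-user salt (an assumption; the page does not say which algorithm Valve used, and the iteration count is kept low so the demo runs quickly), then runs the offline dictionary attack an attacker would run against the leaked rows:

```python
import hashlib
import hmac
import os

# Assumed cost parameter; real deployments use far more iterations.
ITERATIONS = 50_000


def make_record(username, password, iterations=ITERATIONS):
    """Store a password the way a 'hashed and salted' table would:
    random 16-byte salt per user, PBKDF2-HMAC-SHA256 over the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex(), "iters": iterations}


def verify(record, candidate):
    """Login-time check: re-derive with the stored salt, compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iters"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def crack_dump(records, wordlist):
    """Offline dictionary attack against the leaked table. Because every row has
    its own salt there is no precomputed table to look up; each guess must be
    re-hashed per row, but weak passwords still fall after a handful of guesses."""
    cracked = {}
    for rec in records:
        for word in wordlist:
            if verify(rec, word):
                cracked[rec["user"]] = word
                break
    return cracked


# Constructed sample dump: three weak passwords and one strong one.
def build_sample_dump():
    return [
        make_record("alice", "password1"),
        make_record("bob", "password1"),
        make_record("carol", "hunter2"),
        make_record("dave", "correct horse battery staple 9Q!"),
    ]


# Constructed attacker wordlist (hypothetical top-N list).
WORDLIST = ["123456", "password", "password1", "hunter2", "qwerty", "letmein"]


def demo():
    """Returns (do_identical_passwords_share_a_hash, cracked_accounts)."""
    dump = build_sample_dump()
    same_hash_for_same_password = dump[0]["hash"] == dump[1]["hash"]
    return same_hash_for_same_password, crack_dump(dump, WORDLIST)


if __name__ == "__main__":
    same, cracked = demo()
    print("alice and bob share a hash:", same)   # False: salt differs per user
    print("cracked:", cracked)                  # alice, bob, carol; dave survives
```

The salt stops two users who chose the same password from sharing a hash and removes the rainbow-table shortcut, which is the risk reduction the comment above is pointing at. It does not stop per-row guessing: the three common passwords fall inside six attempts each, and only the long random passphrase survives, which is why changing a weak Steam password after a dump like this is still worth doing.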
With SteamGuard enabled, it shouldn’t be a problem anyway. Just be sure to enable SteamGuard by going to Settings under the Steam entry in the upper left hand corner of the client.
Yeah, I’m a little more worried about the card than the account - I have faith that Valve will sort out accounts if they get swiped and that they’ll work through “gifts” which are purchased fraudulently. On the other hand, if someone has raw card data, then that could completely screw several people over. Various banks have differing levels of fraud response, and frankly I wouldn’t want to trust myself with their good graces.
Well it’s not raw credit card data, it’s obfuscated or hashed in some way. Hopefully they actually encrypted the data. That’s a pretty expensive operation, so many environments cheat and just hash them or use a cheaper operation to obfuscate rather than encrypt.
True, it’s not raw. But here’s the thing - if it’s encrypted (which it is, according to Gabe), why would they grab it if they didn’t have the means to break the encryption?
You can store the credit card numbers and personally identifiable information for millions of people in 1GB. Remember 1KB is 1024 characters, so that’s probably 3 people right there. Do the math, comes out to 3 million people in that 1GB. So the question isn’t why download it, the question is why not download it?
And of course once you’ve got someone’s full name, address, mother’s maiden name, etc, you can steal their ID. Not that I think anyone’s going to bother, since there are so many fully documented credit card and paypal accounts available cheaply bundled by the 100s on Russian websites.
So glad I started using KeePass after the PSN Hack.
Just visited Steam - Clicked Change Password
Opened KeePass, opened the steam profile, clicked the button “create a new password”
Voila, a new 128-bit password I’ll never have to remember.