Steam hack: personal information, encrypted credit card data compromised

… so says Kotaku

A message sent just now from Valve Corporation head Gabe Newell says credit card numbers and other personal information were inside a database compromised during a defacement attack on the Steam forums this Sunday.

Valve is advising all of its Steam customers to keep a close eye on their credit card activity, as those numbers were inside a database the hackers penetrated during the larger attack, Newell wrote. The Steam Forums are currently closed. Steam itself is operating.

“We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating,” Newell wrote. “We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.”

The database exposed during the attack “contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information,” Newell said in the statement.

Yeah, just got the message on Steam. Changed my password.

I changed my password too, but I’m more concerned about credit cards being exposed. Does anyone know if Steam requests the 3-digit CCV code when you buy a game? They aren’t allowed to save it, right?

Hummm… Never saved my CC data on Steam, hopefully that means there’s no chance it was compromised.

They aren’t allowed to save it. I vaguely remember having to put it in each time I buy something.

Until about a month or two ago, I never stored my CC info on Steam. I finally caved when I started buying a bunch of cheap games on sale.

Yikes. Hopefully all is well, but this kinda sucks (understatement).

PS - Given the rash of hacks, I personally think that companies would do well to do away with the whole storing of CC info to make purchases “easier” for their customers.

If it was in fact hashed and salted passwords, that’s not really a big account risk. I mean, it’s not great, but it’s unlikely to lead to a lot of stolen accounts.
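As an added illustration of what “hashed and salted” buys a site whose user table leaks (example code written for this thread, not Valve’s scheme, which nobody here describes): the block below uses PBKDF2-HMAC-SHA256 with a random 16-byte salt per user, an iteration count and a three-row user table that are all constructed for the example, and shows that two users who chose the same password end up with unrelated stored digests, so a dump of the table gives an attacker no ready-made passwords and no single precomputed table that works across all rows.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Parameters assumed for this example (not Steam's real configuration):
# PBKDF2-HMAC-SHA256, a 16-byte random salt per user, 200k iterations
# so that each guess against a leaked row costs the attacker real CPU time.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def same_password_different_digests(password: str) -> bool:
    """Why per-user salts matter: the same password hashed for two users
    yields two unrelated digests, so cracking one row says nothing about
    the other and no single rainbow table covers the whole dump."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


def build_user_table() -> Dict[str, Tuple[bytes, bytes]]:
    """A constructed 'leaked' user table: username -> (salt, digest).
    Alice and Bob deliberately share a password."""
    table: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in [("alice", "correct horse"), ("bob", "correct horse"), ("carol", "hunter2")]:
        table[user] = hash_password(pw)
    return table


if __name__ == "__main__":
    users = build_user_table()
    salt, digest = users["alice"]
    print(verify_password("correct horse", salt, digest))    # True
    print(verify_password("wrong guess", salt, digest))      # False
    print(users["alice"][1] != users["bob"][1])              # True: same password, different rows
```

The stored salt is not secret; its job is only to make each row its own cracking problem, and the iteration count is what makes each guess slow. Passwords that are short or common are still guessable row by row, which is why the thread’s advice to change the password anyway is sound even with salted hashes.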

They don’t require anything that isn’t stored. That’s my experience.

I had changed my password when I first heard about this. And I never allowed Steam to save my CC number. Is that enough?

With SteamGuard enabled, it shouldn’t be a problem anyway. Just be sure to enable SteamGuard by going to Settings under the Steam entry in the upper left-hand corner of the client.

Who gives a fuck about steamguard? They stole credit card numbers.

Yeah, the first part of my post was answering the question. Even if you store your CC, they are not allowed to store the CV2.

The second part was my own lamenting about finally giving in and letting them store my CC number.

Yeah, I’m a little more worried about the card than the account - I have faith that Valve will sort out accounts if they get swiped and that they’ll work through “gifts” which are purchased fraudulently. On the other hand, if someone has raw card data, then that could completely screw several people over. Various banks have differing levels of fraud response, and frankly I wouldn’t want to trust myself with their good graces.

Well it’s not raw credit card data, it’s obfuscated or hashed in some way. Hopefully they actually encrypted the data. That’s a pretty expensive operation, so many environments cheat and just hash them or use a cheaper operation to obfuscate rather than encrypt.

True, it’s not raw. But here’s the thing - if it’s encrypted (which it is, according to Gabe), why would they grab it if they didn’t have the means to break the encryption?

You can store the credit card numbers and personally identifiable information for millions of people in 1GB. Remember 1KB is 1024 characters, so that’s probably 3 people right there. Do the math, comes out to 3 million people in that 1GB. So the question isn’t why download it, the question is why not download it?

And of course once you’ve got someone’s full name, address, mother’s maiden name, etc., you can steal their ID. Not that I think anyone’s going to bother, since there are so many fully documented credit card and PayPal accounts available cheaply bundled by the 100s on Russian websites.

Valid point, stusser. Thanks for easing my mind a bit.

Grrr! Why did I trust my CC info with a company who had their flagship game source code stolen???

quote from the other thread:

So glad I started using KeePass after the PSN Hack.

Just visited Steam - clicked Change Password.
Opened KeePass, opened the Steam profile, clicked the button “create a new password”.
Voila, a new 128-bit password I’ll never have to remember.