Steam hack: personal information, encrypted credit card data compromised

They are not entirely clear in their statement if only the forum passwords were compromised or the steam account passwords, too (which are separate).

They talk about a database being compromised in addition to the forum, which they say contains passwords. But what passwords? Those of the forum or those of the steam accounts?

And: I thought I read somewhere that the CC info is only stored locally on your computer if you pay via steam client??

OK, I’m at work so I have access to the Steam Store but not the client installed. How the hell do I change my password from the main Steam pages? Can I only change my account password if I have the client installed and running?

Luckily I’ve been using Paypal to pay for everything on Steam in the past couple of years. They did have a CC tied to my account, but it was an old one I closed long ago, so I deleted it and it’ll be useless to the hackers anyway.

Ha, you’re right!

Wasn’t there also an incident where someone “hacked” Gabe Newell’s forum account, because his password was something like “gnewell”?

Yeah, one should really take notice…

Yes but many retailers don’t use it, also I’m still entering my CC info into the retailer’s site and they can still save it. I’m saying the only place I should ever be entering my CC info is to a server owned and operated by my CC company, not the retailer’s site. There’s no reason Visa and MasterCard can’t enforce something like that either. It could function similarly to Google Checkout: it sends the purchase price to my CC company’s site, I enter my info, the CC company sends back the authorization result and a transaction number if authorized. Vendor never sees the CC number.

If they’re competent, the “credit card information” is a payment token generated from the gateway, not an actual number. You can have saved credit cards for repeat billing w/o having to store the credit card number.

I think the only way you can change your password is from the client. I’m in the same situation.

Client won’t let me change the password either. It keeps saying “try again later”.

Bummer, I suspected as much. I’ll have to change it when I get home tonight.

Fortunately, my laptop also has Steam on it. Password changed. Also fortunately, I’m changing banks in a month so I’ll have to cancel that card anyway, so I’m fairly well protected.

Yeah my CC expires this month so I’m not too worried about it. What I’m more worried about is that I haven’t gotten a replacement yet.

This makes me so glad my CC expired a week ago.

I use a Citi card and just found out they’re sending me a new one due to a recent security breach. I’m not sure it’s related, but it’s good timing.

The sad thing is this seems to happen once every 6 months. Fortunately I wrote down all the sites that use automatic credit card billing so I can update them quickly.

All I keep thinking is when is Amazon going to be hacked? Not if, when.

Given that XBox Live was able to keep charging credit cards despite wrong expiration dates I’m not sure this is any comfort. :(

Well, if that’s the attitude one must take, banks can be hacked too…

That would be the fault of the CC company. They shouldn’t be authorizing payments on expired cards, period.

No, Valve has to have encrypted the card numbers (because they need to decrypt them so they can send the actual number in cleartext off to their payment processor to actually process the charge). A one-way hash would actually be more secure, as there’s no way to get the cleartext card number out of it. There are a variety of ways they could have implemented a secure credit card store that would minimize the risk to customers if their database was compromised, but the fact that the attackers got the salt values as well as the encrypted card numbers suggests that Valve took a simple-minded approach, probably with a private key deployed outside the database somewhere (e.g., on the filesystem). If the attackers compromised the key then they have all the credit card numbers. If not it’s a matter of time and rainbow tables. Either way I’m not sanguine.

Do we know they got the salt values?

Although on second thought, reading Gabe Newell’s announcement a little more closely, he says the salt that was compromised belonged to the forum accounts, not the credit card info, and also that they don’t have evidence that encrypted card numbers were “taken” - presumably they are looking at SQL access logs or the like. That makes me feel a bit better. This is still not great news for anyone who uses the same password on multiple accounts, though.

Yeah. Here’s the whole notice, for the record:

(Edit: oh, my mistake. Looks like he just says they got the salted hash values, not the salt values.)
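The thread above keeps circling back to what a "salted hash" actually buys a site whose password table leaks (the comment contrasting reversible encryption of card numbers with a one-way hash, and the later edit noting the forum leak exposed salted hash values). The following is an added example, not code from this thread, from Valve, or from the forum software, showing the defensive side of that discussion: a per-user random salt plus a slow key-derivation function, a constant-time verify, and a check for records whose work factor is too low and should be rehashed at next login. The storage format, the iteration count and the salt length are assumptions chosen for the example, not anything the page states about Steam's implementation.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; a real
# deployment tunes it to its own hardware budget and raises it over time.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed (rainbow) table only ever matches one
    salt, and a leaked table does not reveal which accounts share a password.
    The salt is stored next to the digest on purpose: it is not a secret, its
    job is to be unique. The iteration count is what makes guessing slow.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so timing does not leak how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the stored record uses a weaker work factor than current policy.

    After a breach (or simply as hardware gets faster) the defensive move is to
    raise the iteration count; since the plaintext is only available at login,
    the site re-hashes each account the next time its owner authenticates.
    """
    try:
        algo, iterations, _salt_hex, _digest_hex = record.split("$")
        return algo != "pbkdf2_sha256" or int(iterations) < min_iterations
    except ValueError:
        return True  # unknown or malformed format: treat as needing migration


def login(password: str, record: str) -> Optional[str]:
    """Verify, and if the record is out of policy return an upgraded record
    for the caller to store; otherwise return the original record. None means
    authentication failed."""
    if not verify_password(password, record):
        return None
    return hash_password(password) if needs_rehash(record) else record


if __name__ == "__main__":
    # Constructed sample data: two users who happen to pick the same password.
    users = {"alice": hash_password("correct horse"), "bob": hash_password("correct horse")}
    print("records differ despite same password:", users["alice"] != users["bob"])
    print("alice logs in:", verify_password("correct horse", users["alice"]))
    print("wrong password rejected:", verify_password("battery staple", users["alice"]))
    old = hash_password("correct horse", iterations=1_000)  # a legacy, too-cheap record
    print("legacy record flagged for rehash:", needs_rehash(old))
```

Note that salting alone does nothing for the "same password on multiple accounts" worry raised in the thread: it only prevents an attacker from recognizing reuse by comparing hash tables. Once a weakly stretched hash is cracked, that password is still valid wherever the user reused it, which is why the work factor and the rehash-on-login path matter as much as the salt.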