Steam hacked, change your password asap

[PatientZero]

http://www.rockpapershotgun.com/2011/11/...am-hacked/

We’ve just had a note from Gabe Newell saying: “Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.”

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

It might be a good idea to change your Steam password, clearly.

Nobody is saying how much data has been compromised, so it's a safe bet that it's more than they're willing to admit.

[Rosencrantz]

Changed my password on the off-chance

although I'm just hoping nothing of value was actually taken. Might be a longshot to ask for, but hey: I need to be more optimistic every now and then so !!


EDIT:
also, what about Steam Guard?

[PatientZero]

For anyone worried, let me give a brief rundown of how security on Steam works, it's actually surprisingly good.

Firstly, your password is not stored as readable text, that would be silly, there are three levels of encryption they use to store it;
1.Generate a hash from your password, this encrypts it into a string of numbers and letters, each section varies depending on what letter it is, and also the what the whole word is.
2.Salt the hash, this means it adds a specific set of characters to the end, then re-hashes it, so you would need to know this code to work out what the original has was.
3.Encrypt the hash, this can be any number of techniques to change the hash code into something entirely different, you would need the encryption key and to know what encryption system they're using to decrypt it.

In effect you would need to know what encryption they're running, what the encryption key is, what the salt code is, and an insane amount of computer time to have a shot at decrypting the hash back to the original password, even someone inside Valve with direct access to the database couldn't tell what your password is.

It also emails you to confirm when a different computer tries to log into your account, tries to change the password, or anything else to do with accessing it, this is the Steam Guard system and it works very, very well.
(when they added it, Gabe Newell himself gave out the password to his Steam account at the conference just to show how secure it was)
In theory your password is totally safe.

So why change your password? Because you should always do that when there's a data leak, the only information we have is that something has gone wrong somewhere, and there is no way to judge what's been compromised or what tricks are being pulled, never underestimate how crafty people can be, and always assume they've thought of something you haven't.

The big scare here of course is if you have a bank account linked to your Steam account, that's the data you really don't want getting out, it's not as well encrypted (because the system actually needs to be able to decrypt it without any input) and the encryption key could be cracked.
If you DO have any bank details logged with Steam, I'd suggest you unlink them to be safe, and keep an eye on any transactions going through that account, I'll be keeping my ear to the ground to catch if the data gets leaked anywhere and if I can get a copy of it I'll be happy to check it to see if anyone here was compromised.
(note: Paypal accounts should be perfectly safe, it's not part of Steam so none of your account details get stored there, it's only card details you need to worry about)

[Alex IDV]

[PatientZero]

AES256 is about as secure as encryption can get right now, for those not down with the lingo that's "Advanced Encryption Standard" and the 256 is how many bits the key is, think of it sort of like having a 256 character password of random letters and numbers.

It's good and strong, not technically impossible to crack but it would require so much computing power and take so long that it's just not realistic, which would be why there's no real risk in telling people that's what they're using.

But I've been hanging around the hacking "scene" for a while now, and that's how a programmer would think, not a hacker, there are far more subtle ways of getting data than just brute-forcing it, personally if I knew something had 256bit encryption I wouldn't even try to crack it, I'd try to get the key some other way, a compromised admin account, a remote exploit, or any other indirect attack.
To use an analogy, it doesn't matter how strong the door is or how many locks it has, because I'm trying to get through the window.

I'm all about not inflating the problem or scaremongering, in all likelihood the data is safe, but that doesn't mean you should be complacent about it, in the long run it always pays off to take the little steps extra to make sure of it yourself.

[Dazz]

Also, free copies of DOTA 2 and Portal 2.

Happy days.

[Rosencrantz]

I'm actually looking forward to a free copy of DOTA2, I've been dying to play that game.

Excite~

[Keychain]

Welp, good thing I turned down someone's Dota 2 offer for my TF2 stuff. I got Skyrim instead, and now I could get Dota 2 for free?

[Dazz]

[DioShiba]

well shit.

looks like we won't be getting free games.

[Alex IDV]

How do we know if that second image isn't some guy with an evil soul's photoshop though?

[Dazz]

That is true, but which looks more likely?

[DioShiba]

Do any of them look like they're for real?

If anything they have the same email and crap so I'm wondering if someone managed to hack his E-mail and just said that.