
Steam hacked - All Steam users are advised to change their Steam passwords (Nov. 2011)

Discussion in 'Civ5 - General Discussions' started by The_J, Nov 10, 2011.

  1. SammyKhalifa

    SammyKhalifa Warlord

    Joined:
    Sep 18, 2003
    Messages:
    5,023
    What a silly argument. Heck, since I'm vulnerable somewhere anyway, I might as well just put my credit card number and password information right here in this post. It's something that other places collect anyhow. If I do what I can to minimize my exposure I'm just being a hypocrite--after all, I've bought something online before.

    I'm pretty sure that the people who argued against Steam for single player Civ said that it was an unnecessary additional layer of risk, not that if they don't use steam there is no risk. They are 100% correct on that front. You can't explain that little bit of truth away.

    My main issue here isn't even that the company was hacked--that happens. My job is in online fraud prevention, and I fully understand how these things work (I don't need any lessons, thanks.) Such things are a fact of life.

    However, I probably played civ (on Steam, of course) for about four or five hours since Sunday. I logged into Steam two or three times. The first time I heard about this was last night, from a third party. I logged into steam after reading this, and still there was nothing. I've logged into the email account that I have registered on Steam, and there is no message about this. I look at valvesoftware.com, and do not see anything listed on the main page or in their "news." There's only some information about new products I can buy. I look at the "NEWS" at steampowered.com. I see a sale for the new Elder Scrolls they listed this morning, but nothing of a breach. Oh, I see . . . there it is if I happen to want to look at the forums. I'm sure they decided that everyone who might be interested in this information logs onto the forum before doing anything else. I'm sure that is what it is personally, but someone a little more cynical might think that they were trying to sweep it under the rug.

    That said, at least they're getting around to it a little faster than some others have.
     
  2. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    Thanks for the warning.
     
  3. Keejus

    Keejus Chieftain

    Joined:
    Mar 6, 2011
    Messages:
    311
    Location:
    Denmark
    Honestly, I'm mostly excited for the inevitable free stuff Steam will offer as an apology
     
  4. SuperJay

    SuperJay Bending Space and Time

    Joined:
    Sep 24, 2010
    Messages:
    3,273
    Location:
    Shacklyn
    Like free copies of DOTA 2 and Portal 2? Could be, according to Gabe:

    Spoiler :
     
  5. MqsTout

    MqsTout Chieftain

    Joined:
    Mar 30, 2002
    Messages:
    211
    Location:
    Pittsburgh
    This is why I buy -- not rent -- my games. If it requires online activation, it's not for me.
     
  6. Smokeybear

    Smokeybear Chieftain

    Joined:
    Apr 9, 2011
    Messages:
    1,240
    Location:
    US
    Sorry to be the one to have to break this to you, but before much longer, there are going to be very few new games of any kind that don't require some form of online activation. You will be sitting there playing Tetris and Pong, and not much else.
     
  7. Maniacal

    Maniacal the green Napoleon

    Joined:
    Mar 13, 2005
    Messages:
    18,778
    Location:
    British Columbia, Canada
    Yeah, and hopefully not games that many people already have (Portal 2 is great but um I kind of own it and it isn't very expensive for people to buy, and I couldn't care less about dota 2).
     
  8. Bad Brett

    Bad Brett Chieftain

    Joined:
    Sep 4, 2002
    Messages:
    828
    Unless you break the law... :mischief:

    Way to go! Punish the loyal customers and let the pirates have the good stuff. Also, I can't remember last time I bought a game without regretting it. Must have been five years ago.
     
  9. Solver

    Solver Civ4/5 beta tester

    Joined:
    Mar 22, 2002
    Messages:
    1,260
    Location:
    Latvia, Riga
    The far more important thing from that pic SuperJay posted is that financial information is encrypted with AES256 in the Steam databases. That means the chances of that data becoming accessible are very low (if it happens, it would be due to other errors, breaking the 256-bit AES encryption is not feasible).

    While the probability of Steam accounts and especially financial data being compromised remains very low, changing your Steam password is a good idea because it takes just a minute to do. And it's equally important to realize that uninstalling Civ5, Steam or removing your account does nothing whatsoever to improve your security.
     
  10. Smokeybear

    Smokeybear Chieftain

    Joined:
    Apr 9, 2011
    Messages:
    1,240
    Location:
    US
    Wow, you really are Mr. Hard To Please ;)

    I've bought at least 15+ games in the last five years, mostly all big-name titles, and while I'd call a couple of them goose-eggs or so-so, most ranged from quite fun to most excellent. Or you just have really bad taste in games... <ducks> :lol:
     
  11. Depravo

    Depravo Siring Bastards

    Joined:
    Sep 28, 2005
    Messages:
    1,224
    Location:
    England
    Uh, the consequences of failing to tell your customers about something like this are potentially far worse. I get that it isn't going to be a serious issue for most of us, but you want to know about any kind of potential privacy breach ASAP and finding out only because someone was kind enough to flag it up on this site is pisspoor.

    In any case it's their clear responsibility to get the word out by any means necessary, they don't get a pass to hush something like this up just because it might put support under strain.
     
  12. Maniacal

    Maniacal the green Napoleon

    Joined:
    Mar 13, 2005
    Messages:
    18,778
    Location:
    British Columbia, Canada
    A simple one time online authentication/activation when installing the game is pretty common and unobtrusive. Most games do not require more than that, so does Steam (although it doesn't always work as well as it should).
     
  13. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    Perhaps you should consider finding another hobby?
     
  14. Bad Brett

    Bad Brett Chieftain

    Joined:
    Sep 4, 2002
    Messages:
    828
    That's why I rarely buy games. Railroads! Civ:Col, Civ V, the new Settlers games... All of them are crap in my opinion.

    Instead I play the original Colonization from 1994, Settlers II from 1996, Railroad Tycoon Deluxe from 1993, Transport Tycoon from 1994 and Dune II from 1992. These games are ten times better than any new game I've played, don't require any expensive graphic cards and don't require any online activation. :)

    I'm fine with that as long it's about preventing piracy. However, Steam is not about preventing piracy. Steam is a marketplace/rental store.

    - Steam keeps track of what games you're playing
    - Steam shows ads of other games you might be willing to buy
    - Steam forces you to run Steam for no apparent reason, other than to be able to collect data and show ads
    - Steam prevents you from selling games you don't like

    It's not designed to stop pirates, no matter what they claim. Steam is about getting more control over the people who actually pay for the game, because they are the ones that are most likely to buy DLC's and other games. Very few people would visit the local game store every week to buy the latest DLC, however, when it's only a click away and your credit card is already connected, it's much more tempting. So whether or not you "enjoy the benefits of Steam", make no mistake - You are NOT helping to prevent piracy. You are just helping the software companies to adopt a more lucrative way of doing business. Not by preventing piracy, but allowing them to make more money from the paying customers.
     
  15. Maniacal

    Maniacal the green Napoleon

    Joined:
    Mar 13, 2005
    Messages:
    18,778
    Location:
    British Columbia, Canada
    Well there's your problem, you're trying to buy new releases (that aren't as good) of old games. You need to branch out a bit more and do some more research, tried the Total War or any of Paradox Interactive's games? Come over to the All Other Games subforum here and ask for suggestions of good games, you won't regret it.

    EDIT:

    Not only has no one said it is only about piracy, I don't think anyone denied that Steam included a store and was a service that wants to sell you games.

    Yes, it does, and so do many non-Steam and console games, and...?

    Well yeah, and if you don't find the notifications to be useful and informative like plenty of people do you can turn them off. I generally hate advertising too, but I find them very helpful in keeping up to date about new games and sales and stuff.

    "No apparent reason" is quite the cop out. I know it isn't the most ideal situation, but for the updates, downloading, etc etc etc Steam is required. Don't like it, then buy it.

    Let's face it, if publishers had their way you'd NEVER be able to resell, lend or give away your games regardless of where you bought them. Publishers HATE the used market, and the one digital retailer that does let you trade in your games requires you to authenticate them online at least every 3 days or it doesn't let you play your games (Green Man Gaming). It is hardly the biggest problem though, and if you really dislike it then there are other places to get games that let you give them away (like Good Old Games, although that would be almost like piracy).

    I am shocked, utterly shocked to learn that developers, publishers and distributors are in this business to make money! I don't know why you keep going on about piracy in this paragraph, since it has nothing to do with legitimate customers who are willing to fork over cash for DLC. Sure Steam makes that easier, but lots of people bought overpriced and mediocre DLC for games through much more inconvenient methods (and still do, X-Box Live points for example). One bonus to it on Steam is that the DLC sometimes goes on sale (making some of it actually worth its price tag). With or without Steam increased monetization of games is going to continue, Valve is simply being smart and getting a cut of the money (it has also proven to be extremely profitable with TF2 items). Also last but not least, anti-piracy is only ONE 'feature' (or whatever) of Steam, and I am sure everyone is well aware that no DRM can stop pirates.
     
  16. WimpyTheWarrior

    WimpyTheWarrior Chieftain

    Joined:
    Dec 31, 2003
    Messages:
    294
    Location:
    Sydney, Australia
    Have you been hacked at Steam?
    Yes. The Steam notification identified the personal detail and encrypted detail that was taken. The bad guys have (and will sell) your personal detail, identified by Steam as name, email address, and billing address. The encrypted data is your credit card details and your password.

    As a high volume credit card processing merchant, Steam is subject to the Payment Card Industry - Data Security Standard (PCI-DSS). PCI-DSS mandates a strong encryption scheme, and Steam would have been regularly audited for their compliance under PCI-DSS. If they fail their PCI-DSS audits they are not allowed to accept CC transactions. So it's not impossible, but unlikely that your credit card details will be decrypted.

    One thing you can do to protect yourself from this is to NOT store your details on their server. On the Steam payment screen, leave blank the tickbox that says "Save my payment information so checkout is easy next time". I NEVER leave payment details on a merchant site if given the option. When you leave that box blank, your details are ONLY used for the current transaction, and not stored. Would you leave your credit card with a store "so payment is easy next time"? Didn't think so.....

    Have you been hacked at other sites?
    Here is a good site to see if your email account has been harvested in the growing number of hacks:
    https://shouldichangemypassword.com/

    This site is maintained by good guys that collect the details posted by bad guy groups like Anonymous and LulzSec. They also update this site when companies are mandated to disclose breaches.

    This site collects details from the press and from mandatory disclosures of breaches. Individual records are not maintained on this site, only aggregate details of the breach.
    http://www.datalossdb.org/

    What is the risk to you?
    If the credit card details remain encrypted, the main risk to you is a "spear phishing" attack. A spear phishing attack is spam that contains accurate personal detail about you and convinces you to click on the link or open the attachment in the email. The link or attachment contains the malware that infects your PC and attempts to harvest your banking login details.

    If you want to practice your ability to detect spam and spear phishing attacks, try these 10 examples:
    http://www.sonicwall.com/furl/phishing/

    Is your personal computer hacked?
    There are 3 simple steps that are most effective in protecting your PC:
    1. Anti-virus
    Run anti-virus. Any AV program is better than none. Avast is a very popular free AV program. Microsoft now offers free AV. The commercial ones offer more protection like data encryption, firewalls, and safe surfing. I use a free AV on my PC and commercial products on my family PCs.

    Is your AV working?
    Malware will attempt to turn off your AV. EICAR is a harmless 68 byte text file that is contained in the virus signature database of all AV products. So if you can load EICAR onto your PC then your AV is disabled. Scroll to the bottom of this page and click on the link eicar.com.
    http://www.eicar.org/85-0-Download.html

    2. Keep your system updated
    If you are running a Windows O/S turn on Security Updates. LINUX and Apple have similar update programs. BE SURE to keep your Java and Adobe products updated! Adobe (PDF, Flash, Shockwave) have been the most popular attack vectors the last 3 years.

    3. Be careful with links and attachments
    As mentioned above under "What is the risk to you?"

    Some final tips
    Change your password on any account with a password similar to your steam password
    Advice for picking a strong password is described in the Microsoft site below. Many folks use a Password vault, I have never bothered with that.

    Look for small Credit card transactions, especially from iTunes
    Bad guys first perform a small dollar transaction to validate the accuracy of stolen credit card lists. iTunes is the first transaction in 60% of stolen CC details. REPORT any suspicious small dollar transactions to your bank!

    Wait a week before clicking on a suspicious link
    Some email you think is spam may be legitimate, but just wait a week before clicking on the link. The industry is much better at taking down malicious sites. As a security researcher I often intentionally click on links to malware sites, but after a few days the malware sites are dead.

    Use a safe surfing plugin
    The commercial AV tools include safe surfing plug-ins that warn you when Google or Bing return suspicious sites in the results. If you don't have a commercial AV, use the free McAfee safe surfing plug-in. You can enter the result in the box on the right side of this page, or download the plug-in for your browser. Then do a search on "free screensavers" to see what the results look like.
    http://www.siteadvisor.com/

    Read about personal PC security
    This is a good site with general advice, including how to select a strong password.
    http://www.microsoft.com/security

    Move to Europe
    Ok, sorry this is not really practical. But Europe has "right of removal" privacy law, under which you can demand that your details are removed from a corporate database that you no longer do business with. Privacy laws in the US are weak, but getting better. Australia and New Zealand are sort of half-way.

    - WimpyTheWarrior, CISSP
     
  17. binhthuy71

    binhthuy71 Chieftain

    Joined:
    Nov 3, 2003
    Messages:
    1,887
    Location:
    Southern California foothills
    WimpyTheWarrior, good suggestions! The one thing that I would emphasize for those who don't want to delve too deeply into PC security is Use a unique password on each online account. Hackers get a lot of access from the fact that many users create a password and then they re-use it just because it's easier to remember one password than it is to remember many of them. A lot of sites automatically default to your email addy for your user name so if a hacker captures your email and your one-and-only password you're toast.
     
  18. Genocidicbunny

    Genocidicbunny Bug squasher

    Joined:
    Feb 5, 2005
    Messages:
    5,473
    Location:
    Orange Town
    This has been shown to be fake.
     
  19. The_J

    The_J Say No 2 Net Validations Retired Moderator Supporter

    Joined:
    Oct 22, 2008
    Messages:
    31,018
    Location:
    Germany / Netherlands
    While I definitely trust you that it's a fake (those giveaways are far too valuable), I'd like to have a link.

    You know, this is very sad.

    Yes, these are the consequences of the current system. Sad.
     
  20. Peets

    Peets Chieftain Hall of Fame Staff

    Joined:
    Jul 23, 2008
    Messages:
    1,056
    Location:
    Belgium
    I love Settlers II too, great game! I even bought the 10th anniversary just because it is good. But as Maniacal said, there are still good games. Hopefully you'll find one or something else to get some fun :)
     
