Have you been hacked at Steam?
Yes. The Steam notification identified the personal detail and encrypted detail that was taken. The bad guys have (and will sell) your personal detail, identified by Steam as name, email address, and billing address. The encrypted data is your credit card details and your password.
As a high volume credit card processing merchant, Steam is subject to the Payment Card Industry - Data Security Standard (PCI-DSS). PCI-DSS mandates a strong encryption scheme, and Steam would have been regularly audited for their compliance under PCI-DSS. If they fail their PCI-DSS audits they are not allowed to accept CC transactions. So it's not impossible, but unlikely that your credit card details will be decrypted.
One thing you can do to protect yourself from this is to NOT store your details on their server. On the Steam payment screen, leave blank the tickbox that says "Save my payment information so checkout is easy next time". I NEVER leave payment details on a merchant site if given the option. When you leave that box blank, your details are ONLY used for the current transaction, and not stored. Would you leave your credit card with a store "so payment is easy next time"? Didn't think so.....
Have you been hacked at other sites?
Here is a a good site to see if your email account has been harvested in the growing number of hacks:
https://shouldichangemypassword.com/
This site is maintained by good guys that collect the details posted by bad guy groups like Anonymous and LolzSec. They also update this site when companies are mandated to disclose breaches.
This site collects details from the press and from mandatory disclosures of breaches. Individual records are not maintained on this site, only aggregate details of the breach.
http://www.datalossdb.org/
What is the risk to you?
If the credit card details remain encrypted, the main risk to you is a "spear phishing" attack. A spear phishing attack is spam that contains accurate personal detail about you and convinces you to click on the link or open the attachment in the email. The link or attachment contains the malware that infects your PC and attempts to harvest your banking login details.
If you want to practice your ability to detect spam and spearfishing attacks, try these 10 examples:
http://www.sonicwall.com/furl/phishing/
Is your personal computer hacked?
There are 3 simple steps that are most effective in protecting your PC:
1. Anti-virus
Run anti-virus. Any AV program is better than none. Avast is a very popular free AV program. Microsoft now offers free AV. The commercial ones offer more protection like data encryption, firewalls, and safe surfing. I use a free AV on my PC and commercial products on my family PCs.
Is your AV working?
malware will attempt to turn off your AV. EICAR is a harmless 68 byte text file that is contained in the virus signature database of all AV products. So if you can load EICAR onto your PC then your AV is disabled. Scroll to the bottom of this page and click on the link eicar.com.
http://www.eicar.org/85-0-Download.html
2. Keep your system updated
If you are running a Windows O/S turn on Security Updates. LINUX and Apple have similar update programs. BE SURE to keep your Java and Adobe products updated! Adobe (PDF, Flash, Shockwave) have been the most popular attack vectors the last 3 years.
3. be careful with links and attachments
As mentioned above under "What is the risk to you?"
Some final tips
Change your password on any account with a password similar to your steam password
Advice for picking a strong password are described in the Microsoft site below. Many folks use a Password vault, I have never bothered with that.
Look for small Credit card transactions, especially from iTunes
Bad guys first perform a small dollar transaction to validate the accuracy of stolen credit card lists. iTunes is the first transaction in 60% of stolen CC details. REPORT any suspicious small dollar transactions to your bank!
Wait a week before clicking on a suspicious link
Some email you think is spam may be legitimate, but just wait a week before clicking on the link. The industry is much better at taking down malicious sites. As a security researcher I often intentionally click on links to malware sites, but after a few days the malware sites are dead.
Use a safe surfing plugin
The commercial AV tools include safe surfing plug-ins that warn you when Google or Bing return suspicious sites in the results. If you don't have a commercial AV, use the free McAfee safe surfing plug-in. You can enter the result in the box on the right side of this page, or download the plug-in for your browser. Then do a search on "free screensavers" to see what the results look like.
http://www.siteadvisor.com/
Read about personal PC security
This is a good site with general advice,including how to select a strong password.
http://www.microsoft.com/security
Move to Europe
Ok, sorry this is not really practical. But Europe has "right of removal" privacy law, under which you can demand that your details are removed from a corporate database that you no longer do business with. Privacy laws in the US are weak, but getting better. Australia and New Zealand are sort of half-way.
- WimpyTheWarrior, CISSP
