Let me clear up a few things before it gets more out of hand. Genocidicbunny has already done a good job of giving accurate info too (except not realising the hack was not just of the forum but also of a Steam database that had more juicy info).
For starters, there is no indication yet whether any information on any users was actually taken. We don't know how long the hacker/s had access or what their intentions were. I have said in another thread that because the hacker/s chose to advertise their presence by posting an advertisement for a cheats website on the forum, stealing personal information was probably not their primary goal, if a goal at all. If it were, they would have tried to stay undetected for as long as possible and not done something as stupid as they did.
Secondly, an encrypted CC number is pretty much useless in the hands of a thief.
Having access to a number that looks like this:
~7f+}2pG$W{5367B43D_hE6,HS'11*
is a lot different to having access to your unaltered CC number.
Same goes with the password. Hashing/salting is a bit different to encryption but the end result is much the same - useless in the hands of someone who doesn't know the original.
And to those thinking these could be "cracked" computationally, e.g. by brute force, be aware that the most common modern encryption technologies would require an obscene amount of resources to break: for instance, every computer on Earth working for longer than the current age of the universe (AES256 is like that).
******************
That email is almost certainly fake.
For Gabe to casually tell someone by email that they'll be releasing two major games for free, with nothing official said about it and no other public source confirming it, it would be absurd to assume it were true.
******************
Because the email is fake, and because I don't think there's any proof of the encryption type used by other sources, I don't think we actually know if the encryption they use is AES256. If it is, well that's good news - the encryption would be pretty much physically impossible to break even after the advent of scalable quantum computers.
The thing is, for the sake of security Valve will probably never tell us what they use for their encryption.
******************
Generally speaking about the incident, it is not cause for panic. While it'd be a good idea for users to change their passwords, it's still probably unnecessary. More importantly, if any user is foolish enough to use in their password something that is potentially publicly accessible (e.g. part of their account name), then they should change their password right away anyway.
By far the most important passwords to have strong are your email password and banking passwords.
What a silly argument. Heck, since I'm vulnerable somewhere anyway, I might as well just put my credit card number and password information right here in this post.
That would be a very silly thing to do. Valve so far have only said that hacker/s obtained access to a database that contained encrypted CC info, hashed and salted passwords and the other info attached to each user like email address, billing address etc.
******************
Like free copies of DOTA 2 and Portal 2? Could be, according to Gabe:
While I definitely trust you that it's a fake (that giveaways are far too valuable), I'd like to have a link.
What do you want a link to? You can't really link to a proof an email is fake. Rather the absence of proof the email is genuine should be more than enough to convince anyone.
******************
The far more important thing from that pic SuperJay posted is that financial information is encrypted with AES256 in the Steam databases. That means the chances of that data becoming accessible are very low (if it happens, it would be due to other errors, breaking the 256-bit AES encryption is not feasible).
While the probability of Steam accounts and especially financial data being compromised remains very low, changing your Steam password is a good idea because it takes just a minute to do. And it's equally important to realize that uninstalling Civ5, Steam or removing your account does nothing whatsoever to improve your security.
******************