Steam hacked - All Steam users are advised to change their Steam passwords (Nov. 2011)

Let me clear up a few things before it gets more out of hand. Genocidicbunny has already done a good job of giving accurate info too (except not realising the hack was not just of the forum but also of a Steam database that had more juicy info).



What a silly argument. Heck, since I'm vulnerable somewhere anyway, I might as well just put my credit card number and password information right here in this post.
That would be a very silly thing to do. Valve so far have only said that hacker/s obtained access to a database that contained encrypted CC info, hashed and salted passwords and the other info attached to each user like email address, billing address etc.
For starters, there is no indication yet whether any information on any users was actually taken. We don't know how long the hacker/s had access or what their intentions were. I have said in another thread that because the hacker/s chose to advertise their presence by posting an advertisement for a cheats website on the forum then stealing personal information was probably not their primary goal if a goal at all. If it were, they would have tried to stay undetected for as long as possible and not done something as stupid as they did.

Secondly, encrypted CC number means it's pretty much useless in the hands of a thief.

Having access to a number that looks like this:
~7f+}2pG$W{5367B43D_hE6,HS'11*
is a lot different to having access to your unaltered CC number.

Same goes with the password. Hashing/salting is a bit different to encryption but the end result is much the same - useless in the hands of someone who doesn't know the original.

And to those thinking these could be "cracked" computationally, e.g. by brute force, be aware that the most common modern encryption technologies would require an obscene amount of resources to break. For instance, every computer on Earth working for longer than the current age of the universe (AES256 is like that).
******************

Like free copies of DOTA 2 and Portal 2? Could be, according to Gabe:

That email is almost certainly fake.

While I definitely trust you that it's a fake (that giveaways are far too valuable), I'd like to have a link.
What do you want a link to? You can't really link to a proof an email is fake. Rather the absence of proof the email is genuine should be more than enough to convince anyone.

For Gabe to casually tell someone by email they'll be releasing for free two major games even though there's nothing official said about it or any other public source confirming it, it would be absurd to assume it were true.
******************
The far more important thing from that pic SuperJay posted is that financial information is encrypted with AES256 in the Steam databases. That means the chances of that data becoming accessible are very low (if it happens, it would be due to other errors, breaking the 256-bit AES encryption is not feasible).

While the probability of Steam accounts and especially financial data being compromised remains very low, changing your Steam password is a good idea because it takes just a minute to do. And it's equally important to realize that uninstalling Civ5, Steam or removing your account does nothing whatsoever to improve your security.

Because the email is fake, and because I don't think there's any proof of the encryption type used by other sources, I don't think we actually know if the encryption they use is AES256. If it is, well that's good news - the encryption would be pretty much physically impossible to break even after the advent of scalable quantum computers.
The thing is, for the sake of security Valve will probably never tell us what they use for their encryption.


******************

Generally speaking about the incident, it is not cause for panic. While it'd be a good idea for users to change their passwords it's still probably unnecessary. More importantly, if any user is foolish enough to use in their password something that is potentially publicly accessible (e.g. part of their account name) then they should change their passwords right away anyway.

By far the most important passwords to have strong are your email password and banking passwords.
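
Added example, not part of the original post and not Valve's code: salted password hashing as the post describes it, showing that per-user salts make identical passwords hash differently, and that the salt does nothing for a password built from the public account name. PBKDF2-HMAC-SHA256, the iteration count, the account name `CivFan`, the sample passwords and the guess rules are assumptions made for illustration; the page does not say what scheme Valve uses.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for whatever scheme a site uses.
ITERATIONS = 20_000  # kept low only so the example runs quickly


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def public_candidates(account_name):
    """Guesses buildable from the public account name (constructed rules)."""
    base = account_name.lower()
    stems = {base, base.capitalize(), base[::-1]}
    suffixes = ["", "1", "123", "2011", "!"]
    return sorted(stem + suffix for stem in stems for suffix in suffixes)


def guessable_from_account_name(salt, digest, account_name):
    """Audit: does the stored hash match any account-name-derived guess?"""
    return any(verify_password(c, salt, digest) for c in public_candidates(account_name))


def contains_account_name(password, account_name, min_len=4):
    """Policy check at password-change time: reject passwords embedding the name."""
    name, pw = account_name.lower(), password.lower()
    if len(name) < min_len:
        return bool(name) and name in pw
    return any(name[i:i + min_len] in pw for i in range(len(name) - min_len + 1))


if __name__ == "__main__":
    # Constructed sample data, not taken from any real account.
    s1, d1 = hash_password("correct horse")
    s2, d2 = hash_password("correct horse")
    print("same password, same digest?", d1 == d2)
    weak = hash_password("civfan2011")
    strong = hash_password("T7#qv-Lr9!mZ")
    print("weak guessable:", guessable_from_account_name(*weak, "CivFan"))
    print("strong guessable:", guessable_from_account_name(*strong, "CivFan"))
    print("policy rejects 'MyCivFan99':", contains_account_name("MyCivFan99", "CivFan"))
```
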
 
Steam turn the best Single Player game into a <snip>-hole!

And they will continue to do this as long as people keep buying the DLC's...

Moderator Action: please refrain from using foul language. If you find you have triggered the autocensor, please rephrase, do not try to circumvent it.

ori

Please read the forum rules: http://forums.civfanatics.com/showthread.php?t=422889
 
Steam turn the best Single Player game into a <snip>-hole!

And they will continue to do this as long as people keep buying the DLC's...

Except that all of the DLC for Valve's own games is free, and the DLC being sold on Steam is for other companies' games which Valve has nothing to do with (besides offering it for sale on Steam along with those games).

Also no idea what your first sentence is referring to.
 
It is plain stupid that if I buy my game at my local store I'm forced to start steam every time I want to play the game.

Nowadays most games require steam interference.

This steam dictatorship is astonishing.

Those who defend steam clearly don't know what freedom and rights mean and enjoy being treated as sheep.

Moderator Action: Telling people they enjoy being treated like sheep isn't exactly conducive to civil discussion.
Please read the forum rules: http://forums.civfanatics.com/showthread.php?t=422889
 
Sadato: You are free to buy or not to buy it. So your freedom or your rights haven't been harmed in any way. Those who sell the game have the right and the freedom to sell it how they want.
So do you value your rights and freedom higher than theirs?
 
Imagine for a moment that Steam bankrupts and shuts down all the servers.

What have you paid for?

There's no place for a "take it or leave it" argument because the issue is not about the product but about the way it is served to us.

Most democratic countries have laws regarding what can be sold and how it can be sold. There is something called "consumer rights" regarding monopolies and the way you are treated and served as a consumer.

If we get to a point where if you want to play a PC game you must use steam and only steam, it is a monopoly and those are forbidden by international laws.

Right now I don't have an alternative to steam to play Civ V and many other titles and I don't think it is good or safe for us as customers.

Steam is an imposition, there are no "good" impositions.

Imagine that to watch a movie at all the cinemas in the US you were forced to pray for Allah as a condition to enter. Hey! No one forces you! Take it or leave it!
 
Because the email is fake, and because I don't think there's any proof of the encryption type used by other sources, I don't think we actually know if the encryption they use is AES256. If it is, well that's good news - the encryption would be pretty much physically impossible to break even after the advent of scalable quantum computers.
The thing is, for the sake of security Valve will probably never tell us what they use for their encryption.

Yep, the email was fake, so statements about AES256 have to be retracted. You're wrong, though, in stating that Valve should want to keep the encryption scheme secret "for the sake of security". If the system relies on the particular encryption scheme being unknown, it's already borked. Kerckhoffs's principle is one of the very basics of cryptography.
 
Imagine for a moment that Steam bankrupts and shuts down all the servers.

What have you paid for?

There's no place for a "take it or leave it" argument because the issue is not about the product but about the way it is served to us.

Most democratic countries have laws regarding what can be sold and how it can be sold. There is something called "consumer rights" regarding monopolies and the way you are treated and served as a consumer.

If we get to a point where if you want to play a PC game you must use steam and only steam, it is a monopoly and those are forbidden by international laws.

Right now I don't have an alternative to steam to play Civ V and many other titles and I don't think it is good or safe for us as customers.

Steam is an imposition, there are no "good" impositions.

Imagine that to watch a movie at all the cinemas in the US you were forced to pray for Allah as a condition to enter. Hey! No one forces you! Take it or leave it!

What if you pre-order a game and the company goes bankrupt?
You will lose less but it's the same :)

For some games you have to install some other software to play it, for example Java. I don't see that big of a fuss about it.

What about games that only come out on PlayStation?
If I want to play Gran Turismo (probably misspelled) I have to buy a PlayStation. What if I don't want to buy a PlayStation? Should they bring out the game to PC too?

There are some restaurants that have "clothes restriction". It doesn't sound as drastic as what you stated for your cinema but it is the same.
 
If Java bankrupts, java plugins keep running.
That preorder example is quite poor and bizarre, I don't remember any company closing during the preorder and not returning the money.

There are countless companies that closed or that changed its policies or started giving free services and later asked for money.

Imagine that in a couple years Steam demands a payment of 10$ per month to be able to play your games. Take it or leave it?

Steam model means: all eggs in one basket.

We're not talking about Civ V, if we follow this progression in a few months/years ALL games will work only with steam so there is no real alternative or option as customers.
 
Imagine for a moment that Steam bankrupts and shuts down all the servers.

Steam has 35 million active user accounts and 1400 games so it's unlikely that they'll be going BK anytime soon. If they did though, Firaxis/2K would simply issue a patch that obviated the need for Steam and make it available for download.
 
Yes, Java keeps running, but what if I don't want it but I need it to play that game?
You may think that is a crazy argument because everyone accepts it and everyone finds it normal that it is there.

A company closing or going bankrupt is a difference.
When a company goes bankrupt you can forget about your pre-order money.

If steam asks for money in the future, you may count me in for complaining the hell out of them.
But what if Java suddenly starts to ask for money?

Steam is starting to get competition, origin... I expect in the future even more companies trying to do the same thing as steam and origin. Who knows what the future brings.
 
...There are some restaurants that have "clothes restriction". It doesn't sound as drastic as what you stated for your cinema but it is the same.

That and the other "reasons" you used to excuse exploitive behavior by the wannabe monopolists at steam are just "selling points" adapted to "debate" form. They are not even valid arguments in the roles you intended for them. For example, the restaurant one above. To relate it accurately to having Civ5 restricted to steam, you would have to stipulate that ALL restaurants have the same dress code and you can't dine out if you don't accommodate yourself to it. That wouldn't exactly help your argument or encourage people to use steam, now would it. :lol: You don't really have any positive examples to justify customers being exploited by steam, so you use bogus ones, like those above. Little debate tricks used to sell your POV, rather than valid arguments and facts to support that POV. It's a waste of time, like advertising, which informs nobody and is only intended to get people doing, or buying, things they don't really need nor want.

People just want a choice on whether to use steam or not, that's it.

But you people promoting steam are arguing against them having that choice and try to argue that lack of choice is "good" or "the American way" or some other such sloganeering garbage. Now why is that? Why are you so set against people being able to play a game without steam interfering? It's kinda obvious, isn't it.

I've stated before, the main reason I never developed any desire to even try steam is all the offensive fan spamming trying to force people into accepting this monopoly on their gaming. This kind of hard sell tactic is only used by those up to no good.

Unsubscribes thread.
 
That and the other "reasons" you used to excuse exploitive behavior by the wannabe monopolists at steam are just "selling points" adapted to "debate" form. They are not even valid arguments in the roles you intended for them. For example, the restaurant one above. To relate it accurately to having Civ5 restricted to steam, you would have to stipulate that ALL restaurants have the same dress code and you can't dine out if you don't accommodate yourself to it. That wouldn't exactly help your argument or encourage people to use steam, now would it. :lol: You don't really have any positive examples to justify customers being exploited by steam, so you use bogus ones, like those above. Little debate tricks used to sell your POV, rather than valid arguments and facts to support that POV. It's a waste of time, like advertising, which informs nobody and is only intended to get people doing, or buying, things they don't really need nor want.

People just want a choice on whether to use steam or not, that's it.

But you people promoting steam are arguing against them having that choice and try to argue that lack of choice is "good" or "the American way" or some other such sloganeering garbage. Now why is that? Why are you so set against people being able to play a game without steam interfering? It's kinda obvious, isn't it.

I've stated before, the main reason I never developed any desire to even try steam is all the offensive fan spamming trying to force people into accepting this monopoly on their gaming. This kind of hard sell tactic is only used by those up to no good.

Unsubscribes thread.

I am far from saying that steam is good and everyone has to use it.
Nor do I enjoy "The American way"

I am simply arguing that some people don't have any good reason why steam is bad.
The reasons they give can be used for many other things that nobody makes a fuss about. This I find frustrating.

People can make the choice if they want to use steam or not.
But if you want to play Civ 5 you have to get steam.
If you want to play another game you will probably have to take something else, whether you like it or not. That's how the market works.
I'm just countering the arguments that are used to make steam evil, that's all.

I can easily make your argument turn around, why is everyone creating this propaganda that steam is evil with no valid argument? I haven't seen one good argument.

Steam is exploiting their customers?
Every company is exploiting their customer. Otherwise they'll go out of business.
All those commercials... Most of them are not even true as you stated. Do I have a choice if I want to see them or not? No. Is it there? Yes. But all this fuss started with that steam is breaking freedom and your rights... Which they do not.

If steam is a monopoly then so is Xbox, Playstation, ...

There are games that can be played with or without steam, that is not the choice of Steam so who do you have to blame?
 
I need a PS3 to play Heavy Rain? This Sony monopoly is unacceptable. I need to wear a shirt and shoes to eat at a particular restaurant? Clearly, these money-grubbing food and cloth producers are in cahoots (in this metaphor, restaurants without such a policy are non-Steamworks games, my friend). I want to visit my friend two towns over, but he says I can't come over unless I promise not to punch him in the face again. How dare he monopolize his own private property like that?

I need a government-issued license to drive a car, or own a gun, or sell medicine? This is clearly illegal exploitation of my basic liberties!

Imagine for a moment that Steam bankrupts and shuts down all the servers.

What have you paid for?

For what it's worth, they've said that if that ever happens, they will release a patch that unlocks all Steam games and lets you play them without Steam.
 
Is there a steamless C5 for sale yet?

Yes. On the Mac App Store.

It's unfortunate that this event happened to Steam, because its primary effect has been to get everyone with any ill feelings about Steam to recount them repeatedly. But the fact of the matter is, my personal details, encrypted password & CC #, and so forth are exactly as safe at Steam as they are at Amazon, Apple, Barnes & Noble, and any other place where I happen to have an account with a convenient ordering system. A motivated, determined, skilled hacker will find his way into any of them.
 
I love that I'm finding this out from a Civ fansite and not from Valve itself - you know, when I log into Steam, like right now, immediately.

Christ, Valve. Get your head out of your ass for once.

They're too busy telling you about the wonderful games you could buy!

Thanks CivFanatics :goodjob:
 
I've been leery of getting CIV thru Steam. Now I'm glad I didn't! Long live Civ4 BtS!!
 
Well it's been hacked and countless people may have been put at risk. I hate the way the computer industry has gone, all to secure MONEY. I constantly feel like I am at risk online. I do less and less business online because of things like this, which seem to be so common and happening more frequently.

Just sell your crap at stores! :sad:
The problem is that unless you go cash only, unencrypted bank account numbers and routing numbers (with your name and address if you present a check) and unencrypted card numbers are going to be floating around wherever you transact business.

The thing that the internet adds is a route into the online "vault" (where before you would have had to break into someone's physical files), but do you have a guarantee that doing business offline doesn't mean that your info is still put into a corporate database that can be hacked online?

The sad truth is not if we will be compromised, but when in this information age. So you just have to have all precautions up.

They did.

Well, just seeing all this today, a vigorous search for the notice on steam fails to find it. I think it needs to be more obvious than that.

I was logged into Steam as I wrote that - and no notification. Not on the forums, on Steam itself. Nothing. Pretty lame, Valve. I'm finding out about your security breaches through CFC, RPS, etc - that's not how your customers should be alerted to your compromised database.

Granted, it's nowhere near as bad as Sony, but this is not something one should have to go looking for. Steam's great at throwing all kinds of other popups at you for no apparent reason; this is the one situation where a big notification should immediately appear right up front as soon as the Steam app was launched.
Well said

I changed my Steam password, and I noticed another feature of Steam Guard: It allowed me to deauthorize all other computers (other than the current login). Seems this might be a two-edged sword:

1. The good: Since I got in, if anyone had authorized another computer with the old password (which I suppose would mean they would also be in my email), that is now de-authorized and would need the new password to re-authorize.

2. The bad: If someone got in and added computers, since that would mean they are in my email, then they could have de-authorized all computers but theirs, and also changed the password. So this protection to be used by the user, if hacked, could be used to lock out the user?

dV
 
2. The bad: If someone got in and added computers, since that would mean they are in my email, then they could have de-authorized all computers but theirs, and also changed the password. So this protection to be used by the user, if hacked, could be used to lock out the user?

dV

In that unlikely event, going through Steam's support for account recovery would work just fine. However, the customer would need to have some form of proof of ownership of the account. Usually a physical CD key from a retail game that was used on Steam or some transaction details are enough to prove ownership. So if your account is stolen, it's never lost forever unless you have nothing left to prove it's yours.

Funnily enough, I think the last 4 digits of the credit card number you used (if you used one!) is one of the things they ask for to help prove your identity.

Also, yes the utility of Steam Guard depends entirely on the strength of security of the email account. It's designed to reduce effectiveness of phishing sites that pretend to be Steam, where they ask directly for your steam account name and password. Now for such phishing attempts to be fruitful they either would need to ask you for your email address and password at the same time (heh, it has been tried!) or obtain access to your email through some other means. In other words it's a big step forward in reducing steam account theft but it's not completely fool-proof.
 
Yep, the email was fake, so statements about AES256 have to be retracted. You're wrong, though, in stating that Valve should want to keep the encryption scheme secret "for the sake of security". If the system relies on the particular encryption scheme being unknown, it's already borked. Kerckhoffs's principle is one of the very basics of cryptography.

We'll have to agree to disagree. Valve employees posting on their forums are refusing to offer any comment in response to questions of the nature: "What type of encryption was used or how secure was it."

People are looking for peace of mind on this matter but not receiving it. Maybe they'll inform us later on. Who knows...
 