November 10th, 2011, 21:07
Posts: 9,706
Threads: 69
Joined: Dec 2010
Hey guys,
I just read at civfanatics that Steam was hacked.
I'm a Steam user and I think my credit card information was saved in the program. I already changed my account password, but I'd like to ask if there's something else I can do regarding security.
Thanks in advance!
November 10th, 2011, 21:18
Posts: 4,443
Threads: 45
Joined: Nov 2009
If you had an unused Dota2 Key, it's probably gone. As for credit card/user account/password, they took the encrypted database but the security on it is pretty good so it's not likely anything will happen.
In Soviet Russia, Civilization Micros You!
"Right, as the world goes, is only in question between equals in power, while the strong do what they can and the weak suffer what they must."
“I have never understood why it is "greed" to want to keep the money you have earned but not greed to want to take somebody else's money.”
November 10th, 2011, 21:29
Posts: 9,706
Threads: 69
Joined: Dec 2010
It's frustrating how I had to change my passwords a good amount of times in this last year due to hackers. First, the PS network (luckily, since I live in Brazil, PS network doesn't work, so no credit card info there), now Steam. There were also two other web forums...
Annoying...
November 10th, 2011, 21:30
Posts: 2,521
Threads: 26
Joined: Oct 2010
You can call your credit card company and tell them that your details could potentially be compromised. This should make them monitor the activity on your account much more carefully for a while and catch any suspicious stuff early. Encryption is all good, but even if those hackers don't have the infrastructure to crack it themselves, they can sell it to someone that has.
November 11th, 2011, 03:53
Posts: 1,922
Threads: 68
Joined: Mar 2004
Hi,
antisocialmunky Wrote:As for credit card/user account/password, they took the encrypted database but the security on it is pretty good
Do you have any details about why you think the encryption is "pretty good"? (No offense meant, I'm just curious and a quick Google search only came up with the info that the credentials were salted and hashed which is good, but nothing about the encryption of the credit card details.)
It would also be interesting to know why Valve only encrypts credit card information and credentials, and not the other personal information...
@Ichabod, consider changing your password for other sites where you have used the same password as for the Steam site.
-Kylearan
There are two kinds of fools. One says, "This is old, and therefore good." And one says, "This is new, and therefore better." - John Brunner, The Shockwave Rider
November 11th, 2011, 04:04
Posts: 2,521
Threads: 26
Joined: Oct 2010
Kylearan Wrote:It would also be interesting to know why Valve only encrypts credit card information and credentials, and not the other personal information...
Salted hash is a default method of storing credentials on all PHP-based forum software I'm aware of. So it's not like they did it on purpose, it was probably already there when they set up the forums. Everything else on the other hand was stored in plain text probably because a) it's somewhat resource expensive to pull the information back from a salted hash, and b) they couldn't be bothered (see Sony casus). Passwords/credentials only have to be matched, which is cheap, you salt-hash and match the result to whatever is in the database already. Everything else has to be actually pulled back from the database and fed to the user interface.
November 11th, 2011, 04:50
Posts: 1,922
Threads: 68
Joined: Mar 2004
Mist Wrote:Everything else on the other hand was stored in plain text probably because a) it's somewhat resource expensive to pull the information back from a salted hash, and b) they couldn't be bothered (see Sony casus). Passwords/credentials only have to be matched, which is cheap, you salt-hash and match the result to whatever is in the database already. Everything else has to be actually pulled back from the database and fed to the user interface.
I expect companies that store my personal information to protect it properly. Compared to other services they offer, dealing with encrypted data isn't too hard resource-wise, and things like email and billing addresses aren't needed that often in a forum.
I give them credit for protecting the data better than some other sites that got hacked (which stored passwords in plain text, or using md5 with no salt...). But since they have more personal information than most sites from their users (credit card, addresses, ...), we should hold them to higher standards.
There are two kinds of fools. One says, "This is old, and therefore good." And one says, "This is new, and therefore better." - John Brunner, The Shockwave Rider
November 11th, 2011, 05:17
Posts: 1,780
Threads: 16
Joined: Jan 2006
The story I saw (on thesixthaxis, via my husband's pc so I have no link handy) said that they knew that the Steam Forums were hacked, and that there was potential access to the rest of the Steam user data (forum accounts are separate to Steam accounts). I haven't gone & verified the info by looking for other stories or looking for a Steam official one, coz to be honest it's better to be paranoid so I'd be doing the same whatever. I've changed my password & will be stepping back up my paranoid checking of my credit card account to where it was after the PSN database got nicked.
I mention that mostly coz I believe they're forcing password changes on forum accounts (I don't have one so don't know first hand) but not on Steam accounts - and that would make sense for what the T6A story said was compromised.
You should be able to check if Steam has your credit card details by opening up the main Steam window (on store/library/community, whatever you want) then at the top right there's a link that says "Name's account" (obviously with your account name in it). And on the right hand side of the page it shows you your balance in your Steam wallet. And when I looked first thing this morning (about 3 hours ago) it told me the last 4 digits of my stored credit card. It doesn't any more tho (I double-checked how to find it while writing this post), and I haven't changed anything so I'm not sure what that's about.
November 11th, 2011, 11:01
Posts: 6,486
Threads: 63
Joined: Sep 2006
@Kylearan - What does salted + hashed mean?
November 11th, 2011, 11:28
Posts: 12,510
Threads: 61
Joined: Oct 2010
sunrise089 Wrote:@Kylearan - What does salted + hashed mean?
Here's one explanation
If you'd rather have mine - they're two levels of security. A hash is a function that's chosen to be easy to calculate forwards and hard to go backwards. It's used by never actually storing a password; instead, every time a site would use a password, they compute the hash of it and use that instead. This is why sites can usually reset your password but can't usually just tell you what your old password was.
However, now that computing power is cheap, people found a way around hashing - they build a dictionary of hashes for all common passwords, and compare the hashes they steal to that dictionary to get the passwords. Salting is adding one more step - after you take the password from the user, you add some more data (the 'salt'), unique to the user, and hash the combination of them. This means that that dictionary for cracking has to be recreated for each user instead of for each site, and has to be a lot bigger.
Edit: Another explanation, with numbers and examples: Here
EitB 25 - Perpentach
Occasional mapmaker
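The salt-and-hash storage and the cheap "re-hash and match" login check described in the posts above, as an added example that is not part of the original thread and not Valve's code. The word list, user names and passwords are constructed, and SHA-256 is an assumption chosen to keep the demo short.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "common passwords" list and three users.
WORDLIST = ["123456", "password", "qwerty", "letmein"]
USERS = {"alice": "qwerty", "bob": "qwerty", "carol": "T7#long-unique-phrase"}

def digest(data):
    # SHA-256 keeps the demo short; real password storage should use a
    # deliberately slow function (bcrypt, scrypt, PBKDF2, Argon2).
    return hashlib.sha256(data).hexdigest()

def store_unsalted(password):
    return digest(password.encode())

def store_salted(password):
    salt = os.urandom(16)  # unique per user, stored beside the hash
    return salt, digest(salt + password.encode())

def verify(password, salt, stored):
    # Login check: re-hash with the stored salt, compare in constant time.
    return hmac.compare_digest(digest(salt + password.encode()), stored)

def table_hits(stored_hashes):
    # One precomputed table, built once, is checked against every row.
    table = {digest(w.encode()): w for w in WORDLIST}
    return {u: table[h] for u, h in stored_hashes.items() if h in table}

def salted_guess_cost(rows):
    # With salts the shared table is useless: each guess is re-hashed per user.
    found, hashes_computed = {}, 0
    for user, (salt, stored) in rows.items():
        for word in WORDLIST:
            hashes_computed += 1
            if digest(salt + word.encode()) == stored:
                found[user] = word
                break
    return found, hashes_computed

unsalted_db = {u: store_unsalted(p) for u, p in USERS.items()}
salted_db = {u: store_salted(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("same unsalted hash:", unsalted_db["alice"] == unsalted_db["bob"])
    print("same salted hash:  ", salted_db["alice"][1] == salted_db["bob"][1])
    print("table vs unsalted:", table_hits(unsalted_db))
    print("table vs salted:  ", table_hits({u: h for u, (_, h) in salted_db.items()}))
    print("per-user guessing:", salted_guess_cost(salted_db))
```

The salt removes the shared lookup table and hides that two users chose the same password, but a password that is on the list is still found by per-user guessing, which is why the changed-password advice in the thread still applies.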