Topic: Steam hacked; forums down; credit card info my be compromised

[MysterD]

Kotaku -> Steam hacked; forums are still down; credit card info my be compromised.
So, yeah - all you guys might wanna keep a close watch on your credit card, change your Steam passwords [forums and service]; and watch your Steam accounts for a good while.

[idolminds]

And in case you don't trust Kotaku, Shacknews has it.

[Cools!]

Damn!

[Xessive]

Holy crap! I just found out through a Steam notification!

According to Gabe's letter it was not "Steam" that was hacked, per se, just the Steam forums*. They will be forcing all forum users to change their passwords but Steam itself will remain intact.

EDIT:
I just found Gabe's notice and it was the Steam forums as well as a Steam database.

I'd better keep an eye on my credit card activity.

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

[K-man]

Son of a bitch!

[beo]

god damn it. my xbox live account got hacked and had £170 charged to it this month - not this as well!

[scottws]

Resetting Steam-related passwords now.  I'm already well-prepared for stuff like this since the Gawker incident.  Literally every account I have has a different password.  Of course the only way I can keep track of them is KeePass Password Safe, so hopefully no one ever finds and cracks that.

I just checked and the credit card attached to my Steam account is an old one that isn't active any more.  No biggie.

[idolminds]

Like scott Im all set up with Keepass now thanks to Gawker. Still, changed password.

One thing weird is...anyone get an email about this yet? Some people have claimed to but I havent. I also rarely/never visit the Steam forums or load the client. If it weren't for reddit and gaming news sites I never would have known about this.

Also fun watching people defend Valve. Right, its not as bad as Sony or Gawker. But come on, their forums get compromised and that lead them in to where your Steam account info/CC numbers are held? Why are those linked at all? You need separate accounts for the forum anyway!

[gpw11]

This is why I keep my cards maxed.  okay, not it's not.

But go easy on Valve, they have a lot on their plate.  What, with Episode 3 on the way and all....

[Pugnate]

Idol, (fan)boys will be (fan)boys it seems.

[Cobra951]

god damn it. my xbox live account got hacked and had £170 charged to it this month - not this as well!

I have seen nothing about a general hack of XBL.  (You scared me into checking activity on my acct, and all is well with that.)  It sucks that you got hacked.  How do you think that happened?

You know that tingly feeling you get in the pit of your stomach when you realize you're screwed for the foreseeable future?  I have that sinking feeling about current methods of security.  It seems that it's only a matter of time before anything gets bypassed.  I don't have confidence anymore that the methods used to protect your accounts are foolproof as long as you aren't a fool.  You can be the Einstein of online security, and still be exposed to determined attackers.  Something needs to change at a fundamental level, not just making stronger passwords and hashing algorithms.

[idolminds]

Well theres been an update to this, and they actually sent me an email! I know, right?

Dear Steam User:

     If you have accessed your Steam account since November 10, 2011 you know that we had a network intrusion.  We learned about this intrusion when the Steam forums were defaced on November 6.  Since then our investigation of this intrusion has continued with the help of outside security experts. We now have additional information we would like to share with you.  We are providing this information to you in this formal way because it might be required by your state's law.

     We've recently learned that it is probable that in 2009 the intruders obtained a copy of a database with information about Steam transactions between 2004 and 2008.  This database contained user names, email addresses, encrypted billing addresses and encrypted credit card information.  We do not have any evidence that the encryption on credit card numbers and billing addresses has been compromised.  We are still investigating and working with the Seattle FBI office. 

We don't have evidence of credit card misuse.  Nonetheless, you should watch your credit card activity and statements closely.  You can also remain vigilant by monitoring free credit reports.

The rest of the email is info on viewing credit reports.

Now if I'm reading that correctly, hackers were in and stole a database back in 2009? So how long did they have access if you're only finding this out in 2011?

[Cobra951]

I'll just point to the 2nd paragraph in the post right above yours, and say that's my answer.  I think we're all screwed in the long run, if fundamentally better security methods aren't devised.

[scottws]

I work in IT and lets just say that it is pretty easy for intrusions to go undetected in most organizations.  Executives never take security seriously until there is a major event.