Steam Hacked... Can you trust any system these days?



GossamerSolid
Nov 10 2011, 22:27
Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.


Source - http://forums.steampowered.com/forums/index.php


What are your opinions on this?

HomerPepsi
Nov 10 2011, 22:30
A couple days ago the Steam Forums were hacked. Now it is looking to be a bigger breach than suspected.


Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

Source (http://forums.steampowered.com/forums/)

BE ADVISED!!

DMarkwick
Nov 10 2011, 22:33
If the credit card encryption remains secure - then I'm not too worried. Bit of forum hassle trying to set a new password etc, not a big deal in the scheme of things. Worse for them than it is for me.

As long as the credit card encryption remains secure. That would be a disaster for sure.

Dwarden
Nov 10 2011, 22:35
STEAM used a hashed and salted and hashed again database, so the chance of an exploited forum account is low

and the DB used for the service itself has way stronger protection, so the chance is even lower

yet a change of password is not going to hurt you anyway

JdB
Nov 10 2011, 22:38
Repost (http://forums.bistudio.com/showthread.php?t=127385) mate ;)

Sniperwolf572
Nov 10 2011, 22:49
Only thing about all this that concerns me even in the slightest is the possibility of CC details being compromised.

froggyluv
Nov 10 2011, 23:05
I have my PayPal linked and just used it for SkyRim :(

Hopefully my account is safe. Hate you Haxors!!

Max Power
Nov 10 2011, 23:14
STEAM used a hashed and salted and hashed again database, so the chance of an exploited forum account is low

and the DB used for the service itself has way stronger protection, so the chance is even lower

yet a change of password is not going to hurt you anyway

Mmmm. Salted hash.

I called my credit card company to discuss the situation with them. They said that the thieves would require much more information than just the credit card number, so even if they get the numbers, it would be difficult to use them.

If you are concerned, definitely discuss your credit card's security features with your credit card company.

SkipDialogue
Nov 10 2011, 23:17
I'm not sure this is the best place for this, but since I know several people got ToH from Steam...

http://forums.steampowered.com/forums/index.php

Faye
Nov 11 2011, 02:33
Well basically I never put my CC info in my Steam account. I always want to enter it manually. But if my account got hacked and I left access then it would get me worried as it is theft. No system is hack proof and I certainly don't get why hack groups attack game sites. There is hardly something to gain other than broken gamers.

But I trust Valve and Steam. They already pulled the forums down and investigate the whole situation. Besides nowadays I get multiple emails with these statements from other sites to change password etc etc.

Never a bad thing to change it ofc

GossamerSolid
Nov 11 2011, 04:31
I'm sorry guys, I didn't realize that I posted this in the TKoH general section. Could a moderator please move it to offtopic?

EDIT: I think I did actually post it in offtopic. I see that there are at least two other threads merged into this one. Maybe it got moved by accident?

zoog
Nov 11 2011, 08:21
Can you trust any system these days?
No, I think you cannot and never will be. There was even this scandal a few months back here in the Netherlands with a respected company that issued the security certificates for government websites. Turned out that the company was hacked a few months before and that Iranian hackers compromised part of their certificates or their algorithm (I'm no expert). Because the company kept its mouth shut these risk certificates were even used on official government websites to protect sensitive data about civilians (IRS information etc) and to secure online identities (most government things can be done here online with one single digital signature to identify yourself online).

MadDogX
Nov 11 2011, 10:07
First they came for Sony, and I didn't speak out because I wasn't a Sony customer.

Then they came for Bethesda, and I didn't speak out because I wasn't a Bethesda customer...


You know how it goes. ;)

The whole time this hacking business has been going on, I've not really cared much because it always seemed to be "somewhere else". Now they've hit Steam and quite possibly stolen my user data, along with that of millions of others, and I'm finally worried. Not to mention a little pissed off.

Fortunately I only ever used PayPal via Steam, and I use a variety of passwords for different services, but I'll be making damn sure to change all my passwords anyway. You never know.

zigzag
Nov 11 2011, 12:30
Same for me, I thought the whole Sony thing was a bit funny.

Was at the bank earlier today doing some business and I asked about this and he said I should not worry too much but they would send me a new Visa card just to be sure.

maionaze
Nov 11 2011, 12:45
I got the same sum in my bank account, no transactions were made or attempted since the hack and I changed my password so it should be ok.

batto
Nov 11 2011, 13:04
No, I think you cannot and never will be. There was even this scandal a few months back here in the Netherlands with a respected company that issued the security certificates for government websites. Turned out that the company was hacked a few months before and that Iranian hackers compromised part of their certificates or their algorithm (I'm no expert). Because the company kept its mouth shut these risk certificates were even used on official government websites to protect sensitive data about civilians (IRS information etc) and to secure online identities (most government things can be done here online with one single digital signature to identify yourself online).

Same guy from Iran compromised Comodo CA and issued valid certificates for Gmail, Yahoo mail, ... in March this year (he can prove himself because only he owns private keys of certificates):

http://erratasec.blogspot.com/2011/03/interview-with-comodohacker.html
https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https

Here is his message from latest attack:

http://pastebin.com/1AxH30em

In the interview (first link) he supports current regime in Iran and hates Obama...

EDIT: He claims he has control of 2 other CAs... So if it's true you can't really trust https:// anymore...

HyperU2
Nov 11 2011, 13:32
I can trust a DVD.

walker
Nov 11 2011, 14:18
Hi all

A forum got hacked huh.

Bit of a non story.

Bored now. Leaving thread.

Bye

DMarkwick
Nov 11 2011, 14:26
Hi all

A forum got hacked huh.

Bit of a non story.

Bored now. Leaving thread.

Bye

I think I'm going to start calling you Rorschach ;)


Baff1
Nov 11 2011, 15:15
I've never paid Steam by CC.
I buy all my games on a disc from a shop I can easily return things to.

Losing my account would be a drag, but I pretty much can hack my way into all my Steam games anyway if needs be (if I haven't already).

I expect all the credit card details will be safe.
Resetting your account password couldn't hurt.

DM
Nov 11 2011, 15:19
Hi all

...

Bit of a non story.

Bored now. Leaving thread.

Bye

Oh the IRONY...

HyperU2
Nov 11 2011, 15:26
Well he is the expert.

ProfTournesol
Nov 11 2011, 15:30
He's bitter because he didn't start this one. BTW, there are several ways to pay on the net without giving bank account info.

Tonci87
Nov 11 2011, 17:18
oh the irony...

lol :d

jblackrupert
Nov 12 2011, 04:17
Use Visa and Mastercard gift cards instead.

Banks all over North America and Europe carry them.
You don't even have to have your name or address attached to them.

VIPER[CWW]
Nov 21 2011, 19:40
Since this invasion of Steam, I have received two ACCOUNT ALERTS from my bank account, first one was to verify my details, as they haven't been verified yet (had the bank account for over 15 years and had the online banking for last 4 years), if this wasn't to be true I was to ignore the email. The emailer's address was "Halifax.UnitedKingdom.Login@<hidden>ntchange-InYourInfo.66.162.39.68.co.uk".

The second email I received today (from H.a.l.i.f.a.x-ukinfo@<hidden>smtp-hostchangedinfos.218.38.35.253.uk) was saying my online banking password has been inputted incorrectly 3 times today, last time I checked the account was over a week ago, it also said "For the protection of your account we have suspended access to it. To restore access please Log on correctly by clicking here or by following the link below:" the link looked legit but it was a redirect to "http://hargakomputerrakitan.com/modules/mod_wdbanners/hlpo/index.php", which has the same layout as the bank's site.

I checked my bank for the genuine link, which is a secure https encryption. And it is obviously completely different to the one I was directed to.

So indeed it does look like they managed to get some credit card details. Just don't be gullible if you get any emails sent to you with titles like "HalifaxUk - Account ALERT!", "Account ALERT!" etc.

Over to you walker :cool:

HyperU2
Nov 21 2011, 20:07
I have two bank accounts. One I put enough money into to pay bills and make purchases online as needed, the other offline.

DM
Nov 24 2011, 10:01
Since this invasion of steam, I have received two ACCOUNT ALERTS from my bank account

Meh, I get these all the time, nothing but spoofers trying to trick people into inputting their data into fake forms so that they can then use it to login to the actual system... Nothing to do with the STEAM hacks.

I think the funniest thing (for me at least) is when I get emails from banks I don't even have accounts with informing me that my internet access has been suspended...

VIPER[CWW]
Nov 24 2011, 17:08
I never get them, not a single one to do with my bank account and as persistent as these ones, so.. I put two and two together, never discount something unless you know the facts.

jblackrupert
Nov 25 2011, 02:23
The bank scam emails are just spammed to millions of people knowing a percentage of them do have accounts at the bank listed in the email and some of them are stupid enough to fall for it.

The bots that collect the emails can also use other available information to compile lists based on Country and city making it even easier to target specific people.

It's simple, use throwaway Visa/Mastercard gift credit cards for online purchases. By the time the scammer gets around to using the card it'll be empty.

DM
Nov 25 2011, 07:48
I never get them, not a single one
Lucky you then!


The bank scam emails are just spammed to millions of people knowing a percentage of them do have accounts at the bank listed in the email and some of them are stupid enough to fall for it.
Exactly this, nothing to do with STEAM