
Reader Comments (27)

Posted: Nov 10th 2011 6:29PM Tanek said

  • 2 hearts
While I commend Valve for having different passwords on the forums and the games account, it seems odd that a forum compromise would then expose any cc info at all, encrypted or otherwise, doesn't it? Or am I misunderstanding what was broken into?

Posted: Nov 10th 2011 6:34PM Tanek said

  • 2 hearts
@Tanek Never mind. Forums and the newly mentioned database are not the same.

Posted: Nov 10th 2011 6:43PM Graill440 said

  • 2 hearts
Oh god...another post-it......

Posted: Nov 10th 2011 6:53PM Wild Colors said

  • 2 hearts
@Graill440

Seriously. Whoever figures out the next big thing to replace passwords gets a cookie.

(and no, don't tell me it will be my thumb or my retina....those are a lot harder to replace after they get duplicated)

Posted: Nov 10th 2011 7:03PM sortius said

  • 2 hearts
@Wild Colors There's already a lot of devices that replace passwords, but they all need to be hardware to ensure lower levels of compromise.

Fobs, smart cards, even USB devices are all much more secure than passwords.

Posted: Nov 10th 2011 7:11PM Hikoro said

  • 2 hearts
@Wild Colors

Abundance of everything, if everyone can has what he wants, then there will be no need for passwords... xD

Posted: Nov 10th 2011 6:56PM Daelda said

  • 2 hearts
Just changed my main Steam Password. *Sigh* Now...the worrisome thing is about the Credit Card info....

Posted: Nov 10th 2011 7:24PM Strife said

  • 2 hearts
@Daelda

You probably don't have to worry about a thing.

"We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating."

As for the Steam passwords, they wouldn't be able to access your account without having first gained access to your email because of Steam Guard. Just make sure your email is secure and has a different password.

Posted: Nov 10th 2011 9:01PM Daelda said

  • 2 hearts
@Strife I'll worry a little anyway. "No evidence" is not the same as "They did not".

Posted: Nov 10th 2011 7:01PM Wild Colors said

  • 2 hearts
Is it possible to change your steam password via the website? I wasn't able to figure out a way to do it...the "Account Details" page just brings up a list of purchases.

I'm assuming it's easy to do through the client once I get home...

Posted: Nov 10th 2011 7:03PM Daelda said

  • 2 hearts
@Wild Colors Your main Steam Password can be changed via the Steam Application itself. It is the Forum Password that you have to wait on.

Posted: Nov 10th 2011 7:52PM aurickle said

  • 2 hearts
It's really interesting to see the difference in reaction between this and what happened with Sony.

Objectively: Both companies had their customer databases hacked. Valve had encrypted credit card numbers exposed while Sony had hashed credit card numbers exposed. (In other words, in Sony's case the actual data wasn't even in the database.) When you compare them, Valve's breach is actually more significant due to the fact that actual financial info was exposed. Sony's was only significant for the number of accounts involved.

Reactively: Sony was essentially burned at the stake by Massively's readers, with cries of "incompetence!" before the actual facts were known. Valve, on the other hand, is getting a total pass by the same readers.

Biased much?

Posted: Nov 10th 2011 8:41PM ElfLove said

  • 2 hearts
@aurickle

Exactly.

It's stupid.

...also why isn't this the 'Breaking News'? This is far more important than EQ2 going F2P. >_<

Posted: Nov 10th 2011 8:43PM Ceridith said

  • 2.5 hearts
@aurickle

Sony was burned because they neglected to store CC and direct billing info in a properly secure format, aka, it was stored in plain text.

Steam's CC info is hashed with a salt.

Posted: Nov 10th 2011 8:47PM ElfLove said

  • 2 hearts
@Ceridith

Forgive me for this but....

"Steam's CC info is hashed with a salt."

What does that mean? *blush*


Posted: Nov 10th 2011 10:12PM Balraw said

  • 2 hearts
@ElfLove http://en.wikipedia.org/wiki/Salt_%28cryptography%29

Not sure it makes much sense to me at the moment but then I have had a drink or two so maybe I will try again in the morning :)

Posted: Nov 10th 2011 11:12PM Ceridith said

  • 2 hearts
@ElfLove
It's a type of data encryption. When you hash a value, a PC runs the value through an algorithm, the result is a hashed value, and it looks like scrambled letters and numbers, i.e.: "ec457d0a974c48d5685a7efa03d137dc8bbde7e3" without the quotes. Because of how the hashing algorithm works, you cannot reverse the hash value back to the unhashed value. But for authentication against the stored hash value, you would hash the input and compare the two to see if they match.

Adding a salt means that a privately known value is added to the hash either before or after the algorithm is run. It's a method of furthering the encryption to prevent rainbow table attacks, which is basically using a large list of common passwords against their hashed values to attempt to decrypt a hashed value more quickly.
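Added example (not part of the comment thread, and not Valve's code): a small Python sketch of the hash-then-compare login check and of what a salt changes for precomputed-table lookups. It assumes a random per-account salt stored beside the hash and PBKDF2-HMAC-SHA256 from the standard library; the page does not say which scheme Valve used, and the password list is constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, chosen for the example


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Re-hash the login attempt with the stored salt, compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def unsalted_sha1(password):
    """The weak baseline: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def demo():
    # Constructed sample list standing in for a precomputed digest table.
    common = ["123456", "password", "letmein"]
    table = {unsalted_sha1(p): p for p in common}

    # Two accounts that happen to share a password.
    salt_a, hash_a = hash_password("letmein")
    salt_b, hash_b = hash_password("letmein")

    return {
        # An unsalted digest of a common password is found by plain lookup.
        "unsalted_found": table.get(unsalted_sha1("letmein")),
        # The salted digest matches nothing that was computed in advance.
        "salted_found": table.get(hash_a.hex()),
        # Different salts give different digests for the same password.
        "same_password_same_hash": hash_a == hash_b,
        "login_ok": verify_password("letmein", salt_a, hash_a),
        "login_bad": verify_password("letmein1", salt_a, hash_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
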

Posted: Nov 10th 2011 11:33PM (Unverified) said

  • 2 hearts
Hmm where is the alert from Steam? Why haven't they chosen to let their base know what's going on, maybe offer some security tips? I see nothing on Steam. Irresponsible doesn't even begin to describe this lack of concern. They don't want to jeopardize their precious profit line I guess.

Posted: Nov 11th 2011 12:34AM AshenDream said

  • 2 hearts
@(Unverified) I had an alert popup the moment I logged in this evening.

Posted: Nov 10th 2011 11:40PM (Unverified) said

  • 2 hearts
"This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked."

The converse argument of course being they don't have evidence that the info wasn't compromised either. This is a weak and vague apology lacking any substance. Because "Gabe" isn't sure one way or the other I now have no choice but to go through the painful act of protecting my credit.
