Steam Breach Follow-up

Valve has issued an update from Gabe Newell with more on the breach of the Steam service late last year. Apparently more information was compromised than was originally believed:

Dear Steam Users and Steam Forum Users

We continue our investigation of last year's intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

Gabe

53 Replies. 3 pages. Viewing page 1.

53. Re: Steam Breach Follow-up Feb 12, 2012, 20:14 Sepharo
 
Flatline wrote on Feb 12, 2012, 20:11:
Sepharo wrote on Feb 11, 2012, 19:29:
zirik wrote on Feb 11, 2012, 19:21:
avianflu wrote on Feb 11, 2012, 12:55:
Why is no one bringing up the infamous breach at Valve where Gabe's office desktop was hacked with a worm that Gabe himself inadvertently installed and left running for months? Thereby causing the theft of HL2 before release. Not a good precedent for Valve.

that's what i was thinking earlier when i thought hl2 came out in 2005. the source code theft forced valve to delay the release to late nov 2004. i got my copy through a graphics card bundle but the steam card wasn't mailed to me until jan 2005.

Steam card? I got mine through the ATI bundle as well and I just typed the key into Steam and got the preload.

I think there were two ATI bundles. I literally waited over a year for HL2 to come out. The first bundle you had to get a mail in code or something to get your HL2 game. I remember there being silly hoops to jump through.

Mine was with the 9800xt and I remember it was long before the actual game came out, long enough that people weren't even sure the codes would still be honored. Mine came with a card in the box that had a scratch off portion, I just typed that key into Steam when HL2 preloads were underway and then preloaded mine.
 
 
52. Re: Steam Breach Follow-up Feb 12, 2012, 20:11 Flatline
 
Sepharo wrote on Feb 11, 2012, 19:29:
zirik wrote on Feb 11, 2012, 19:21:
avianflu wrote on Feb 11, 2012, 12:55:
Why is no one bringing up the infamous breach at Valve where Gabe's office desktop was hacked with a worm that Gabe himself inadvertently installed and left running for months? Thereby causing the theft of HL2 before release. Not a good precedent for Valve.

that's what i was thinking earlier when i thought hl2 came out in 2005. the source code theft forced valve to delay the release to late nov 2004. i got my copy through a graphics card bundle but the steam card wasn't mailed to me until jan 2005.

Steam card? I got mine through the ATI bundle as well and I just typed the key into Steam and got the preload.

I think there were two ATI bundles. I literally waited over a year for HL2 to come out. The first bundle you had to get a mail in code or something to get your HL2 game. I remember there being silly hoops to jump through.
 
 
51. Re: jtw321@gmail.com Feb 12, 2012, 20:09 Flatline
 
Mashiki Amiketo wrote on Feb 11, 2012, 07:08:
Flatline wrote on Feb 11, 2012, 03:23:
Dude, this breach happened THREE YEARS AGO and they just "found out about it" in the recent past. Which is, to put it mildly, a cock-up of epic proportions.
Wait did someone mention that you missed the part where this was already stored data, and it wasn't "three years ago" but rather from the same breach. Sometimes I think this is why it would be better if they simply didn't report things like this. People see earlier dates, jump on their asses, flail about, scream, that the sky is falling. When in fact, they've simply misread it.

What you're saying and what the email from valve said are totally different. So let me post the full email:

If you have accessed your Steam account since November 10, 2011 you know that we had a network intrusion. We learned about this intrusion when the Steam forums were defaced on November 6. Since then our investigation of this intrusion has continued with the help of outside security experts. We now have additional information we would like to share with you. We are providing this information to you in this formal way because it might be required by your state's law.

We've recently learned that it is probable that in 2009 the intruders obtained a copy of a database with information about Steam transactions between 2004 and 2008. This database contained user names, email addresses, encrypted billing addresses and encrypted credit card information. We do not have any evidence that the encryption on credit card numbers and billing addresses has been compromised. We are still investigating and working with the Seattle FBI office.

We don't have evidence of credit card misuse. Nonetheless, you should watch your credit card activity and statements closely.


Now. I bolded my original quote. There are two intrusions mentioned in this email. One in 2011, one in 2009.

They announced that they *just* determined that in 2009 the salted hashes and other data was stolen. This is in addition to anything they discovered from the 2011 attack or the original "investigation" of the 2009 attack (if they even investigated it).

My criticism is that it took 3 years for them to determine the real damage of the 2009 intrusion. And apparently they only realized this because of the 2011 intrusion. That's pretty sloppy work. I have to ask what else have they missed?
 
 
50. Re: Steam Breach Follow-up Feb 12, 2012, 01:09 z0dd
 
I've given up any hope of secure information and just assume everything I transmit will eventually be available to hackers. I'm pretty sure at this point that storing your life's savings under your mattress is the safest way to protect your funds.
 
49. Re: Steam Breach Follow-up Feb 11, 2012, 22:52 DrEvil
 
avianflu wrote on Feb 11, 2012, 13:39:
DrEvil == We actually agree more than disagree if you read my post one more time. Look at the first sentence of my post.

But you are completely absolving _businesses_ of responsibility for consumer data stored on their servers?? Seriously ? That's not kosher for fairly obvious reasons.


No, and nowhere did I say that. But neither can anyone here claim that the business is responsible either without having the full facts in their possession.

*If* valve followed reasonable security procedures and kept their systems up-to-date, that's as much as can be asked for. So far, all indicators are that they did.
 
 
48. Re: Steam Breach Follow-up Feb 11, 2012, 22:01 Mordecai Walfish
 
avianflu wrote on Feb 11, 2012, 12:55:
I bought the boxed version of Skyrim and all it was was the steam installer on the disk. Joke on the consumer there. So steam got a credit card out of me.

Huh? I was not aware either Steam or Skyrim had a credit card requirement..
 
 
47. Re: Steam Breach Follow-up Feb 11, 2012, 20:38 Dev
 
zirik wrote on Feb 11, 2012, 19:16:
if the thief got into their backup database what makes you think they did not try to get the encryption keys to get past the hashed data?
I think you need to review what a "hash" is.
 
 
46. Re: Steam Breach Follow-up Feb 11, 2012, 19:30 Sepharo
 
zirik wrote on Feb 11, 2012, 19:28:
Sepharo wrote on Feb 11, 2012, 19:17:
Where are you getting all this?

just comparing what we do to our backup database at work. nobody gets access to it other than the IT guys. and even then it has to be done at a specific terminal in the server room. on a system with full audit enabled to track all activity. no remote access allowed.

Everyone's infrastructure is just like yours.

Also I primarily meant where are you getting the info about what Valve does and does not know?
but it seems they have no idea who took it and with what credentials since they don't know how deep the damage goes.
 
 
45. Re: Steam Breach Follow-up Feb 11, 2012, 19:29 Sepharo
 
zirik wrote on Feb 11, 2012, 19:21:
avianflu wrote on Feb 11, 2012, 12:55:
Why is no one bringing up the infamous breach at Valve where Gabe's office desktop was hacked with a worm that Gabe himself inadvertently installed and left running for months? Thereby causing the theft of HL2 before release. Not a good precedent for Valve.

that's what i was thinking earlier when i thought hl2 came out in 2005. the source code theft forced valve to delay the release to late nov 2004. i got my copy through a graphics card bundle but the steam card wasn't mailed to me until jan 2005.

Steam card? I got mine through the ATI bundle as well and I just typed the key into Steam and got the preload.
 
 
44. Re: Steam Breach Follow-up Feb 11, 2012, 19:28 zirik
 
Sepharo wrote on Feb 11, 2012, 19:17:
Where are you getting all this?

just comparing what we do to our backup database at work. nobody gets access to it other than the IT guys. and even then it has to be done at a specific terminal in the server room. on a system with full audit enabled to track all activity. no remote access allowed.
 
 
43. Re: Steam Breach Follow-up Feb 11, 2012, 19:21 zirik
 
avianflu wrote on Feb 11, 2012, 12:55:
Why is no one bringing up the infamous breach at Valve where Gabe's office desktop was hacked with a worm that Gabe himself inadvertently installed and left running for months? Thereby causing the theft of HL2 before release. Not a good precedent for Valve.

that's what i was thinking earlier when i thought hl2 came out in 2005. the source code theft forced valve to delay the release to late nov 2004. i got my copy through a graphics card bundle but the steam card wasn't mailed to me until jan 2005.
 
 
42. Re: Steam Breach Follow-up Feb 11, 2012, 19:17 Sepharo
 
zirik wrote on Feb 11, 2012, 19:14:
the intruders were probably using credentials of someone from valve to access the database. what would be interesting to know is does valve regularly check who retrieves backup files. if they were careful that backup database should have been on a separate system with full audit enabled. but it seems they have no idea who took it and with what credentials since they don't know how deep the damage goes.

Where are you getting all this?
 
 
41. Re: Steam Breach Follow-up Feb 11, 2012, 19:16 zirik
 
Dev wrote on Feb 11, 2012, 13:36:
avianflu wrote on Feb 11, 2012, 12:55:
Let's NOT leave Valve off the hook: every time there is a credit card breach in the news
Good news then. It was just salted hashes they got in the credit card category. Unlike Sony that stored everything in PLAIN TEXT.

if the thief got into their backup database what makes you think they did not try to get the encryption keys to get past the hashed data?
 
 
40. Re: Steam Breach Follow-up Feb 11, 2012, 19:14 zirik
 
alvador wrote on Feb 11, 2012, 09:19:
From the email I received:
We've recently learned that it is probable that in 2009 the intruders obtained a copy of a database with information about Steam transactions between 2004 and 2008.
So, it WAS 3 years ago that the data was stolen, and that data was 4-8 years old (or, 1-5 years old at the time it was stolen). It became obvious to everyone that something had happened in Nov 2011- what's not clear is how soon Valve knew something had happened.

edit- Re-reading the email they say they became aware of it on Nov 6 2011. So, it apparently took the intruders 2 years to do something with the database.

the intruders were probably using credentials of someone from valve to access the database. what would be interesting to know is does valve regularly check who retrieves backup files. if they were careful that backup database should have been on a separate system with full audit enabled. but it seems they have no idea who took it and with what credentials since they don't know how deep the damage goes.
 
 
39. Re: Steam Breach Follow-up Feb 11, 2012, 13:39 avianflu
 

DrEvil == We actually agree more than disagree if you read my post one more time. Look at the first sentence of my post.

But you are completely absolving _businesses_ of responsibility for consumer data stored on their servers?? Seriously ? That's not kosher for fairly obvious reasons.

 
 
38. Re: Steam Breach Follow-up Feb 11, 2012, 13:36 Dev
 
avianflu wrote on Feb 11, 2012, 12:55:
Let's NOT leave Valve off the hook: every time there is a credit card breach in the news
Good news then. It was just salted hashes they got in the credit card category. Unlike Sony that stored everything in PLAIN TEXT.
 
 
37. Re: Steam Breach Follow-up Feb 11, 2012, 12:58 nin
 
Let's NOT leave Valve off the hook: every time there is a credit card breach in the news, it _is_ the fault of the company in some manner of lax security with passwords/breadth of access to internal users/encryption.

I don't think anyone's leaving them off the hook, but there is no foolproof security system (like someone wanted at the beginning), and they at least made a better effort than Sony did.

 
http://www.nin.com/pub/tension/
 
36. Re: Steam Breach Follow-up Feb 11, 2012, 12:57 DrEvil
 
avianflu wrote on Feb 11, 2012, 12:55:
Let's NOT leave Valve off the hook: every time there is a credit card breach in the news, it _is_ the fault of the company in some manner of lax security with passwords/breadth of access to internal users/encryption.

Bullcrap. If someone manages to hack into your computer, I bet you'd be singing a different tune. Do you know every single security vulnerability of every single component of your system? Do you have a patch for everyone? Guess freaking what; you don't.
 
 
35. Re: Steam Breach Follow-up Feb 11, 2012, 12:55 avianflu
 
It is 100% "buyer beware" every single time you use a credit card in any web-based scenario. Happy Thoughts.

Sony never got a credit card from me for the PS3 and boy am I thankful I was prudent on that one.

Sadly I finally joined Steam solely for Skyrim because there was no other option. I bought the boxed version of Skyrim and all it was was the steam installer on the disk. Joke on the consumer there. So steam got a credit card out of me.

Let's NOT leave Valve off the hook: every time there is a credit card breach in the news, it _is_ the fault of the company in some manner of lax security with passwords/breadth of access to internal users/encryption.

Why is no one bringing up the infamous breach at Valve where Gabe's office desktop was hacked with a worm that Gabe himself inadvertently installed and left running for months? Thereby causing the theft of HL2 before release. Not a good precedent for Valve.
 
 
34. Re: Steam Breach Follow-up Feb 11, 2012, 12:22 DrEvil
 
Cutter wrote on Feb 11, 2012, 07:17:
Say sorry Gabe you fat fuck!

He already did; and seriously, what's with the bile? Did this kill your favourite pet or something? Life is too short to be such a jerk.
 
 