Steam Hacked?


DZComposer

Apparently, Steam got hacked in a similar way to PSN according to a message on the SPUF that appears to be from Gaben:

Dear Steam Users and Steam Forum Users:

Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums.

We learned that intruders obtained access to a Steam database in addition to the forums. This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information. We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked. We are still investigating.

We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely.

While we only know of a few forum accounts that have been compromised, all forum users will be required to change their passwords the next time they login. If you have used your Steam forum password on other accounts you should change those passwords as well.

We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords (which are separate from forum passwords). However, it wouldn’t be a bad idea to change that as well, especially if it is the same as your Steam forum account password.

We will reopen the forums as soon as we can.

I am truly sorry this happened, and I apologize for the inconvenience.

Gabe.

From the sound of it, someone got access to a DB, but apparently were unable or unwilling to dump it (or knew of an exploit to make a dump not appear in any transaction logs [unlikely]). Good to know Valve salts the passwords. It's an easy thing to overlook, but it is much more secure.


Ouch, that really stinks; a good thing that my computer can barely handle PC games and that I've never had Steam installed. It's a shame hackers are screwing with EVERYTHING nowadays >.<

Also, there is actually a thread for this already, though including Gabe's message would be a good idea;


Password changed, and some more random characters added onto my email password. Eat it hackers.


I wouldn't worry too much. To get your password, the hackers would have to crack the hash, which any competent designer would make it SHA2, AND figure out what the salt is. Highly unlikely.


What does "salt" mean in this context? You keep saying it and my first thought is OMNOM DELICIOUS CODE-FRIES WITH SALT

That noobery aside, sounds like the people most affected were forum users, and I've never touched the Steam forums, so...:V


Ohh boo hoo. There is nothing special on my account. If they -really- want something of mine that Steam has on me, kay. Turns out I need to make a new account? psshaw, like I care. All I do is play TF2 anyways. Lol


Too bad they don't know my e-mail address password. Can't get into it since Steam locks you out if you change locations and sends a confirmation code to the default e-mail. Unless they figure out my intensively (too) long password for my e-mail they aren't getting squat. :V


Too bad they don't know my e-mail address password. Can't get into it since Steam locks you out if you change locations and sends a confirmation code to the default e-mail. Unless they figure out my intensively (too) long password for my e-mail they aren't getting squat. :V

Same here. I changed my password to something very very long, and NO ONE will figure it out. I also changed my secret question just to be safe.


What does "salt" mean in this context? You keep saying it and my first thought is OMNOM DELICIOUS CODE-FRIES WITH SALT

That noobery aside, sounds like the people most affected were forum users, and I've never touched the Steam forums, so...:V

I think 'salt' is an extra layer of encryption on passwords that makes them a lot harder for hackers to get a hold of. That's my guess. :U

Basically, a salt is when some math is done that provides a random number (this number can be alphanumeric). This number is then used to alter the plaintext password before hashing it. The proper way to salt is to make sure each user's salt is different. That means that if one account's salt is compromised, the rest of the accounts are safe.

So, you're basically putting some "flavor" on the plaintext (Your "delicious code fries," if you will) before feeding to the hashing algorithm (Your "code cake-hole").

Hashing differs from encrypting in that encryption is designed to be undoable, IE you can do some math to get the original plaintext back. Hashing is a one-way street. Once something is hashed, it (if the hashing algorithm is solid) is unable to be un-hashed. Passwords are hashed for this reason. When you login, the system actually hashes the password you input and then compares this hash with the one in the db. If they match, access granted.

Salts are used to protect against dictionary (list of potential passwords) and rainbow table (list of hash algorithm outputs and the values that create them) attacks.

If you feel like getting geeky: http://www.aspheute....sh/20040105.asp

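The salt-then-hash login check described in the post above, as an added example that is not part of the original thread. It uses salted SHA-256 because that is what the thread talks about (stored passwords are normally run through a deliberately slow function such as PBKDF2, bcrypt or scrypt); the function names, the wordlist and the two users are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

def digest(password: str, salt: bytes = b"") -> bytes:
    """SHA-256 over salt + password; an empty salt means unsalted."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def enroll(password: str) -> tuple[bytes, bytes]:
    """Create the (salt, digest) record stored for one user."""
    salt = os.urandom(16)  # fresh random salt per user
    return salt, digest(password, salt)

def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare."""
    salt, stored = record
    return hmac.compare_digest(digest(password, salt), stored)

def table_hits(table: dict[bytes, str], stored: list[bytes]) -> list[str]:
    """Passwords a precomputed digest -> password table recovers."""
    return [table[d] for d in stored if d in table]

# Constructed sample data: a tiny wordlist standing in for a rainbow table,
# and two users who picked the same password.
WORDLIST = ["password", "letmein", "hunter2"]
TABLE = {digest(w): w for w in WORDLIST}
ALICE = enroll("hunter2")
BOB = enroll("hunter2")

def demo() -> dict:
    return {
        # Unsalted digests are identical per password, so the table finds both.
        "unsalted_hits": table_hits(TABLE, [digest("hunter2"), digest("hunter2")]),
        # Per-user salts make the precomputed table useless.
        "salted_hits": table_hits(TABLE, [ALICE[1], BOB[1]]),
        "same_digest": ALICE[1] == BOB[1],
        "good_login": verify("hunter2", ALICE),
        "bad_login": verify("hunter3", ALICE),
        "wrong_salt": verify("hunter2", (BOB[0], ALICE[1])),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```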
