Steam Hackers "Probably" Got Credit Card Info

 Pages 1 2 NEXT
 

Steam Hackers "Probably" Got Credit Card Info

image

Valve boss Gabe Newell says hackers who broke into Steam last year probably made off with an old backup file containing user names, email addresses and encrypted credit card information.

In November 2011, Steam became the latest victim in a string of attacks against game-related websites, as hackers broke into the system, threw up a bunch of inappropriate links, and then stole off into the night. A week after the fact, Valve revealed that the intrusion was worse than originally thought, as the hackers had also gained access to a Steam database containing user information including "hashed and salted passwords" and encrypted credit card info. On the upside, Newell said at the time that "we do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders," and that it would continue to investigate.

Valve now says that the intruders very likely did get away with credit card data, although at this point it appears that the stolen information is old - hopefully too old to be of any value. "Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008," Newell said in the latest update on the situation. "This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords."

"We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised," he continued. "However as I said in November it's a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well."

Valve is continuing its investigation in conjunction with law enforcement authorities.

Permalink

doesn't affect me since i started buying stuff from them last year

Not concerned at all. Even if something does happen regarding my credit card, my card company will lock it and wait till I can verify.

I use PayPal for all my Steam transactions so this is not a worrying thing for me. However I can see how it can be troubling for others.

They encrypt with AES256.

There's nothing to worry about.

God Bless Paypal.

I will never have to deal with hackers and their bullshit. Now if PSN (or SEN) would implement paypal.

D0WNT0WN:
God Bless Paypal.

I will never have to deal with hackers and their bullshit. Now if PSN (or SEN) would implement paypal.

Unless they hack paypal or just your paypal... I honestly don't know the likelihood of that, but anything you do on the internet is traceable and potentially stealable too. I still remember when Amazon was hacked years ago. The net is far from perfect when securing credentials.

And yet neither Steam nor Microsoft, who had a similar issue, will get 1/10th the shitstorm Sony got. Why? Because Sony is PR retarded.

Definitively not concerned, as I started to buy their digital stuff a couple of years back, I also recently changed my password, so knocking on wood.

Not really worried, my card had to be changed lately anyway for an unrelated reason.

LetalisK:
And yet neither Steam nor Microsoft, who had a similar issue, will get 1/10th the shitstorm Sony got. Why? Because Sony is PR retarded.

Yeah, pretty much. Even if the Microsoft and Steam hacks actually turn out worse than the PSN hack niether Steam or M$ will get as much flak as Sony did.

DarkRyter:
They encrypt with AES256.

There's nothing to worry about.

No shit. Any half decent 256bit encryption is so time intensive to decrypt without a key that they're effectively unbreakable and AES256 (formerly 'rijndael') doesn't have any 'breaks' (mathematical shortcuts) that brings keyless decrypt time down below 'lifespan of the universe', so it's pretty much bulletproof for the time being.

The game won't change until quantum computing really gets a toe hold in the crypto game... which will take a while before it gets out of R&D stages.

I find it amusing that, with such a late disclosure here, people aren't throwing a tantrum.

DarkRyter:
They encrypt with AES256.

There's nothing to worry about.

Which is why Gabe has stopped spouting prideful statements about how they couldn't possibly get the info, MIRITE?

The glorious irony? I changed my card after the PSN hack; as a result, this doesn't affect me.

Still, here's hoping Valve keep on top of this. Hate for this to blow up in their faces.

Now this is how you handle a hacker crisis, be completely open about it.

Steam may have some issues, but at least they are open with there communications.

Oh man that sucks. I mean, not for me, since this was all waaaay before I began using Steam, but still. Oh well. At least the credit card data is so old they probably can't use it.

And here I was mad that it took Sony a week or two to tell us our account information was 'probably' stolen. At least I've changed my information since 2008 in almost every way and didn't spend anything until 2009. Still sucks though.

Zachary Amaranth:
I find it amusing that, with such a late disclosure here, people aren't throwing a tantrum.

Because they ALREADY said months ago that the hackers most likely got access to the server with the credit card info and stuff.

NOW they're saying that they DID get in, and made off with a backup copy of some transactions made, which included encrypted Card data.

So yeah, we already knew about this possibility, and this is just some extra confirmation.

>.>

so they basically got .... what you can find in the phone book ....

go them *rolls eyes* i didn't join steam till 09 and i've change my payment data least once since then, closing in on having to update it again actually

aegix drakan:

Because they ALREADY said months ago that the hackers most likely got access to the server with the credit card info and stuff.

NOW they're saying that they DID get in, and made off with a backup copy of some transactions made, which included encrypted Card data.

So yeah, we already knew about this possibility, and this is just some extra confirmation.

Not quite. We were appraised of current information that Gabe bragged was uncrackable.

Oh good, another thing for me to possibly be concerned about. Cheers steam.

First you irritate the hell out of me with this steam cloud nonsense, now this. Been a love/hate/hate relationship between me and this company for many many years now.

How nice of them to confirm this 3-4 months after the hacking. Even Sony didn't take this long to confirm that card details were stolen.

Now watch the Valve fanboys(95% of the people here) start saying how Valve had already said there was a possibility that card details were stole even though Gabe said "We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked."

Valve>Everyone else obviously

Doesn't bother me either way, I use a specific credit card for online purchases and put money on it only when I'm about to buy something, so apart from the maximum 1-2 day windows for stuff like paying my TOR subscription (which is good for another 6 months anyway), they'd have under 5 euros to steal the rest of the time :P

Not G. Ivingname:
Now this is how you handle a hacker crisis, be completely open about it.

Steam may have some issues, but at least they are open with there communications.

You're serious? I remember them saying their servers were hacked months ago. To put that in perspective the entire PSN thing was sorted in a matter of weeks. This is abysmal customer service and I really expected more. As another post pointed out earlier, thank God for PayPal.

Hah! I've only ever used temp. credit cards with Steam. Like to see them try to do anything with an expired VISA number :P

Though, hope no-one gets affected too badly by this.

I guess knowing that the data is still encrypted and that it's too old to be of use is enough comfort for me. With Sony I couldn't believe how little anyone did to prevent the wholesale theft of everyone's information.

The difference between Valve and Sony is that Valve, immediately after finding out about this, alerted everyone, saying that there is a possibility that stuff was stolen. Sony, after finding out about this hack, waited several days, almost a week, before going "Oh by the way you guys, we might have gotten hacked."

I don't have a credit card or any info on my account nor did I have my steam account prior to 2011 so I think I'm in the clear.

Sony takes less then a week to inform customers of a potential credit card breach. Valve takes 4 months. Yet Sony are the monsters because they took too long, and Valve is innocent. I love internet logic.

Which is why I never save my payment data. Sure it's less convenient but I don't mind.

BDNeon:
Sony takes less then a week to inform customers of a potential credit card breach. Valve takes 4 months. Yet Sony are the monsters because they took too long, and Valve is innocent. I love internet logic.

Valve reported on it immediately after it happened. They said they recommend changing your info/card. Sony took a week to say ANYTHING the the community at large. That is the difference, and it is a big difference at that.

Basically this:

jedizero:
The difference between Valve and Sony is that Valve, immediately after finding out about this, alerted everyone, saying that there is a possibility that stuff was stolen. Sony, after finding out about this hack, waited several days, almost a week, before going "Oh by the way you guys, we might have gotten hacked."

The credit card I used in 2008 is expired now, nothing to worry about.

Eye catching headlines trump accurate information, leaving out the word "encrypted" makes all the difference when it comes to sensationalizing this story. Even then I guess for the typical reader informed by the fantasy world of Hollywood movies, encryption might not seem secure. Of course in reality encryption is the only thing stopping people from driving around town picking up credit card numbers from wireless connections.

Arse. Started using Steam in 2008. But hey, AE256 should work. They may be able to crack it by the time the sun goes supernova.

Jodah:

BDNeon:
Sony takes less then a week to inform customers of a potential credit card breach. Valve takes 4 months. Yet Sony are the monsters because they took too long, and Valve is innocent. I love internet logic.

Valve reported on it immediately after it happened. They said they recommend changing your info/card. Sony took a week to say ANYTHING the the community at large. That is the difference, and it is a big difference at that.

Basically this:

jedizero:
The difference between Valve and Sony is that Valve, immediately after finding out about this, alerted everyone, saying that there is a possibility that stuff was stolen. Sony, after finding out about this hack, waited several days, almost a week, before going "Oh by the way you guys, we might have gotten hacked."

"We do not have evidence that encrypted credit card numbers or personally identifying information were taken by the intruders, or that the protection on credit card numbers or passwords was cracked."

From Gabe himself. That was a few days after the hack and as far I can recall, there was nothing about the hacking after that. It is only 4 months later that we learn that credit card details might have been stolen.

Kapol:
And here I was mad that it took Sony a week or two to tell us our account information was 'probably' stolen. At least I've changed my information since 2008 in almost every way and didn't spend anything until 2009. Still sucks though.

It took Valve lees than a week to tell us that there is a chance that data like CC info was stolen. Now they just pinned it down to what data it was...

 Pages 1 2 NEXT

Reply to Thread

Log in or Register to Comment
Have an account? Login below:
With Facebook:Login With Facebook
or
Username:  
Password:  
  
Not registered? To sign up for an account with The Escapist:
Register With Facebook
Register With Facebook
or
Register for a free account here