Gabe Newell Says Steam Hack Is Worse Than Expected

Raesvelg

New member
Oct 22, 2008
486
0
0
Mausthemighty said:
I changed my password. I'm happy Valve gave us a heads up.
The problem here is that, technically, Valve HASN'T given me a heads-up.

I don't use the Steam Forums. As such, if I didn't come here every damn day, I'd have NO IDEA that my Steam account info might have been compromised. At all. No e-mail, no big login screen thing on Steam telling me they fucked up, nothing.
 

FrostyCoolSlug

In the Ball Pool...
Jun 7, 2005
51
1
13
monkey jesus said:
What I don't get is that if you've hacked into Steam for personal information and CC details WHY THE FLAMING BUTTJERKY WOULD YOU ADVERTISE THE FACT ON THE TWATTING FORUMS?!
I don't think anything outside of the forums was actually hacked, but Valve are erring on the side of caution.

I received an email on the 7th advertising Fkn0wned from "[email protected]", I disregarded it as spam.. I've just gone back to review it, it *WAS* sent from Valve's servers, except via the VBulletin Mail page (X-Mailer: vBulletin Mail via PHP)..

What I'm guessing happened, is that one of the admin accounts became compromised giving the 'hackers' access to the vBulletin Admin Control Panel, where they were then able to mass spam all the forum users, as well as set announcements and notices on the forum (The announcement did come from a Valve account after all).

The reason all the panic comes in, is simply because the vBulletin AdminCP has the ability to directly execute SQL statements against the active database, which, depending on database layout and configuration, could allow for direct queries against databases which are unrelated to the forums. A 'SHOW DATABASES' would list all databases available to your user, and "SELECT * FROM `db`.`table`;" could theoretically allow 'cross database examination'.

I'd like to hope that Valve provide different users different permissions to access different databases (why would the forum user ever need access to the payment database?), and this basic level of security *IN THEORY* would prevent access to anything outside the forums. Valve simply need to make sure no nefarious queries were executed which would provide escalation into databases that the forum user shouldn't be able to access..

I highly doubt that they were able to get shell access, as neither forums.steampowered.com nor steampowered.com have SSH (at least, directly) available, which is why they weren't able to just remove the forums and replace them with a generic 'hacked' page, as is the norm in this situation, there also isn't an easy way to directly modify the vBulletin PHP scripts, or upload a bonus script to provide a shell.

Just my 2c based on general observations, Disclaimer: I may be completely wrong, and this goes further than it seems.
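
Added example, not part of the original post and not a description of Valve's actual setup: a check for the least-privilege point raised above, parsing MySQL `SHOW GRANTS` output for the forum's database account and flagging any privilege that reaches outside its own schema. The account name `forum_user`, the schema names `forum` and `billing`, and the sample grant lines are constructed for illustration.

```python
import re

# One line of MySQL `SHOW GRANTS` output, e.g.
#   GRANT SELECT, INSERT ON `forum`.* TO 'forum_user'@'localhost'
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<db>`[^`]+`|\*)\.(?:`[^`]+`|\*)\s+TO\s",
    re.IGNORECASE,
)

def audit_grants(grant_lines, own_schema):
    """Return (scope, privileges) for every grant reaching beyond own_schema."""
    findings = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # not a schema-level grant line (e.g. PROXY), ignore
        # Drop column lists such as SELECT (col1, col2) before splitting.
        privs = re.sub(r"\([^)]*\)", "", m.group("privs"))
        privs = {p.strip().upper() for p in privs.split(",") if p.strip()}
        privs.discard("USAGE")  # USAGE means "no privileges"
        if not privs:
            continue
        # Simplification: unescape `forum\_db`; wildcard names never equal own_schema.
        db = m.group("db").strip("`").replace("\\", "")
        if db == own_schema:
            continue
        scope = "*.* (global)" if db == "*" else db
        findings.append((scope, sorted(privs)))
    return findings

# Constructed sample output: a correctly scoped forum account...
SAMPLE_OK = [
    "GRANT USAGE ON *.* TO 'forum_user'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `forum`.* TO 'forum_user'@'localhost'",
]
# ...and the same account with the cross-database reach the post worries about.
SAMPLE_BAD = SAMPLE_OK + [
    "GRANT SELECT ON `billing`.* TO 'forum_user'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'forum_user'@'localhost' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for scope, privs in audit_grants(SAMPLE_BAD, "forum"):
        print(f"forum account can reach {scope}: {', '.join(privs)}")
```

An empty result means a statement run through the application's database account is confined to the forum schema; any finding is a schema the same account could also query.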
 

Daveman

has tits and is on fire
Jan 8, 2009
4,202
0
0
Well, I never use the forums but I changed my password just in case and checked my account balance.
 

maturin

New member
Jul 20, 2010
702
0
0
anthony87 said:
maturin said:
anthony87 said:
Well shit.

I had to cancel my debit card once already after the PSN situation. Rather not have to do it again.
Not to be a jerk, but if you use a debit card for internet purchases, you deserve whatever you get for tempting fate.
Tempting fate? The point of the card is to be used on internet purchases.
If you have an internet-only bank account, then I suppose that's fine. But if someone hacks your credit card and buys things, you can be reimbursed. If they get a debit card, everything in the checking account will be gone.
 

Shjade

Chaos in Jeans
Feb 2, 2010
838
0
0
Aaaaaand this would be why I never took the option to have it save my info to make checkout "easier" next time.

And used a different password for the forums than my main account.

...though I have the itch to change both anyway.
 

Anodos

New member
Jul 23, 2011
98
0
0
Someone tell me, if they had ACCESS to the credit card data, shouldn't we assume they stole it? Access means past the encryption, right? Otherwise, well, I wouldn't call that access. I wouldn't give hackers the benefit of the doubt, either.
 

Steve the Pocket

New member
Mar 30, 2009
1,649
0
0
Centrophy said:
What I want to know is why haven't I received any emails from Valve about this? Are they only talking to the gaming "press"?
This message also appeared in the Steam Update News window when I quit the Source SDK last night. If you haven't run anything from Steam lately, that's probably why you haven't seen it yet.
 

Android2137

New member
Feb 2, 2010
813
0
0
I only posted once on the forum (to ask if BLU team bots disappearing on Upward was a common glitch), but I'm still scared. Someone hold me.
 

captainwalrus

New member
Jul 25, 2008
291
0
0
CriticKitten said:
It took Sony weeks to admit to the extent of the damage and to apologize, and Valve less than a week.
Attack occurred between April 17-19. SCE found out on the 19th and suspended PSN service. Took about six days to determine the extent of the intrusion, culminating in this press release [http://blog.us.playstation.com/2011/04/26/update-on-playstation-network-and-qriocity/] on the 26th. Seven days.

In Valve's case, there are no reports of any accounts actually being hacked, much less credit card info stolen. In Sony's case, credit card information was readily available to hackers and some accounts had been closed or reported stolen.

Valve also didn't store private user information in plaintext files with no encryption. They used encryption and hashed/salted password data, showing that they recognize the obvious threat that plaintext password storage can pose to account security. Sony didn't figure that out until AFTER it was too late.
False [http://blog.us.playstation.com/2011/05/02/playstation-network-security-update/]. Passwords were not stored in cleartext. SCE hashed passwords and encrypted credit card information. The confusion probably occurred because SCE stated that its passwords were not encrypted -- which they weren't. Encryption and hashing are two different things.

And I think I'll wait for the investigation to finish before concluding whether or not credit card information or account information has been compromised in Valve's attack.

And then the obvious difference being that Steam didn't crash when the hack occurred and has been down pretty much not at all, allowing continued service. Whereas Sony's network was down for weeks, causing millions of players to be unable to play online, or in some cases, to play their games AT ALL (some games had been released that same week which REQUIRED access to Sony's network to play....meaning people had bought brand new games that they weren't able to play for weeks after they bought it). And Sony ended up having to rebuild their ENTIRE network after several more hacks brought them to their knees in virtually every online service they provided.
This is true. Although it's worth noting that Sony has hundreds of subsidiary companies. There's no single "Sony" network. What each subsidiary company does and how they go about protecting personal information isn't indicative of how another subsidiary deals with the problem. I don't think there have been any subsequent breaches of SCE or PSN, even though Sony BMG and Sony Pictures were getting hacked, and Sony Pictures getting hacked shouldn't be an indictment of SCE.

Can we blame Sony itself for failing to implement conglomerate-wide standards for security? Maybe. But then again, I have no idea what kind of cost that would incur or whether that would even be a good idea. Maybe Sony Financial Holdings has different security needs compared to SCE. I don't know enough about corporate structure or security to make an assertion either way.

Just a pro-tip: before mocking other users for "fanboyism" in their defense of Steam, it may behoove you to learn to read properly so that you don't look stupid when the article itself points out how wrong you are.
Agreed.
 

Nikolaz72

This place still alive?
Apr 23, 2009
2,125
0
0
Never used the forums... I think this is misleading, it's mostly the people who use forums it's concerning <_<. I believe they are there of course, but not nearly everyone who uses Steam.
 

illas

RAWR!!!
Apr 4, 2010
291
0
0
Lumber Barber said:
I demand a Hat for your failure, Valve!
But seriously, it's nice of them to be honest about the situation.
This image might amuse you then (via VanillaTF2.org)



... Fingers crossed...
 

Bostur

New member
Mar 14, 2011
1,070
0
0
I wonder what is new about this.

The message quoted in this article looks like the original message that Steam sent out, why is this case more serious all of a sudden?
 

fulano

New member
Oct 14, 2007
1,685
0
0
I've never saved any kind of credit or debit card info in their servers. Every time I go to buy something I prefer to re-enter the data over and over again--hopefully Valve ain't pulling a Facebook and keeping the data anyways and thus I'll have nothing to worry about--this is the only thing keeping me from freaking out.

Here's hoping.
 

Soveru

New member
Jul 12, 2010
103
0
0
doggie015 said:
Soveru said:
So Valve takes nearly a week to say that credit card information has been compromised and gets no flak for it while Sony does? The fanboyism here sickens me

...


Sony took several MONTHS to say it!

A bit of a difference there...
April 19 - Sony learns of intrusion
April 26 - Sony issues statement that personal data was taken

Doesn't look like several months to me
 

bl4ckh4wk64

Walking Mass Effect Codex
Jun 11, 2010
1,277
0
0
I've never used the Steam Forums, does this mean I'm okay? Or should I just change all my shit just in case?
 

Strazdas

Robots will replace your job
May 28, 2011
8,407
0
0
Then, what is this???


P.S. Escapist forums resized the picture, here's the link: http://i.imgur.com/IMeWI.png
 

Charli

New member
Nov 23, 2008
3,445
0
0
Don't use the forums, don't have my actual card info stored on there. I think I'm clear...
Wanna hack my account? Go right ahead, you'll get some temp card info with 2 dollars on it and my shitty game history. Enjoy.