Beware: Steam Hacked, Database Containing Credit Card and Password Info Compromised

20 Comments

Keith E. Whisman

I changed my password as soon as I found out the other night, and last night I got a Forgotten Password Reset Email from Steam. So someone had already tried to access my account and when they couldn't, they did the whole reset thing. LOL.. Pisses me off.

I don't know if it was a result of the hack or if it was just someone that had hijacked my account. If so, then it's the second time that has happened.

Well, obviously using Alice in Chains songs as my passwords isn't working, so I switched to Metallica songs.


Nimrod

It was me, so what, you wanna fight about it?


iceman08

We're missing a troll here... keep an eye out for the troll.


ms_pacman777

Since I use PayPal for my purchases on Steam, am I still safe?


damicatz

Why are the forums in any way linked to the databases that contain credit cards and Steam account information? Since you don't use your Steam account to log in to the forums, the forums should not have been able to touch that database. Given vBulletin's rather poor security track record, it should have been put on a separate server from the main website, and that server should have been put into a DMZ.


std error

Nobody said it was linked. All that is in the letter is that there was forum defacement. And now they find that a database has also been hacked. Nowhere is it said that the hackers used the forums to get to the database.


MrPC2010

I think I'll get my games at the store for a while...


Citizen Snips

Way to leave out in the title the fact that passwords and CC info were encrypted... But I guess you'd rather get the clicks than be honest.


Slurpy

"Your credit card info may be out in the wild, but it's wrapped in a nice, warm blanket of encryption."

It's right there in the first paragraph. That said, it hurt me deeply to correct someone with such an awesome screen name. Kudos, sir.


Citizen Snips

I was talking about the title, which a majority of the readership (especially if you're just glancing at an RSS feed) doesn't get past.

It's just that passwords and CC info weren't stolen, as they were encrypted (as said, hashed and salted), so saying "CC and password information compromised" is disingenuous to what actually happened: the hackers got gibberish that they're very unlikely to crack.


jlh304

The CC and password information is compromised. No different than if I broke into your house and stole your lock box that holds your CC. At some point I'll figure out how to open the lock box, just like it's possible to figure out the encryption at some point. Even if I don't figure out the encryption, your data has still been compromised and you should make changes to protect yourself. I don't think MPC did anything disingenuous.


Citizen Snips

There's a difference between breaking into a lock box and breaking an encryption key. One of those tasks takes more power than the sun will create in its lifetime.


Red Ensign

I hope you're just trying to make a point, 'cause otherwise your statement is scientifically... inaccurate at best.


davidtuerk

If they really wanted to: hack a couple of server databases, make a code to decode the encryption and BOOM! You have a few credit cards to play with... Not saying any of that is good, because I bought about 30 games on Steam.


Citizen Snips

Do the readers of MPC really not understand how hard it is to break modern encryption schemes?

http://en.wikipedia.org/wiki/Brute_force_attack (with a hash+salt, rainbow tables won't work)

The encryption schemes required by CC companies for vendors to use would take *more energy than will be produced by the sun in its lifetime* to crack.

This is the same reason why the FBI has been forced to let some pedos free, because they conveniently 'forgot' their TrueCrypt password, and they couldn't get to any of their data.


Red Ensign

Still don't see where it mentions more power than the sun, but you are, for basic argument's sake, correct in that the encryption won't be broken. If you still believe it to be true, please link me to the math that your theory is based on. Fascinating article, by the way. Thanks.


Cregan89


Yes, pure brute force on this data is, by today's standards, basically impossible. The worry in these types of cases is whether or not the hacker was also able to steal the binaries that performed the encryption and decryption, and whether or not it's possible for them to find an exploit in the binaries that would allow them to either obtain the encryption keys, or even just use the binaries to decrypt them outright. If the encryption system has any weak points in it, then it is entirely possible.

Look at the PS3 for example. While it's unfeasible to crack the encryption keys from a collection of video games (in other words, a list of encrypted data), it's very possible to crack the encryption key if you have access to the actual encrypter/decryptor. Same thing happened with Blu-Ray DRM.



Taz0

Access to the encrypting/decrypting algorithms is irrelevant. Those are public algorithms which are freely accessible to anyone. An encryption algorithm is a publicly known (and publicly scrutinized and verified) mechanism by which you can leverage a small secret, a private key, to create a big secret, millions of encrypted credit cards. If a strong enough encryption method is used, which I am sure was used in the case of Steam, then the big secret is safe as long as the little secret was not compromised. Without the private key, it would be a practically impossible task to crack the encryption. But if the private key was compromised as well, the encryption is moot and all data can be instantly decrypted; that doesn't seem to be the case with Steam.

As for the passwords, they were hashed and salted. Hashing means the passwords went through a one-way function that created a number (called a hash value) completely unrelated to the password itself, but such that using that same hashing algorithm on the same password will produce the same number. This is used to verify that a user supplied a password without actually storing it, since if you stored a password (even encrypted) and it was compromised, then the attacker could gain access to other websites with that password, since many users use the same password for multiple sites. You generally cannot use a hash to get back to the password (which is why it's called a one-way algorithm), since in theory, an infinite number of passwords may produce the same hash value.

Unfortunately, cryptographically secure hash algorithms, such as SHA-1, have many more possible hash values than there are reasonably sized passwords. For example, a 12 character alphanumeric case-sensitive password has 67 bits of entropy (or "randomness"), whereas an SHA-1 hash value has 160 bits of entropy. This means that given an SHA-1 hash value there is probably only one password that may have produced it. If you calculate the hashes of all reasonably sized passwords (the result of which is called a "rainbow table"), you can do a reverse lookup, since you've got the whole "phone book" of password and hash in your hand.

This is where "salt" comes in. It is an additional number that brings a little flavor to the hash algorithm by changing it slightly, producing a completely different hash value for a given password. Again, since it's a one-way function, there is no way to get the password from a hash of a password, unless you've created a rainbow table for the combination of that particular hashing algorithm with that particular salt value, which is why a new random salt value is chosen for each password. Even if you've created a rainbow table for a particular salt value, it would be useless for the rest of the passwords, since they have different salt values. Even if the owner of the data uses a very small salt value, say a 32-bit number, the attacker would still need to create 4,294,967,296 different rainbow tables just to be able to perform a reverse lookup given any salt value. Since creating just a single rainbow table is an enormous undertaking, the task of finding out what the passwords are of a million salted hashes is practically impossible.

So the main difference between data that is encrypted and data that is hashed with salt is that encrypted data hinges on a small secret, the private key, and if that is compromised, all of the encrypted data is compromised. Hashing with salt does not have such a critical single point of failure, and so I feel safe that the passwords remain secure.

An analogy for encryption that's a bit better than jlh304's is: Imagine someone stealing a million lockboxes made of an almost impenetrable metal, but all of them locked with the same key. You could work extremely hard to break a single lock, take it apart, reverse engineer it and create a key that will open all the other keys (brute-force private key attack), or you could simply steal the key and easily open all the boxes.

An analogy for hashing would be stealing a million lockboxes made of the same almost impenetrable metal, but where the locks have been destroyed and the only way to open them is by breaking that metal, a near-impossible task. Even if you do break a single lockbox, you still have the problem of the remaining 999,999 boxes, each requiring the same amount of effort to break as the first. The owner of the boxes broke the locks on purpose, since he never needs the actual content (the password), he only desires to know the weight of the content (if the hash matches a given password), which doesn't require opening the lockbox but simply weighing it and subtracting the known weight of the lockbox itself (the hashing function).
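The salt argument in the comment above, shown in working code as an added example (not code from the article, the commenters, or Steam): a precomputed "phone book" of unsalted SHA-1 digests reverses a leaked unsalted hash instantly but finds nothing when each stored hash carries its own random salt. The word list is a constructed stand-in for "all reasonably sized passwords"; SHA-1 is used only to match the thread, and a real deployment would use a slow password hash (scrypt, bcrypt or Argon2).

```python
import hashlib
import hmac
import os

# Constructed stand-in for the attacker's "phone book" of candidate passwords.
WORDLIST = ["password", "letmein", "metallica1", "hunter2", "correcthorse"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> password for unsalted SHA-1 (the reverse lookup table)."""
    return {sha1_hex(w.encode()): w for w in words}


def reverse_lookup(table, digest):
    """Return the password whose unsalted digest matches, or None if not tabulated."""
    return table.get(digest)


def hash_password(password, salt=None):
    """Store (salt, digest). A fresh 16-byte random salt per user means a table
    built for one salt value is useless for every other stored password.
    SHA-1 is kept to match the thread; use scrypt/bcrypt/Argon2 in practice."""
    if salt is None:
        salt = os.urandom(16)
    return salt, sha1_hex(salt + password.encode())


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def demo():
    table = build_lookup_table(WORDLIST)
    # Unsalted storage: the leaked digest is found directly in the precomputed table.
    unsalted_hit = reverse_lookup(table, sha1_hex(b"metallica1"))
    # Salted storage: the same leaked password yields a digest the table has never seen.
    salt, salted_digest = hash_password("metallica1")
    salted_hit = reverse_lookup(table, salted_digest)
    # The site itself can still verify the password because it stored the salt.
    ok = verify_password("metallica1", salt, salted_digest)
    wrong = verify_password("metallica2", salt, salted_digest)
    return unsalted_hit, salted_hit, ok, wrong


if __name__ == "__main__":
    print(demo())  # ('metallica1', None, True, False)
```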


Adam Wolfe

If you're using Steam Guard, there's no need to worry. Gabe Newell is so confident in the system, he gave out his own Steam account info and it hasn't been compromised since.


Conal_keaney

I gasped when I read the title, but then again, if they're hashed and salted, plus with the addition of Steam Guard, I feel a little better, but still. Better than that Sony fiasco.

I swear these hackers annoy/anger more than they awe.
