My guess, everyone's caught wind of this and the password change requests are overloading whatever capability Steam's servers have for managing that sort of thing.
That or its just Steam being Steam, the amount of those messages I get in a month is ridiculous.
The uh, credit cards and passwords will never be cracked if steam used a real encryption system. It's not a question of having enough power, it's that modern encryption methods are incredibly strong and use cyphers that have never been cracked. Credit card numbers get stolen online from either neglecting to properly store this data (and by doing so break the law, unlikely in the case of a company like Steam which I am sure gets audited), or by capturing the data before it reached the db.
Lauren's correct, "it should only be a matter of time (and horsepower)" is ignorant and fear mongering. Even a token effort to read up on modern cryptography would have been enough to inform you that the time taken to brute-force the encryption Valve is using is on the order of a few trillion years.
This is all assuming Steam implements proper security algorithms. And I think all the big hacks in the media these last 24 months have shown that you can never be sure of that.
Who knows what they actually got. If they got a list of hashed passwords, then they can run the hashed list against a rainbow table. Because they have a lot of passwords, it probably wouldn't be too hard to figure out any salt that they added to the hash. :/
It is law in the US now that they will have to notify by email every single customer because they can't prove who's info was taken and who's wasn't. I believe they have 72 hours to notify customers, I think. I know there is some time limit they have to notify every customer by because of this law.
Lauren is half-right. The credit card data should not crackable. The only way this would happen is if the private key was accessed. This is possible depending on the way Steam implemented its credit card storage since you could use your credit card without passing a special passphrase, but it could have been implemented in such a way that this would be quite difficult.
The passwords are much more likely to be crackable. They are not actually encrypted. Passwords are stored as a cryptographic hash. Valve doesn't tell us which hash was used, but if it was MD5, which is somewhat likely, all but the securest (i.e., longest) passwords will probably be compromised. If it was something more secure, a good password should still be safe.
I just took it at face value and changed everything, I've had my personal info stolen before when I was younger even precautionary I'm going to go to lengths to make sure it doesn't happen again.
No need to argue what was effected, just change your passwords as a precaution.
If you want to know if something can be 'cracked' (that is to say, if the encryption is reversible) then the answer is usually 'yes'. The question is: will it be cracked?
There are many methods to generate an encrypted password hash. The old standard is to use a hash function (such as MD5, SHA1, etc) combined with a salt. This makes it difficult to simply look up the precomputed value of the hash - but not impossible. Considering the incredible speed one can compute the older hashes like MD5 and SHA1, it's perfectly feasible to crack these in days if not hours with a modest amount of CPU/GPU power.
However, there are more modern hash functions such as bcrypt and pbkdf2 which take much much longer to create a hash. The result is it takes much much longer to attempt to crack it. They're not very widely used right now, but their popularity is increasing as more password databases get compromised. It's very unlikely the Steam database was built with one of these hashes in mind.
I don't know how they encrypt or store their credit card data, but one thing's for sure: it has to be reversible for them to decrypt it and process your payment. Thus it's only a matter of cracking the key - which again, depends on the ciphers used, the key length, etc. Is there only one private key protecting all the credit card data? If so, it may be worthwhile to attempt to brute force the entire key. All that really matters is computing power and time. If you're lucky it's complex and large enough that they'll never feasibly be able to crack it.
So how about it, kid? Do you feel lucky?
0
KwitkoSheriff of Banning (Retired)By the thing near the stuffIcrontian
>If so, it may be worthwhile to attempt to brute force the entire key.
I just want to clarify that it is not really feasible for an individual to brute force anything that has been encrypted with standard asymmetric cryptography techniques. Nothing is possible if they don't have the secret key file. If they do, and it's encrypted like it should be, then the attacker will have to guess the symmetric key used to encrypt the secret key ("passphrase"). This is much more plausible than brute-forcing a key from scratch but it should still be safe if a good passphrase was used.
The data may have been encrypted symmetrically using something like AES or Blowfish. In this case, as in the case of the encrypted secret key, it's much more plausible to crack if a bad passphrase was used, but should be safe if a good passphrase was used. Symmetric encryption is somewhat likely since it would have simplified the automated process of unlocking credit card data.
If someone has your credit card info, it's not so simple as changing your password.
I hope and expect that someone at Valve will provide more technical detail soon.
Sounds like Steam is generally Doing It Rightâ„¢, except why aren't they requiring password changes? Even if the passwords are hashed, they're still at risk.
ACtually the comment aqbout the encryption never being cracked is potentially total rubbish. It all depends on how the passwords are salted - but given the short length of the steam issued passwords a rainbow table attack would be highly effective - in fact i probably have the required rainbow tables sat on my machine at home.
A little bit of investigation would have given the answers needed for this discussion.
What was "hacked" was the Steam forums.
The Steam forums are powered by vBulletin.
Unless they changed the defaults, the vBulletin password hashes are stored using this method:
$hash=MD5(MD5($password)+$salt)
So if you used a dictionary word or a variant of one on the Steam Forums, then it can be pretty easily cracked.
Main danger here: If you used the same password on the Steam Forums as you used elsewhere, then hackers can get into your other accounts. Don't use the same password on different systems!
Likelihood of them getting credit card information is minimal. Same with your actual Steam account, unless you used the same password on there and don't have the SteamGuard two-factor authentication turned on.
If you have never set up an account on the Steam Forums, then don't worry about it.
Comments
Thanks for putting that up Prime I don't check my email enough to catch something like that.
Just changed my passwords, hope they get everything fixed up soon.
I've recieved no such thing. Does that mean it doesn't apply to me?
I herped and then I derped.
My guess, everyone's caught wind of this and the password change requests are overloading whatever capability Steam's servers have for managing that sort of thing.
That or its just Steam being Steam, the amount of those messages I get in a month is ridiculous.
tl;dr: You're wrong.
The passwords are much more likely to be crackable. They are not actually encrypted. Passwords are stored as a cryptographic hash. Valve doesn't tell us which hash was used, but if it was MD5, which is somewhat likely, all but the securest (i.e., longest) passwords will probably be compromised. If it was something more secure, a good password should still be safe.
I just took it at face value and changed everything, I've had my personal info stolen before when I was younger even precautionary I'm going to go to lengths to make sure it doesn't happen again.
No need to argue what was effected, just change your passwords as a precaution.
Be proactive, not reactive.
There are many methods to generate an encrypted password hash. The old standard is to use a hash function (such as MD5, SHA1, etc) combined with a salt. This makes it difficult to simply look up the precomputed value of the hash - but not impossible. Considering the incredible speed one can compute the older hashes like MD5 and SHA1, it's perfectly feasible to crack these in days if not hours with a modest amount of CPU/GPU power.
However, there are more modern hash functions such as bcrypt and pbkdf2 which take much much longer to create a hash. The result is it takes much much longer to attempt to crack it. They're not very widely used right now, but their popularity is increasing as more password databases get compromised. It's very unlikely the Steam database was built with one of these hashes in mind.
I don't know how they encrypt or store their credit card data, but one thing's for sure: it has to be reversible for them to decrypt it and process your payment. Thus it's only a matter of cracking the key - which again, depends on the ciphers used, the key length, etc. Is there only one private key protecting all the credit card data? If so, it may be worthwhile to attempt to brute force the entire key. All that really matters is computing power and time. If you're lucky it's complex and large enough that they'll never feasibly be able to crack it.
So how about it, kid? Do you feel lucky?
QFT. Really, people, what's the big deal to change your password? It takes all of 10 seconds.
Honestly I've been thinking the same thing.
I just want to clarify that it is not really feasible for an individual to brute force anything that has been encrypted with standard asymmetric cryptography techniques. Nothing is possible if they don't have the secret key file. If they do, and it's encrypted like it should be, then the attacker will have to guess the symmetric key used to encrypt the secret key ("passphrase"). This is much more plausible than brute-forcing a key from scratch but it should still be safe if a good passphrase was used.
The data may have been encrypted symmetrically using something like AES or Blowfish. In this case, as in the case of the encrypted secret key, it's much more plausible to crack if a bad passphrase was used, but should be safe if a good passphrase was used. Symmetric encryption is somewhat likely since it would have simplified the automated process of unlocking credit card data.
If someone has your credit card info, it's not so simple as changing your password.
I hope and expect that someone at Valve will provide more technical detail soon.
How did they get the Steam Database if they only owned the forum?
They could have sniffed the last payments.
What was "hacked" was the Steam forums.
The Steam forums are powered by vBulletin.
Unless they changed the defaults, the vBulletin password hashes are stored using this method:
$hash=MD5(MD5($password)+$salt)
So if you used a dictionary word or a variant of one on the Steam Forums, then it can be pretty easily cracked.
Main danger here: If you used the same password on the Steam Forums as you used elsewhere, then hackers can get into your other accounts. Don't use the same password on different systems!
Likelihood of them getting credit card information is minimal. Same with your actual Steam account, unless you used the same password on there and don't have the SteamGuard two-factor authentication turned on.
If you have never set up an account on the Steam Forums, then don't worry about it.